1. Home
  2. |Insights
  3. |EU Legislators Agree on First EU-Wide Legislation on Cybersecurity

EU Legislators Agree on First EU-Wide Legislation on Cybersecurity

Client Alert | 2 min read | 12.09.15

On December 7, the European Parliament and the European Council reached a political agreement paving the way for the first European Union-wide legislation on cybersecurity. The new legislation, the Directive on Network and Information Security (known as the "NIS-Directive") was originally proposed by the European Commission in 2013 and aims at ensuring common standards of network and information security in the European Union.

A final text of the political agreement has not yet been released. Statements from the relevant authorities, however, confirm that, under the new rules, businesses operating "essential services" will have to take appropriate security measures and will also be obliged to report data incidents to the applicable national authorities. The European Union Member States will be responsible for identifying the businesses concerned in the following "essential services" sectors:

  • Energy: electricity, oil, gas;
  • Transport: air, rail, water, road;
  • Banking and financial market infrastructures: credit institutions, trading venues, central counterparties;
  • Health and living: health care providers, drinking water supply and distribution; and
  • Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries.

Notwithstanding serious lobbying from major internet companies, the Directive will also impose security measures and notification requirements on important digital businesses, referred to as "digital service providers" (DSPs), which include online marketplaces, cloud computing services, and search engines. Their obligations are said to be less stringent than those imposed on the essential services operators. 

The relevant authorities will be empowered to impose fines if companies fail to comply.

The political agreement must still be formally approved by the European Parliament and the European Council. After publication in the European Official Journal, European Union Member States will have 21 months to implement and transpose the Directive into national law and an additional six months to identify the "operators of essential services" in accordance with the criteria set forth in the Directive. 

In addition, European Union Member States will be required to adopt a national NIS strategy defining objectives and appropriate measures in relation to cybersecurity. They will also be required to designate a competent authority for the implementation and enforcement of the new rules, as well as Computer Security Incident Response Teams (CSIRTs) that will be responsible for investigating data-related incidents.

Insights

Client Alert | 6 min read | 03.26.24

California Office of Health Care Affordability Notice Requirement for Material Change Transactions Closing on or After April 1, 2024

Starting next week, on April 1st, health care entities in California closing “material change transactions” will be required to notify California’s new Office of Health Care Affordability (“OHCA”) and potentially undergo an extensive review process prior to closing. The new review process will impact a broad range of providers, payers, delivery systems, and pharmacy benefit managers with either a current California footprint or a plan to expand into the California market. While health care service plans in California are already subject to an extensive transaction approval process by the Department of Managed Health Care, other health care entities in California have not been required to file notices of transactions historically, and so the notice requirement will have a significant impact on how health care entities need to structure and close deals in California, and the timing on which closing is permitted to occur....