Publication
What M&A trends will transform the 2024 insurance landscape?
It is widely accepted that 2023 was one of the worst years in recent memory for M&A activity.
Global | Publication | December 2015
On December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD).1 The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union for Foreign Affairs and Security Policy published a strategy for ‘An Open, Safe and Secure Cyberspace’ and proposed directive in 2013. Once adopted, likely in early 2016, EU Member States will have 21 months to adopt the necessary national provisions to comply with the NISD.
The NISD lays down minimum obligations for all Member States on the prevention and handling of and the response to risks and incidents affecting networks and information systems, creates a cooperation mechanism between Member States, and establishes security requirements for certain market operators and public administrations. The NISD will impose new security-related obligations on market operators providing “essential services” in a wide range of industries. In the words of the European Parliament’s rapporteur, the NISD marks the “beginning of platform regulation” in the EU.
The NISD’s imposition of security-related obligations on market operators has been among the most contentious issues delaying agreement on the NISD. Under the agreed compromise, the NISD will impose obligations only on operators of “essential services” in critical sectors. These sectors, however, include many of the EU’s most important industries:
Within these sectors, Member States will identify the operators providing essential services, based on criteria in the NISD, including whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety. These operators will have to take appropriate security measures and notify serious incidents to the relevant national authority.
Providers of digital services will also be caught by the NISD. The following providers will be covered:
Member State authorities will have six months after the NISD’s implemenation deadline to identify their providers of essential services.
The NISD will oblige each EU Member State to designate one or more national authorities and develop a cybersecurity strategy. The NISD will also create a “Cooperation Group” between Member States to support and facilitate strategic cooperation and the exchange of information among Member States. The Commission will provide the secretariat for the Cooperation Group. The Directive will, moreover, create a network of Computer Security Incident Response Teams to promote the swift and effective operational cooperation on specific cybersecurity incidents and the sharing of information about risks.
Council press release 904/15, December 8, 2015 and European Parliament press release, December 7, 2015.
Publication
It is widely accepted that 2023 was one of the worst years in recent memory for M&A activity.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023