Thoroughly knowledgeable,
very pragmatic and

Chambers Guide


Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.

Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.

Cyber Security Directive adopted by Council of Ministers

The NIS Directive is expected to enter into force in August 2016, meaning Member States have until May 2018 to implement changes to national law.

On 17 May 2016, the EU Council of Ministers adopted the Network and Information Security (“NIS” or “Cyber Security”) Directive, following agreement between the Council and the European Parliament on a compromise text which was reached in December 2015.

Amongst other measures, the Directive requires Member States to adopt an NIS strategy, designate a single point of contract for NIS issues and set up at least one Computer Security Incident Response Team.

It requires the imposition of obligations on two classes of organisation:

  • Operators of essential services, as identified by Member States in the areas of energy, transport, banking, financial market infrastructures, health sector, water production and supply and distribution, and digital infrastructure.
  • Digital service providers, being organisations offering three types of information society services: online marketplaces, cloud computing services and search engines.

Both will be required to:

  • take appropriate and proportionate technical and organisational measures to manage cyber security risks;
  • notify authorities of incidents having, respectively, a significant impact on the continuity of the core services or a substantial impact on the provision of the digital service.

The Directive must now be adopted at the European Parliament at a second reading before being published in the Official Journal of the European Union.

The Council’s press release states that the Directive is expected to enter into force in August 2016, which would give Member States until May 2018 to make the required changes to national laws, the same month that the General Data Protection Regulation takes direct effect.

For further information on cyber security matters and the advice and training White & Black can offer, please contact Nick MathysPhil ThompsonNick Mitchell or John Allen.

Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.

This site uses cookies to improve your user experience. By using this site you agree to these cookies being set. To find out more see our cookies policy