New EU cyber security law: time to assess your cyber risk


On 17 May 2016, the EU Council officially adopted the first EU-wide legislation on cyber security – the Network Information Security Directive – paving the way for the Directive to come into force in August 2016.

The Directive will impose obligations on ‘operators of essential services’ in high-risk sectors such as energy, transport and finance to take measures to minimise their cyber risk, and to report certain cyber incidents. The Directive complements the General Data Protection Regulation, which was adopted in April 2016 and applies from May 2018, and which introduces much higher maximum penalties for cyber security breaches that affect personal data.

Once the Directive comes into force, EU member states will have 21 months to transpose it into national law – but businesses affected should be getting ready now.

The aim of the Directive. The Directive aims to establish a high common level of network and information security across the EU. Once implemented, member states will be required to co-operate to implement a comprehensive cyber strategy.

How will the Directive become law? The Council will now transmit its position to the EU Parliament, which is expected to vote on the Directive in early July 2016. This vote will facilitate the Directive’s entry into force in August 2016. Member states will then have 21 months (ie until May 2018) to transpose the Directive into national law, and a further six months (ie until November 2018) to identify which ‘operators of essential services’ fall within the Directive’s scope.

Does the Directive affect my business? The Directive imposes obligations on public and private ‘operators of essential services’ within certain sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure. Member states may determine precisely which entities are ‘operators of essential services’ either by adopting a list identifying each entity, or by adopting a set of criteria.

The Directive also applies to ‘digital service providers,’ including all operators of e-commerce platforms, search engines and cloud computing services. The European Parliament has specifically identified Amazon, eBay and Google as examples of such companies. Telecoms companies, which are already subject to a similar regime, are not included.

What obligations does the Directive impose on ‘operators of essential services’? Qualifying businesses must take ‘appropriate and proportionate technical and organisational measures’ to minimise the impact of cyber security incidents and to ensure continuity of their services. National regulatory authorities will determine the precise measures to be taken. These measures may include steps that infrastructure companies should already be looking to implement in order to minimise risks, such as:

  • ensuring that appropriate corporate governance and compliance procedures are in place;
  • ensuring that technology systems and networks are appropriately secured and monitored;
  • ensuring that employees are trained and aware of cyber risks;
  • ensuring that a business continuity plan and incident response plan (involving personnel from IT, legal, HR and PR) are in place; and
  • reviewing existing contracts to ensure they adequately address auditing supplier systems, force majeure defences, limitations on liability and notifications of cyber incidents.

Businesses subject to the Directive must also report – ‘without undue delay’ – any incidents that have a significant impact on the continuity of their services. Businesses must assess whether incidents are reportable taking into account: (i) the duration of the incident; (ii) the number of users affected by the disruption of the service; and (iii) the geographical spread of the area affected by the incident. National authorities are expected to act together, in cooperation with the European Network and Information Security Agency, to develop guidelines concerning the test for mandatory notification.

The Directive requires national authorities to consult with a reporting entity before making the reported incident public. Incidents will only be made public where publicity is necessary in order to deal with the incident or prevent a further incident.

What obligations does the Directive impose on ‘digital service providers’? Similar security and reporting obligations apply to ‘digital service providers.’ These businesses must report any incident that has a substantial impact on the provision of the relevant digital service. However, supervision of these entities will be lighter. For example, national authorities will only be empowered to act on an ex post basis.

What happens if your business fails to comply with the Directive? Each member state will determine the applicable sanctions for non-compliance with the Directive. As a point of comparison, the German IT Security Act 2015 – which introduced minimum IT security standards and mandatory reporting obligations on operators of critical infrastructure – provides for fines of up to €100,000 for the most serious breaches. It is not yet clear whether the UK, whose approach to improving cyber security has traditionally been based on voluntary information sharing and standards, will introduce similar sanctions.

What action should your business take now? If your business is in a relevant sector, you’ll need to establish whether you’re an ‘operator of essential services’ or a ‘digital service provider’ and are therefore covered by the Directive. If your business will be subject to the Directive, you should:

  • assess compliance with national law obligations on minimising cyber security risk;
  • assess and refresh cyber security policies;
  • ensure relevant staff are aware of their responsibilities in the event of a cyber incident;
  • ensure you can assess any incidents, and report significant incidents to the national authorities promptly; and
  • consider the costs of ensuring compliance with the Directive’s security standards and reporting obligations.
