Following five hours of negotiations, representatives of European governments and the EU policymakers have agreed on the first ever set of cyber security laws to be applied across the European Union.

The Network and Information Security Directive sets out the rights and responsibilities of businesses in critical industries such as transport, utilities, health and finance.

Such businesses will be required to formally report all ‘serious’ cyber security breaches that impact their customers. The directive will apply to all EU member states without exception.

The move is expected to build trust towards European service providers, but at the same time increase the costs of doing business in Europe.

The directive still needs formal approval from the European Parliament and national governments. Once approved, member states will have 21 months to implement it into their national laws and six months more to identify operators of essential services.

The full text of the directive is expected to become available online in the next few days.

With great power…

EU flag
– Thinkstock / MiroNovak

Under the new directive ‘operators of essential services’ – with cloud providers potentially counted in this category - will be required to immediately report security incidents to national regulators. Businesses that fail to comply with the rules will face considerable fines.

The directive includes provisions for businesses with different levels of national importance: for example, a company operating in oil and gas industry will have more responsibilities than a company in entertainment.

Defining which industries are ‘critical’ will be up to the national regulators. The European Parliament press release named services provided by eBay, Amazon and Google as those likely to fall under the new rules.

The directive also requires the member states to establish an organization to “exchange information and best practices, draw up guidelines and assist member states in cyber security capacity building.”

“If we want people and businesses to use and make the most of connected digital services, they need to trust them to be secure in the case of attack or failure. The internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cybersecurity solutions,” said Andrus Ansip, European Commission vice-president for the Digital Single Market and successor to ‘Steely Neelie’ Kroes.

“Last night’s agreement is an important step in this direction, but we cannot stop here: we plan an ambitious partnership with the industry in the coming months to develop more secure products and services.”