EU Cyber Security Directive brings in data breach notification for many sectors

The EU Trilogue on the Network and Information Security Directive, the so-called Cyber Security Directive, was completed on 7 December. A data breach notification duty will apply to providers of key infrastructure, such as energy, transport, and finance. The EU Parliament said in a press release that Member States will have to identify concrete "operators of essential services" from these sectors using certain criteria, whether:
• the service is critical for society and the economy,
• it depends on network and information systems, and
• an incident could have significant disruptive effects on its provision or public safety.

Search engines, cloud computing services and online marketplaces, such as Amazon and eBay, will also be affected – they will be required to make sure that their infrastructure is secure, and report major incidents.

EU Member States will be required to set up a network of Computer Security Incident Response Teams (CSIRTs) to handle incidents. They will discuss cross-border security incidents and identify coordinated responses.

Once the Directive is published in the Official Journal of the EU, the Member States will have 21 months to transpose it into national law. The final text is not yet available, as both the Parliament and the Council still have to formally adopt the version agreed by the ministers.