Political agreement has been reached on a new European regime imposing cyber security requirements and incident notification obligations on banks, energy companies and other operators of essential services identified by member states, together with certain digital service providers. Implementation through national laws is expected within two years.
In this briefing, we provide background information on the Directive, outline which organisations may be affected, the new requirements they may be subject to and possible next steps.