On 7 December 2015, the EU Council reached an informal agreement with the EU Parliament on the draft Network and Information Security (NIS) Directive.The draft Directive sets out cybersecurity obligations for operators of essential services in the healthcare, banking, energy and transport sectors, and also digital service providers (including e-commerce platforms, search engines, social networks, internet payment gateways, and cloud services). These operators will be required to take measures to manage cyber risks and report major security incidents.

Next Steps
The final text of the Directive is not yet available. 

Member States will have 21 months to transpose the Directive once published in the official journal, and 6 months more to identify operators of essential services.

The Presidency is due to present the agreed text for approval by Member States’ ambassadors at the Permanent Representatives Committee (Coreper) on 18 December 2015. To conclude the procedure, formal adoption by both the Council and the Parliament is required.

European Commission Press Release