Organisations paying little attention to governance measures around cybersecurity face a daunting task even though new EU-wide legislation is not expected until 2018, data protection specialists have warned.

The European Parliament and Luxembourg presidency of the EU council of ministers this week reached agreement on rules in the first EU-wide legislation on cybersecurity.

The Network and Information Security Directive will require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services such as search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities.

The text now has to be approved by the European Parliament and council of ministers. Member states will have 21 months to implement the directive into their national laws and six months more to identify operators of essential services.

Solicitor Peter Wright, chair of the Law Society technology and reference group, said businesses that had already incorporated governance measures around cybersecurity best practice ‘will have nothing to worry about’.

However, ‘those paying little or no attention to this threat will face an even bigger task to make themselves fit for purpose when the directive [becomes] law by 2018 which will come around all too quickly for some’.

Financial services institutions are already regulated by the Information Commissioner’s Office and the Financial Conduct Authority on cybersecurity matters and must report serious breaches as well as notify anyone subject to a breach that their personal data has been compromised, Wright said.

Nicola Fulford, data protection partner at technology and digital media firm Kemp Little, said an organisation’s first priority ‘should be to stop breaches from happening in the first place.

‘The mandatory security provisions in the directive will hopefully encourage companies to bolster their security systems and prevent attacks from happening’.

The European Commission, which put forward a proposal for a directive in 2013, said it will establish a public-private partnership on cybersecurity next year.