Disagreements between member states are holding up proposals for pan-European cyber security rules, whilst experts warn that the threat from an anarchic Internet is increasing.
The Latvian presidency of the European Council wants to begin negotiations on the proposed network and information security (NIS) directive on 30 April, but needs a mandate from the member states before it can do so.
The directive would oblige infrastructure-critical companies to report any cyber attacks, but the definition of what types of companies would be included within the scope of the reporting within the directive remains controversial.
A key outstanding issue focuses on the extent to which US giants such as Google, Amazon and Facebook – so called “over-the-top” companies – will be caught by the directive, and obliged to make reports in respect of cyber attacks.
More or less rigorous definition
EU diplomats told EurActiv that Ireland, Sweden and the UK – all countries which host large US-based internet concerns – are leading efforts to minimise the involvement of such companies within the scope of the directive. Meanwhile France, Germany and Spain, amongst others, are opposed.
Latvia is keen to try and iron out a compromise before the end of its presidency, having taken the unusual step of earmarking 30 April to start trilogue negotiations between the EU Council, Parliament and Commission. The Latvian presidency has not pegged dates for other trilogues yet – an indication of how keen it is to agree the cyber security dossier.
Delays to the agreement of the NIS directive come against a backdrop of rising warnings from officials about European preparedness in the face of cyber attacks.
Udo Helmbrecht, the executive director of the EU’s Agency for Network and Information Security (ENISA) recently warned MEPs about the risk of a virtual “Wild West”.
“When you talk today about the Internet, it is the ‘Wild West’. Everyone can do what they want. There is no control, no regulation,” he told MEPs in an exchange of views held on 16 March in the European Parliament’s subcommittee on security and defence. “And the reason for this is: where is the governance structure?”
Member states keeping cards close to chest
ENISA’s role is to support the EU and the member states in enhancing and strengthening their capability and preparedness to prevent and detect cyber security incidents.
Problems of trust between member states were alluded to at the same meeting by Peter Round, the director of capability, armament and technology at the European Defence Agency.
Round explained that there were widespread reports that member states are concealing details of the development of offensive cyber security capabilities from one another.
“One of the issues with cyber is that it is in some ways the new gunpowder. When a member state gains a capability – certainly at first – they don’t want to share it, because some have it and some don’t, and we are seeing that some don’t want to share it, seeing it as a sovereign and national issue,” Round told MEPs.
An EU cyber security strategy was presented by the Commission and in 2013, covering the internal market, justice and home affairs and foreign policy angles of cyberspace.
The European Commission shortly after proposed a Directive with measures to ensure harmonised network and information security across the EU.
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The directive also suggests that market operators will be liable regardless of whether or not they carry out the maintenance of their network internally or if they outsource it.
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.
All member states would be required to adopt network and information security strategies and set up teams to respond to incidents. Cooperation networks would be created at EU level.
- 30 April 2015: Latvian Presidency hopes to begin trilogue discussions between European Parliament, Council and Commission on the NIS directive
- European Commission: EU Cybersecurity Strategy
- European Network and Information Security Agency (ENISA) Cyber Crisis Exercises
- EurActiv Germany: Cyber-Attacken: Europa unter virtuellem Beschuss
- EurActiv Germany: Richtlinie zur Cyber-Sicherheit: Aufschub trotz Gefahren des "Wildwest-Intenet"