EU lawmakers and member states on Monday (7 November) struck a deal on the bloc’s first broad cybersecurity law to affect multiple industry sectors.
The new law will require online firms, such as Google and Amazon, to report serious breaches or face sanctions.
The deal, following five hours of negotiations between the European Parliament and EU governments, was reached in response to increasing worries about cyber attacks resulting in security and privacy breaches. It still needs to be formally approved.
The European Commission Vice-President for the Digital Single Market, Andrus Ansip, said the new law would build up consumers’ trust in online services, especially cross-border services.
“The Internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cybersecurity solutions. This agreement is an important step in this direction,” Ansip said.
(Tweet by Andrus Ansip, @Ansip_EU, 8 December 2015)
EurActiv has previously reported on the negotiations over the cybersecurity directive.
The new law, known as the Network and Information Security Directive, sets out security and reporting obligations for companies in critical sectors such as transport, energy, health and finance. Those will have to ensure that the digital infrastructure they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber attacks, the Parliament said in a statement.
Within these sectors, each member state will identify the operators providing essential services, based on criteria laid down in the directive.
Andreas Schwab, a German centre-right MEP (CDU), who steered the negotiation for Parliament, said he was satisfied. “Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents. Member states will have to cooperate more on cybersecurity – which is even more important in light of the current security situation in Europe.”
Web firms will be subject to less stringent obligations than, say, airports or oil pipeline operators, which are considered critical.
Under the measure, internet companies such as Google, Amazon, eBay and Cisco – but not social networks like Facebook – will be required to report serious incidents to national authorities, which in turn will be able to impose sanctions on companies that fail to do so.
Xavier Bettel, Luxembourg's Prime Minister and Minister for Communications and the Media, led the negotiation as the holder of the rotating EU Council Presidency. He said: "This is an important step towards a more coordinated approach in cybersecurity across Europe. All actors, public and private, will have to step up their efforts, in particular by increased cooperation between member states and enhanced security requirements for infrastructure operators and digital services."
Antanas Guoga, a Lithuanian MEP from the Liberal group in Parliament (ALDE), said the agreement was "far from perfect" but nevertheless represented "an important step" towards ensuring the security of information systems. "I am delighted we managed to convince Member States to accept mandatory cooperation mechanisms on cyber-security; improved cooperation and transparency is needed at a European level to improve the ability of the Member States to avoid and respond to cyber incidents."
"Liberals and Democrats defended," Guoga added, "the need for a harmonised approach, so businesses providing services across the whole EU will be able to apply one set of rules, instead of 28 different approaches. I hope this will create much more manageable situations and opportunities for long term investors, while increasing Europe's cybersecurity capabilities. I am delighted we also managed to secure an exclusion for our small digital companies; this is crucial for the development of the single market and European competitiveness globally."
An EU cybersecurity strategy was presented by the Commission in 2013, covering the internal market, justice and home affairs and foreign policy angles of cyberspace.
The European Commission shortly after proposed a Directive with measures to ensure harmonised network and information security across the EU.
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The directive also suggests that market operators will be liable regardless of whether or not they carry out the maintenance of their network internally or if they outsource it.
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.
All member states would be required to adopt network and information security strategies and set up teams to respond to incidents. Cooperation networks would be created at EU level.
- EU member states will have 21 months to implement the directive once it enters into force.
- They will then have 6 months to identify their operators of essential services.
- Press release: MEPs close deal with Council on first ever EU rules on cybersecurity (7 Dec. 2015)
- ALDE: Cyber security: EU lawmakers seal deal (7 Dec. 2015)
- Draft NIS directive adopted by European Parliament in first reading (March 2014)
Council of the EU
- Press release: First EU-wide rules to improve cybersecurity: deal with EP (8 Dec. 2015)