EurActiv.com


27/09/2016

Internet firms push to be left out of EU cybersecurity law


Cisco and Google are seeking to be excluded from a new EU cybersecurity law that would force them to adopt tough security measures and report serious security breaches to national authorities.

The so-called Network and Information Security directive is due to be finalised in talks between the European Parliament, the European Commission and member states over the coming weeks.

EU lawmakers want the law to cover only sectors that they consider critical, such as energy, transport and finance.

But the Commission – the EU executive – and some countries, such as Germany and France, are pushing to include cloud providers, social networks, search engines and e-commerce platforms because of their widespread use by people and businesses.

Internet companies are firmly opposed to such a move, which would incur extra compliance costs.

“Online services such as e-commerce sites, search and social networks are useful but not critical. This legislation should focus on truly critical infrastructure only,” said James Waterworth, vice-president for Europe of the Computer and Communications Industry Association, a lobbying group which includes Facebook, Microsoft and Google.

Such firms agree with lawmakers who say their inclusion would lead to duplicate incident reporting – for example when a bank using a cloud-computing provider suffers a security breach.

“We are implicated anyway with critical sectors as customers,” said Chris Gow, senior manager of government affairs at network equipment maker Cisco.

Currently there is no pan-European law and only telecoms operators are subject to the incident-reporting requirements.

The European Parliament also wants all companies within a sector to fall under the new law’s scope – but member states want the flexibility to pick and choose within sectors.

Internet companies are concerned that if member states have their way, this would result in a fragmentation of security standards across the bloc.

“If cybersecurity rules are different in each European country … it would fragment the digital single market,” Waterworth said.

Background

In November 2010, the European Commission presented the EU Internal Security Strategy in Action 2010-2014. The strategy, which comes to an end, set out a shared agenda for Member States, the European Parliament and EU agencies to address key challenges for the security of the EU: serious organised crime, terrorism, cybercrime, border security, and the management of natural and man-made disasters.

Taking account of the Communication on the future agenda for Home Affairs and of the European Council guidelines adopted in June, the Commission will present in early 2015 a Communication on a renewed strategy for 2015-2020. 

The European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, launched a cybersecurity strategy alongside a Commission-proposed directive on network and information security (NIS).

The Strategy is accompanied by a legislative proposal to strengthen the security of the EU’s information systems, which is supposed to encourage economic growth as confidence in buying online and using the internet grows.