Large US-based internet firms such as Cisco, Google and Amazon will be subject to a new EU cybersecurity law forcing them to adopt tough security measures and possibly report serious breaches to national authorities, according to a document seen by Reuters.
The so-called Network and Information Security Directive has been stuck in talks between member states and EU lawmakers because of disagreements over whether to include digital platforms such as search engines, social networks, e-commerce sites and cloud computing providers.
EurActiv previously reported that Sweden, Ireland and the UK, which all host American technology giants’ European offices, had favoured a narrower application of the directive that would exclude many internet companies.
Members of the European Parliament want the law to only cover sectors they consider critical, such as energy, transport and finance.
But after months of negotiations, digital platforms will now fall under the law’s remit, albeit with less onerous security obligations, according to the document, which did not provide details of the obligations.
Internet companies are likely to contest the decision to include their services in the directive, as they’ve increasingly spoken out against legislative plans that they say would unnecessaily interfere in private firms’ activities.
Technology trade association DigitalEurope has called for the NIS directive to target only critical infrastructure. “The authorities in member states simply don’t have the capacity to police such a wide range of services. If you were to include internet enablers, it would drown national regulators. These notifications are daily occurences, there are cyber attacks all the time,” DigitalEurope spokesman Paul Meller told EurActiv. Cisco and Google are both DigitalEurope members.
The new details regarding internet companies stems from the Luxembourg Council presidency and suggest adopting a lighter approach for digital service platforms which typically do not have direct links to physical infrastructure such as, for example, a nuclear power company.
Any firm meeting the law’s definition of a digital service platform — which is still under discussion — would automatically be covered to avoid member states taking different approaches and causing fragmentation across the 28-nation EU.
A cloud computing provider or any other digital firm providing a service for an infrastructure operator would be subject to the same rules applying to that operator, according to the document, which could still change in discussions after the summer.
The paper asks member states to express their preferences at a meeting in September, after which drafting of a full legal text will start.
Internet firms will also be subject to notification requirements in cases of security breaches, although there is no agreement yet on whether these should be mandatory or voluntary.
“We’re pleased to see digital service platforms subject to a different regime but we’re disappointed at the lack of recognition that it is the use of cloud that determines the security risk not the service itself,” Chris Gow, senior manager for government affairs at Cisco told Reuters.
The European Commission and some member states reckon that because of the widespread use of Internet services and the number of businesses that rely on the web they should also be subject to security rules and reporting requirements.
Currently there is no pan-European cybersecurity law and only telecoms operators are subject to the incident-reporting requirements.