SPECIAL REPORT / EU attempts to introduce comprehensive new cybersecurity rules risk failure in the European Parliament, where senior administrators doubt the package will pass before the legislature's mandate expires, EurActiv has learned.
In addition to the launch of its new over-arching Cybersecurity Strategy, the European Commission last month proposed a Directive with measures to ensure harmonised network and information security across the EU.
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The directive also suggests that market operators will be liable regardless of whether or not they carry out the maintenance of their network internally or if they outsource it.
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.
Key internet companies including payment services, social networks, search engines, cloud services, apps providers, e-commerce platforms, video sharing platforms and voice-over-Internet providers were also earmarked by the EU strategy.
The Commission has sent the proposal to the Parliament, where it is awaiting distribution amongst the committees likely to play a key role in the debate.
These include committees for Civil Liberties, Justice and Home Affairs, for Industry Research and Energy, for the Internal Market and Consumer Protection and for Legal Affairs.
Which committee should lead the process remains to be decided, whilst rapporteurs and shadow rapporteurs – the MEPs responsible for the content of committee reports – will also need to be appointed.
The mandate of the current Parliament expires next year, and with elections set for May 2014, MEPs are likely to cease considering legislative matters weeks before as they prepare to canvass for votes.
Parliamentary sources told EurActiv that the body has already signalled to the Commission that it will not be in a position to manage the debate of new legislative measures proposed by the EU executive after April this year.
Paper is complicated, controversial
That puts the cybersecurity directive in a precarious position as it is a complicated paper requiring scrutiny from the different political groups.
One key issue is the extent to which the private sector will be compelled to make official notifications indicating when they have been cyberattacked under the new rules.
This issue marks a clear line of difference between the levels of cybersecurity vigilance the EU and United States aim to implement, since the US is likely to opt for a much more voluntary approach to such notifications.
“The European Parliament will have a very close look on the Commission's proposal and we will carefully elaborate the impact of the directive. Ensuring the security of our citizens, granting shareholder as well as consumer protection will be at the core of the discussions in the coming months,” said German MEP Christian Ehler (European People’s Party), a member of the committee on industry research and energy.
Race against time
Two senior administrators in the Parliament, speaking on condition of anonymity, doubted the body would be able to conclude deliberations before its mandate finishes next year.
“It is complex, and even deciding who should take the lead on the process is clearly not going to be easy,” said one.
Even if the Parliamentary process works at top speed, negotiations with the Council and the Commission are likely to be "extremely difficult", another administrator said.
“The Commission will also be coming to the end of its mandate, and political pressures between the EU executive and the Parliament will make the atmosphere less amenable,” he added.
If the legislation fails to pass the Parliament, a fresh proposal may be needed since “only legislation which has reached an advanced stage of agreement can usually be held over for the next elected Parliament to consider,” one administrator said.
That would mean a considerable delay to Europe’s adoption of harmonised cybersecurity measures.
"Digital Europe welcomes aspects of the draft Network and Information and Security (NIS) Directive that aims to strengthen public sector agencies and improve pan-European co-ordination. These include the strengthening of national Computer Emergency Response Teams (CERTs), the setting up of the cooperation network between competent national authorities and the requirement for the remaining Member States who have not already done so to adopt national cyber strategies. We welcome the clarification that the measures following from the provisions in the Directive should avoid specific design, development or manufacturing requirements in a particular manner. We also support efforts by the European Commission to focus the type of incidents that are reported under the reporting mechanism on those related to the core service of critical infrastructure operators as opposed to incidental services they may offer,” a statement from the group said.
“We are also aware, however, that this is the first time Europe has introduced legislation in this field and it represents a move away from voluntary, bidirectional information sharing between the public and private sector towards mandatory obligations and unidirectional reporting requirements. As such, we want to ensure that appropriate safeguards are put in place and that any provisions adopted are not only proportionate in terms of the sectors which are targeted but also reflect the international nature of cybersecurity and avoid inhibiting innovation in security," the Digital Europe statement concluded.
“I would like to emphasise on the fact that cybersecurity must go broader than combating digital crimes only. Technical disruptions and incidents or natural disasters could have the same severe consequences on our citizens and society,” said Bulgarian MEP Ivalio Kalfin (Socialists & Democrats).
“Clearer provisions on the single point of coordination, minimum resilience requirements in the Member States and on the relevant measures for a trust-based cooperation among competent authorities and stakeholders would be also profitable,” added Kalfin, a member of the Parliament’s Industry Research and Energy committee.
On 30 January, speaking at the Global Cybersecurity event, Craig Mundie, special advisor to Microsoft chief Steve Ballmer, estimated that cybercrime is responsible for the loss of between $300 billion and $1 trillion annually in the conventional economy.
“This grossly understates the risks associated with the cyber issues today, because the ultimate national security in every country depends at the end of the day on economic security,” Mundie said on 30 January told a global cybersecurity event organised by the European Security Round Table (ESRT) and the Estonian Defence Ministry under the Irish presidency official agenda.
“We now see a degree of industrial espionage at a scale that's never been prevalent before, and that is being converted into advantage by a number of countries, to the great disadvantage long term of the economic stability of others,” according to Mundie.
“We welcomes the European Commission’s proposed cyber security strategy which echoes our conviction that international cooperation is essential to achieving cyber security both within and beyond EU borders,” according to Wout van Wijk, EU public Affairs Manager with tech company Huawei.
“Huawei considers this to be a critical move coming at a crucial moment for both the public and the private sector. We would therefore encourage the Parliament and the Council to come to an agreement before the end of the mandate of the current Commission to ensure the swift adoption of the Directive,” said van Wijk.
“Additionally, if and when the strategy is transposed into law, we would urge lawmakers in Member States to adopt a simplified and coordinated approach. Otherwise international companies may be confronted by 28 different legal frameworks which could complicate efforts to create a safe, open and transparent cyber environment in Europe and beyond.”
- Before April 2013: Parliament to start considering the new Cybersecurity Directive
- May 2014: EU Parliamentary elections