In addition to the launch of its new over-arching Cybersecurity Strategy, the European Commission last month proposed a Directive with measures to ensure harmonised network and information security across the EU.
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The directive also suggests that market operators will be liable regardless of whether they maintain their networks internally or outsource that work.
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.
Key internet companies including payment services, social networks, search engines, cloud services, apps providers, e-commerce platforms, video sharing platforms and voice-over-Internet providers were also earmarked by the EU strategy.
The Commission has sent the proposal to the Parliament, where it is awaiting distribution amongst the committees likely to play a key role in the debate.
These include the committees for Civil Liberties, Justice and Home Affairs; for Industry, Research and Energy; for the Internal Market and Consumer Protection; and for Legal Affairs.
Which committee should lead the process remains to be decided, whilst rapporteurs and shadow rapporteurs – the MEPs responsible for the content of committee reports – will also need to be appointed.
The mandate of the current Parliament expires next year, and with elections set for May 2014, MEPs are likely to cease considering legislative matters weeks before as they prepare to canvass for votes.
Parliamentary sources told EurActiv that the body has already signalled to the Commission that it will not be in a position to manage the debate of new legislative measures proposed by the EU executive after April this year.
Paper is complicated, controversial
That puts the cybersecurity directive in a precarious position as it is a complicated paper requiring scrutiny from the different political groups.
One key issue is the extent to which the private sector will be compelled to make official notifications indicating when they have been cyberattacked under the new rules.
This issue marks a clear line of difference between the levels of cybersecurity vigilance the EU and United States aim to implement, since the US is likely to opt for a much more voluntary approach to such notifications.
“The European Parliament will have a very close look on the Commission’s proposal and we will carefully elaborate the impact of the directive. Ensuring the security of our citizens, granting shareholder as well as consumer protection will be at the core of the discussions in the coming months,” said German MEP Christian Ehler (European People’s Party), a member of the committee on industry, research and energy.
Race against time
Two senior administrators in the Parliament, speaking on condition of anonymity, doubted the body would be able to conclude deliberations before its mandate finishes next year.
“It is complex, and even deciding who should take the lead on the process is clearly not going to be easy,” said one.
Even if the Parliamentary process works at top speed, negotiations with the Council and the Commission are likely to be “extremely difficult”, another administrator said.
“The Commission will also be coming to the end of its mandate, and political pressures between the EU executive and the Parliament will make the atmosphere less amenable,” he added.
If the legislation fails to pass the Parliament, a fresh proposal may be needed since “only legislation which has reached an advanced stage of agreement can usually be held over for the next elected Parliament to consider,” one administrator said.
That would mean a considerable delay to Europe’s adoption of harmonised cybersecurity measures.