Disagreements between member states are holding up proposals for pan-European cyber security rules, whilst experts warn that the threat from an anarchic Internet is increasing.
The Latvian presidency of the European Council wants to begin negotiations on the proposed network and information security (NIS) directive on 30 April, but needs a mandate from the member states before it can do so.
The directive would oblige infrastructure-critical companies to report any cyber attacks, but the definition of what types of companies would be included within the scope of the reporting within the directive remains controversial.
A key outstanding issue focuses on the extent to which US giants such as Google, Amazon and Facebook – so called “over-the-top” companies – will be caught by the directive, and obliged to make reports in respect of cyber attacks.
More or less rigorous definition
EU diplomats told EURACTIV that Ireland, Sweden and the UK – all countries which host large US-based internet concerns – are leading efforts to minimise the involvement of such companies within the scope of the directive. Meanwhile France, Germany and Spain, amongst others, are opposed.
Latvia is keen to try and iron out a compromise before the end of its presidency, having taken the unusual step of earmarking 30 April to start trilogue negotiations between the EU Council, Parliament and Commission. The Latvian presidency has not pegged dates for other trilogues yet – an indication of how keen it is to agree the cyber security dossier.
Delays to the agreement of the NIS directive come against a backdrop of rising warnings from officials about European preparedness in the face of cyber attacks.
Udo Helmbrecht, the executive director of the EU’s Agency for Network and Information Security (ENISA) recently warned MEPs about the risk of a virtual “Wild West”.
“When you talk today about the Internet, it is the ‘Wild West’. Everyone can do what they want. There is no control, no regulation,” he told MEPs in an exchange of views held on 16 March in the European Parliament’s subcommittee on security and defence. “And the reason for this is: where is the governance structure?”
Member states keeping cards close to chest
ENISA’s role is to support the EU and the member states in enhancing and strengthening their capability and preparedness to prevent and detect cyber security incidents.
Problems of trust between member states were alluded to at the same meeting by Peter Round, the director of capability, armament and technology at the European Defence Agency.
Round explained that there were widespread reports that member states are concealing details of the development of offensive cyber security capabilities from one another.
“One of the issues with cyber is that it is in some ways the new gunpowder. When a member state gains a capability – certainly at first – they don’t want to share it, because some have it and some don’t, and we are seeing that some don’t want to share it, seeing it as a sovereign and national issue,” Round told MEPs.