(June 12, 2015) A proposal by the European Commission, adopted in 2013, for a Directive on Network and Information Security (NIS) has recently failed to be endorsed by the Council of the European Union, due to disagreements among the Member States. (European Commission, Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union, COM(2013) 48 final (Feb. 7, 2013), EUROPA; Member States See Digital Security as a National Issue, EURACTIV (May 29, 2015).)
Reporting Requirement Controversial
The contentious issues among EU Members include a requirement that a broader group of entities be required to report cybersecurity attacks than under current rules. (Proposal, art. 14, ¶¶ 1 & 2.) Under existing EU rules, only telecom companies and data controllers have to adopt security measures, and only telecom companies are required to report significant security incidents. Moreover, only telecom companies and data controllers are obliged to put in place security measures. (Press Release, European Commission, Proposed Directive on Network and Information Security – Frequently Asked Questions (Feb. 7, 2013), EUROPA.)
The proposal extends the obligation to report important cyber security events that pose a threat to core functions to the following market operators:
• key Internet companies, such as large cloud providers, social networks, and search engines;
• the banking, stock exchange, and energy sectors;
• operators of air, railway, and maritime transport means;
• the health sector; and
• the public administration. (Proposal, art. 3, ¶ 8.)
Small- and medium-size enterprises are excluded from this requirement. (Id. art. 14, ¶ 8.)
Several Member States, including Ireland, Sweden, and the United Kingdom, opposed the cyber attack reporting requirement for large non-European companies, while France, Germany, and Spain opposed the mandatory measure in its entirety. (Member States See Digital Security as a National Issue, supra.)
Disclosure of a data breach to the public is not obligatory under the proposal; nevertheless, designated national competent authorities on information security issues may decide to inform the public of any breach. (Id).
Other Features of the Proposal
In addition, EU Members would be required under the proposal to establish a Computer Emergency Response Team (CERT) to be responsible for handling incidents and risks. (Proposal, art. 7.) The national competent authorities and the Commission would create a permanent cooperative network to exchange information about risks and incidents and would be supported by ENISA. (Id.) ENISA was established in 2004 to ensure the security of network and information in the EU and published a report on cyber security incidents in 2011, covering 51 incidents. (ENISA, Cyber Incident Reporting in the EU: An Overview of Security Articles in EU Legislation (Aug. 2012), at 2 [click on “Full Report” pdf to view].)
The proposal also envisions the creation of an EU NIS cooperation plan, to be adopted one year after the Directive is passed. (Proposal, art. 12.)
Legislative Process
Adoption of the directive would need to follow the EU’s ordinary legislative procedure. The position of the European Parliament on the proposal passed at a first reading on March 13, 2014, and the Council of the EU then went through its first reading of the document. (Improving Cyber Security Across the EU, Council of the European Union website (last visited June 9, 2015).) According to the ordinary procedure, the Council, at this stage, will send the proposal back with its comments on it to the Parliament for a second reading. (Ordinary Legislative Procedure, European Parliament website (last visited June 9, 2015).)