Detailed EU cybersecurity rules for digital providers delayed until autumn

14 August 2017 10:04am

By Magnus Franklin. Published 10 August 2017.

Companies that underpin the digital economy — including Google, Microsoft, IBM and — will have to wait until after the summer to know what cybersecurity standards they will be expected to adhere to in Europe. Secondary legislation that was due to be adopted on Aug. 9 has been delayed until some point during the autumn, MLex has learned.

A group of government experts, who will rubber-stamp the final decision, discussed an informal "non-paper" on the detailed rules at a meeting in late June, but evidently did not secure sufficient support for the European Commission to quickly adopt the related implementing act as it had originally planned.

The EU adopted the Network and Information Security Directive in July 2016. This primary legislation aims to ensure that operators of "critical infrastructure" have certain security systems in place to resist cyber attacks. The law covers traditional industries such as energy, transport, finance and healthcare, as well as online businesses such as operators of Internet nodes, online marketplaces, online search engines and cloud-computing services.

The European Commission is also expected to put forward a proposal in September to update the bloc's cybersecurity strategy, last reviewed in 2013. The subject has come to the fore in policy discussions in recent months, after a wave of large-scale cyberattacks on European companies and administrations.

Some digital companies involved in drafting the secondary legislation have told MLex that the commission has given mixed messages on the stringency of the precise standards that will eventually be required.

On the one hand, the informal paper circulated in June notes that lawmakers "decided to apply a light-touch regulatory approach" to digital service providers when drafting the main piece of legislation. Such companies "should remain free to take measures they consider appropriate to manage the risk posed to the security of their network and information systems."

But at the same time, the documentation that underpins the current draft of the implementing act sets out detailed measures that such operators must take to comply with it. These rules cover two broad areas: the preventive measures operators need to take, and what factors should come into play to determine whether an incident is serious enough to require the company to notify authorities and users.

In parallel with the drafting of the implementing act, EU member states are adopting national laws that will bring the directive to life.
