The European Parliament today voted to approve the draft Network and Information Security Directive (known colloquially as the Cybersecurity Directive), which contains new rules designed to improve the cybersecurity of the European Union. The proposal was first published in February 2013. Our comments on the initial proposal can be found here.
MEPs were strongly in favour of the current draft of the new rules, with the 'yes' vote winning by 521 votes to 22. Now that the current draft of the Directive has been approved by the European Parliament, it will be negotiated with the European Commission and the Council.
In the most recent draft of the Directive, the requirement for certain technology service providers (such as social networks, search engines, e-commerce platforms and online payment gateways) to notify breaches of their data systems to national authorities has been removed. Only those providers who own, operate or provide infrastructure which, if disrupted or destroyed, would have a significant impact on a Member State will be caught in the scope of the Directive. This was one of the most fiercely debated aspects of the drafting and its removal may have been the key to the success of the draft Directive in the European Parliament today.
See our analysis of the current draft of the Directive (published in February 2014) here.
The Directive is unlikely to complete the legislative process before the end of the current European Parliament term, meaning there is a possibility that the process will not be continued in the new Parliament starting in May 2014, although this is unlikely given the strong support of MEPs in this vote.
Simon Shooter, a partner in Bird & Bird's Cybersecurity Team comments:
"The European Parliament has recognised the critical importance of network and information systems in today's society and the need to protect them against cyber threats. However, many in industry will be concerned that the proposed new rules will increase regulation and the associated cost of doing business without actually delivering the desired improvements in security.
As the only law firm sitting on the NIS Public-Private Platform working group formed by ENISA (the European Union Agency for Network and Information Security) to help implement the proposed new rules, we've seen that businesses considered to be an 'operator of critical infrastructure' are particularly concerned that the rules requiring them to report security breaches in their systems will be inconsistently applied by different Member States, leading to regulatory complexity in complying. This is compounded by uncertainty at present about who these reporting rules will actually apply to.
What does this mean for businesses? First, an assessment should be made as to whether your business is likely to be affected by the resultant legislation. If it is, you should start to implement measures now that will ease the task of compliance later."