By Mark Young and Oliver Grazebrook
The Irish Presidency of the Council of the EU has published a progress report on negotiations at Member State level on the EU CyberSecurity Strategy and proposed EU Directive on Network and Information Security (“NIS Directive”). As we summarised in this post, if enacted in its current form, the NIS Directive will require companies in the energy, transport, financial services and health sectors, as well as a broad range of online companies, to implement mandatory security measures and report significant security incidents to national authorities.
Member States clearly have concerns with some fundamental aspects of the proposals. The Presidency has highlighted the following issues:
Commission’s Impact Assessment (IA)
- Several Member States have pointed out that the impact assessment does not sufficiently justify why specific sectors have been included in the proposal, such as “enablers of information society services”, and others have not, such as hardware/software manufacturers.
- Most Member States have also raised the issue of the perceived significant costs involved in implementing the Directive and regretted that the IA fails to sufficiently assess the possible benefits.
- At a more fundamental level, Member States have requested further justification from the Commission why a legislative, rather than a voluntary approach, would be the preferred option to tackle the uneven level of security capabilities across the EU and the insufficient sharing of information on incidents, risks and threats.
- Member States have expressed doubts about subjecting providers of information society services to the same obligations as operators of critical infrastructures.
- More generally, many national delegations are unclear how the proposal for a NIS Directive would relate to other relevant pending and forthcoming legislation, such as that concerning critical infrastructures, attacks against information systems, data protection and electronic identification. For example, they are also concerned that various notification obligations in several pieces of legislation might lead to confusion.
- Regarding establishing NIS strategies, cooperation plans and CERTs, delegations have not yet expressed firm positions as they are currently carrying out national consultations with stakeholders and are analysing the details of the proposal in the context of existing or planned national cyber strategies.
The next key event in the process will be a ministerial debate on 6 June. The following questions have been tabled for debate:
- Is legislation necessary in this field or would a voluntary or a mixed voluntary/legislative approach be preferable?
- Should EU companies and companies from third countries active in the EU implement higher security standards than companies in and from other parts in the world?
- Is there is a need to coordinate this matter further at a global level before regional solutions are implemented?