It has been an eventful week in the European Parliament in relation to data privacy and security matters.  Having already voted in favor of the General Data Protection Regulation (“GDPR”) and endorsed a controversial report into allegations of mass surveillance, the European Parliament voted yesterday on the proposed Network and Information Security (“NIS”) Directive.  In line with previous committee reports, the Parliament vote ensures that the Proposed Network and Information Security Directive focuses on protecting critical infrastructure in the energy, transport, financial services and health sectors. 

The EU legislative bodies will now enter into negotiations to agree a final text.  Commissioner Kroes called earlier this week for this work to be completed this year, but this timeframe seems ambitious.

Recap on the Proposed NIS Directive

The Commission proposed the NIS Directive in February 2013.  In addition to provisions aimed at Member State governments (e.g., to improve cyber security capabilities and cooperation to prevent and respond to cyber-attacks), the Directive targets private companies in the energy, transport, financial services and health sectors.  The Commission draft also applied to “enablers of key internet services”, such as providers of cloud computing services, app stores, e-commerce platforms, internet payment gateways, search engines and social networks.   

The two main requirements on private sector companies under the Directive are (i) to implement security measures to “guarantee a level of security appropriate to the risk presented . . . having regard to the state of the art”, and (ii) to notify competent national authorities of any security incident that has a significant impact on the continuity of core services they provide.  The basic idea is to extend EU-level security and incident reporting requirements, which currently only apply to communication network and service providers, to a broad universe of private sector companies. 

Scope 

Including “enablers of key internet services” within the scope of the Directive has been controversial.  One view, which rapporteur Andreas Schwab (IMCO) expressed in his report, is that the security and reporting requirements should be “limited to infrastructures that are critical in a stricter sense”.  The Parliament yesterday agreed that these requirements should only be imposed on companies in the energy, transport, financial services and health sectors, and that “internet enablers” should be excluded.  This is consistent with the view of several Member States that such companies should not be covered by the proposal (see the Council’s Progress Report of 22 November 2013).  The Parliament has also removed public administrations from scope.

The Parliament agreed with the Commission’s original proposal that software developers and hardware manufacturers should be excluded from the scope of the Directive.

Overlap with the General Data Protection Regulation – and who to notify… 

One of the concerns that has been raised in relation to the Directive is the overlap with the proposed General Data Protection Regulation, specifically regarding whether it creates double reporting requirements (in relation to security incidents and personal data breaches).  More work will need to be done to clarify how this is to work in practice. 

Several other issues (such as applicable national law) still need to be resolved in relation to the NIS Directive, but one of the more significant challenges will be deciding which regulators should supervise private sector companies and receive reports of incidents.  As we know from the GDPR debate, determining which national regulators have scope to act and how they should cooperate is a thorny issue, which is arguably even more complicated in relation to the NIS Directive as energy, transport, financial services and health companies are already supervised by sector-specific national regulators.  The Parliament has made some progress in this area by proposing to amend the Directive to require each Member State to appoint one single point of contact, but it remains to be seen whether this plan will survive negotiations with the Council.