The UK Government Department for Business, Innovation and Skills (BIS) produced a note dated 5 June 2015 (later released by the Bank of England), that confirms negotiations started in August 2014 between the European Council and European Parliament on the proposed directive to ensure a high common level of network and information security across the European Union (also known as the Cyber-Security Directive).

Some areas have been informally agreed. These include flexibility for Member States to use existing structures for the institutional structure required e.g. setting up emergency response teams and allowing Member States to develop guidelines on what a reportable incident is, and that cooperation between Member States and information sharing should be voluntary. Concerns which led to these agreements appear to include cutting down on the associated costs, and avoiding over-regulation.

Areas of disagreement remain regarding the scope and cooperation of incidents. The European Council would prefer Member States to decide which companies are in scope to allow them to focus on only critical services, whereas European Parliament wants all companies to be included (and the BIS considers this could represent an unjustifiable regulatory burden). Furthermore, there is no agreement on whether digital services e.g. search engines and social media websites should be in scope (which the European Council is divided on – the UK having previously felt a lack of any significant disruptive effect does not merit regulation) or excluded (which European Parliament wants), but negotiations have not yet touched on this.

It is estimated this will be resolved before summer 2015, but may not be agreed until autumn this year. On agreement, Member States will then have two and a half years to implement the directive into national law.

A copy of the note can be found here: