On 13 March 2014, the European Parliament successfully voted through the proposed Network and Information Security (NIS) Directive, but with a number of amendments to the proposed text.
The European Parliament’s proposals for amendment include removing public administrations, software developers and hardware manufacturers from the scope of the NIS Directive. Whilst acknowledging that public administrations, as a result of their public duty, should exercise due diligence in the management and protection of their own network and information systems, the European Parliament suggests that it is important for the NIS Directive to focus on critical infrastructure essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial markets and healthcare.
Instead, the European Parliament proposes to extend the list of sectors which are considered critical infrastructures under the NIS Directive, to include internet exchange points and food supply chain services. The European Parliament has also added a proviso that the disruption or destruction of the functions performed by the critical infrastructures must have a significant impact in a Member State as a result of the failure to maintain those functions.
In relation to the reporting obligations under the NIS Directive, the European Parliament has proposed a number of factors which should be taken into account to determine the significance of the impact of an incident and whether it is reportable to the national competent authority. The factors proposed by the European Parliament include the number of users whose core service is affected, the duration of the incident and the geographic area affected by the incident.
Since the NIS Directive was first proposed it has been subject to scrutiny by various committees and stakeholders and some of the above proposed amendments reflect the feedback from the various committees and stakeholders. Please see our previous report on the NIS Directive looking at recommendations for changes to the initial draft here.
The European Parliament has tried to limit the scope of some of the provisions of the NIS Directive. However, there are still concerns about the onerous reporting obligations and the fact that, whilst the NIS Directive will increase the costs of doing business, it is uncertain whether it will actually deliver on its aim of increasing security.
A survey commissioned by the Department for Business, Innovation and Skills last year confirmed that 93% of large organisations and 87% of small businesses had a security breach in the past year, with affected companies experiencing roughly 50% more breaches on average than the previous year. According to these statistics, the reporting obligation under the NIS Directive could be potentially significant amongst businesses in the UK and would add a further regulatory and financial burden on them. In addition, businesses will also be concerned about the publicity that may arise as a result of reporting incidents and security breaches, which could potentially damage their reputation.
The amended text, that can be viewed here, will now be examined by the Council of the EU. The Commission is hopeful that the NIS Directive will be adopted by the end of 2014.