Members of the European Parliament voted through the revised draft of the Network and Information Security Directive (“NISD”) on cyber security regulation in the European Union (“EU”) yesterday following a debate in Strasbourg this week. Commission Vice President Neelie Kroes has since stressed the importance of Member States coming to a final agreement on the roll-out of NISD by the end of 2014.
NISD aims to harmonise cyber security across the EU and will impose mandatory obligations on public authorities and market operators. NISD has gone through a round of amendments from various committees further to Member State consultation on the original draft from the European Commission.
The original draft included a wide range of companies within the definition of “Market Operator” – including search engines, payment gateways, cloud computing services and mobile applications – but many businesses expressed concern at the scope of the definition and the potential impact on innovation that such regulation might have. The definition of “Market Operator” has since been refined to include companies which are deemed important to national infrastructure – such as energy companies, banking and financial services companies and companies operating within the telecommunications, health and transport sectors.
For companies already operating in similarly regulated environments, such as those in the telecommunications sector, NISD is likely to result in a change in approach to operating practices. For others, such as companies in the energy sector, cyber security regulation will become an increasingly important strategic concern. This is especially true for those energy sector companies playing a role in energy services, big data, metering and other activities relating to developing markets such as smart cities and smart grids.
There are still, however, a number of potentially contentious issues with NISD, including the mechanics of how Member States plan to co-operate with each other, what role the proposed National Competent Authorities (“NCAs”) will play, what powers they will be able to exert and what the potential criminal consequences could be in respect of notification requirements from NCAs to law enforcement bodies. There is also the opportunity for individual Member States to legislate beyond NISD, setting a higher standard within national legislation.
To add further complexity, it is still unclear how NISD will interact with contemporaneous European regulation such as the new EU Data Protection Regulation (which has also been voted through by the European Parliament this week) and, for example, in the telecommunications sector, the existing directive on ePrivacy.
The European Council will now work together to agree a common approach across Member States to NISD, taking into account the full report from the European Parliament, before moving towards the anticipated deadline for adoption in December 2014. Once adopted, Member States will have a further 18 months to incorporate NISD into national law to ensure a common minimum approach across the EU, meaning an ultimate deadline of approximately the summer of 2016.
Progress made this week in the European Parliament on NISD and the new Data Protection Regulation adds momentum to work being undertaken by the European Commission to make the EU the most competitive digital economy in the world. This, linked with reform of the telecommunications sector (the so-called “Connected Continent” package) and the ongoing TTIP negotiations with the United States around data and information security, presents an ever-changing regulatory landscape for EU companies that operate in the digital world to understand and plan for.