In February 2013, the European Commission released a draft Network and Information Security Directive (the Draft Directive).
In addition to provisions aimed at member state governments, the Draft Directive applied to a wide range of companies within the definition of Market Operator. Market Operators included private companies in the energy, transport, financial services and health sectors and also included "enablers of key internet services", such as providers of e-commerce platforms, social networks, cloud computing services, application stores, internet payment gateways (e.g. WorldPay) and search engines.
The Draft Directive therefore had a direct impact on key players and stakeholders in the World Wide Web, including global technology brands such as Microsoft, Facebook and Google. It also had a direct impact on SMEs that fell within the definition of Market Operators.
Under the Draft Directive the two main requirements placed on private sector companies falling within the definition of Market Operator are to:
- implement security measures to "guarantee a level of security appropriate to the risk presented"; and
- notify competent national authorities of any security incident that has a significant impact on the continuity of the core services they provide.
What's changed?
On 14 March 2014, the European Parliament voted through an amended version of the Draft Directive (the Approved Directive). The only material difference between the Draft Directive and the Approved Directive concerned the scope of the definition of "Market Operator".
When the Draft Directive was published, many companies expressed concern that the scope of Market Operator was too wide and complained about the potential impact on innovation such an onerous regulation might have. In response to this criticism the Approved Directive only applies to private sector organisations that are deemed important to national infrastructure, namely companies in the following sectors:
- energy;
- banking and financial services;
- telecommunications;
- health; and
- transport.
The Approved Directive will not apply to "enablers of key internet services" such as providers of e-commerce platforms, social networks, cloud computing services, application stores, internet payment gateways (e.g. WorldPay) and search engines or public administrations.
What's next?
The deadline for adoption of the Approved Directive is December 2014, at which point member states will have a further 18 months to incorporate the Directive into national law. Although approved by the European Parliament, the Directive still needs to be agreed at European level and so the Approved Directive is not necessarily the final version. It could still be the case that the final version catches "enablers of key internet services".
Also, there are a number of other issues that still need to be addressed; for example deciding how member states will co-operate with each other and which regulators should supervise private sector companies and receive reports of incidents.
The most pressing issue, however, is likely to concern the Approved Directive's overlap with existing European regulation.
A major concern raised in relation to the Approved Directive is the overlap with the proposed General Data Protection Regulation (the Regulations), which was approved by the European Parliament just a few weeks ago, on 12 March.
Under the Approved Directive and the Regulations, Market Operators will be required to bring incidents that relate to personal data to the attention of both the Information Commissioners Office and the UK's NIS (Network Information Service) competent authority. Work will need to be done to clarify how this will work in practice, as double reporting would be inefficient and unnecessarily burdensome.
Work will also need to be done to determine how the Approved Directive will interact with the existing Directive on ePrivacy which applies to companies in the telecommunications sector.
While there are still many uncertainties over the implementation of the Approved Directive, what we can be sure of is that the digital arena of the EU will be subject to further regulatory changes in the quest to fulfil European Commission Vice President Neelie Kroes's ambition to "make Europe the world's safest online space".