Search engines, social networks and e-commerce websites will have to comply with EU security measures
The attempt by the European Union to strengthen data security with its proposed cyber security rules will now include digital platforms.
This means that firms such as Google, Amazon and Facebook could have to comply with new cybersecurity rules that focus on risk management and breach reporting requirements in particular.
The EU first proposed its cybersecurity legislation back in July 2012. Known as the ‘Network and Information Security Directive’, the rules were originally only aimed at critical industries such as energy, transport and finance.
“As far as network and information systems are concerned, the aim would be to enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber security culture in the EU,” it said back in 2012.
“The Commission is considering the introduction of a requirement to adopt risk management practices and to report security breaches affecting networks and information systems that are critical to the provision of key economic and societal services,” it added.
But the proposed legislation has faced some criticism over the intervening years, as well as a stiff debate between member states as to whether digital platforms (cloud computing platforms, search engines, e-commerce websites, etc.) should be included in the new law.
This could potentially mean that companies like Amazon, Google and Facebook would be required by law to report serious breaches to national authorities, at least according to a document seen by Reuters. It said that following months of negotiations, digital platforms will now fall under the law’s remit, albeit with less onerous security obligations.
Details about the less onerous security obligations for digital platforms were not included in the paper that Reuters saw.
It should be noted at this point that the Network and Information Security Directive is still being debated, and a meeting is scheduled for September for nation states to express their own preferences, after which the drafting of the full legal text will begin.
What all this essentially means is that a cloud computing provider, or any other digital firm providing a service for an infrastructure operator, for example, would be subject to the same rules that apply to that operator.
Predictably, this has not gone down well in the tech industry.
“We’re pleased to see digital service platforms subject to a different regime but we’re disappointed at the lack of recognition that it is the use of cloud that determines the security risk not the service itself,” Chris Gow, Senior Manager, Government Affairs at Cisco was quoted by Reuters as saying.