Out-Law News

Differing standards of protection possible for compliance with new EU rules on IT security

Certain businesses that deploy high standards of security may be deemed in breach of new EU rules on network and information security whilst other businesses conforming to lower standards of protection remain compliant, under the latest proposals.

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) at the European Parliament has published a document containing a list of draft amendments (63-page / 392KB PDF) MEPs in the group would like to see made to the European Commission's proposed Network and Information Security (NIS) Directive.

The draft Directive, first published by the Commission in February last year, aims to ensure that banks, energy companies and other businesses involved in the operation of critical infrastructure maintain sufficiently secure systems.

But MEP Marie-Christine Vergiat has now suggested that the standard of protection required of organisations should differ based on the extent of damage that could be caused in the event of the protections put in place by each organisation being breached.

"Public administrations and private undertakings, including network service-providers and suppliers of information and software, should regard the protection of their information systems and of the data which they contain as forming part of their duty of care," the proposed amendment suggested by Vergiat said. "Appropriate levels of protection should be provided against reasonably identifiable threats and areas of vulnerability. The cost and burden of such protection should reflect the likely damage which a cyber-attack would cause to those affected."

Under the Commission's plans, public administrators and 'market operators' would have to notify designated regulators of "significant" cyber security incidents that they experience. Not all breaches reported to the regulators would necessarily be conveyed to the public under the plans, but regulators would be required to determine on a case-by-case basis whether it was in the public interest to inform the public. The regulators would be obliged to share information with one another on cyber security risks in accordance with the proposed framework.

However, MEP Christian Ehler has suggested a slight change to the planned notification obligations to place a timeframe on reporting.

"Member States shall ensure that public administrations and market operators completely and without measurable delay notify to the competent authority incidents having a significant impact on the security of the core services they provide," Ehler's draft amendment said.

Other proposals contained in the LIBE committee document would, if implemented, see the implementation of the NIS Directive postponed until after reforms to EU data protection rules – currently subject to separate negotiations – are introduced. A separate personal data breach notification regime is envisaged under the draft General Data Protection Regulation that has been outlined.

In addition, EU member states would be obliged to draw up their own national strategies on network and information security within a year of the NIS Directive being adopted, under a proposal drafted by MEP Csaba Sógor.
