E-commerce platforms and public administrations should be omitted from scope of new NIS Directive, say MEPs

Out-Law News | 27 Jan 2014 | 11:23 am | 2 min. read

Businesses that sell goods and services over the internet and public administrations would not have to adhere to new EU IT security standards, according to plans backed by a committee of MEPs.

The European Parliament's Internal Market and Consumer Protection (IMCO) Committee last week adopted a report that contained a number of changes to the draft Network and Information Security (NIS) Directive which the European Commission originally published in February last year. IMCO is the leading committee within the European Parliament on the NIS Directive.

Under the Commission's plans, 'public administrations' and 'market operators' would be subject to new cyber security and breach notification requirements. Businesses from across the financial services, energy and technology sectors would be among those obliged to comply with the new regime which has been proposed as a means to better protect critical national infrastructure within the EU.

Businesses subject to the rules would have to put in place "appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations". The measures would have to be "appropriate" to address the particular security risks the individual organisations face.

In the event of a cyber security breach that has a "significant impact on the security of the core services they provide", the public administrators and market operators would have to notify designed regulators within EU member states of the incident.

However, the IMCO Committee has now voted in support of amendments to the Commission's plans which reduce the scope of the proposed new framework. Under its plans, neither 'information society services' nor 'public administrations' would be subject to the new Directive.

The definition of an information society service contained within the proposed NIS Directive is derived from other existing EU legislation.

An 'information society service' is "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services", and covers services such as e-commerce platforms.

"While the rapporteur has decided not to include internet society providers and public administration into the scope of the Directive, it would still be of relevance to keep internet exchange points under the obligations of the Directive," a statement issued by the IMCO Committee said. "Public administration, in turn, would be able to adopt the requirements on a voluntary basis."

The text that the IMCO Committee voted to support has not yet been published, but its statement said that the Commission's proposals have been amended in a way which ensures that "data protection obligations have been considerably strengthened".

The IMCO Committee's rapporteur has been given a mandate to open negotiations with the EU's Council of Ministers with a view to agreeing on the final wording of the NIS Directive. Both the European Parliament and Council of Ministers must back proposed EU legislation before it can be introduced. The IMCO Committee said the Parliament is due to vote on its report in March.