European Parliament backs new EU rules on network and information security

Out-Law News | 17 Mar 2014 | 2:53 pm

UPDATED: The European Parliament has voted in support of new EU rules on network and information security (NIS).

The NIS Directive was first proposed last year by the European Commission with the aim of ensuring that operators of critical national infrastructure meet appropriate IT security standards, share information about threats, and report certain security incidents they suffer to the authorities.

However, the Directive has been subject to amendment by various committees of MEPs since it was first introduced. The version approved in the parliament vote was the most recent one as amended by the Internal Market and Consumer Protection (IMCO) Committee, a spokesperson told Out-Law.com.

The IMCO Committee has led the Parliament's scrutiny of the NIS Directive proposals and published a report recommending changes to the Commission's original draft last month.

The IMCO Committee proposed changes to the scope of the NIS Directive. The Commission intended the new rules to apply to 'public administrations' and 'market operators', such as those that operate in the banking sector, telecoms companies, energy suppliers and e-commerce platforms.

However, the IMCO Committee proposed excluding public administrations and revising the definition and list of 'market operators'. Under its amendments, websites and other providers of 'information society services' would fall outside the regime, while operators of infrastructure that "are essential for the maintenance of vital economic and societal activities" in the fields of financial market infrastructures, internet exchange points and food supply chains would be brought into scope.

The IMCO Committee amendments were also aimed at clarifying other aspects of the Commission's proposals. The Commission said that organisations subject to the NIS Directive should have to report "incidents having a significant impact on the security of the core services they provide" to regulators. The IMCO Committee set out a definition of what should be meant by an 'incident having a significant impact'. The proposed definition reads: "an incident affecting the security and continuity of an information network or system that leads to the major disruption of vital economic or societal functions".

The IMCO Committee also suggested new provisions which would allow individual EU member states the freedom to determine the "criticality" of each 'market operator' subject to the regime, in reference to a number of factors. It said that the purpose of the new proposals was to allow the security audits businesses would have to open themselves up to under the Directive to be "adapted to the specific level of criticality of the market operator".

In addition, whilst member states would have the power to impose sanctions on organisations that fail to meet their security obligations under the new Directive, the IMCO Committee proposed that those sanctions should only be imposed where an organisation intentionally falls short of the required standards or does so through gross negligence.

The text supported by the European Parliament would need the backing of the EU's Council of Ministers before it could be introduced into law.

Editor's note 21/03/14: the story was altered to confirm which version of the proposals was approved by the parliament.