Law makers ponder imposing EU cyber security obligations on digital platforms

Digital service platforms could face some cyber security obligations under the EU's planned new Network and Information Security (NIS) Directive, under plans being considered by EU law makers, Reuters has reported.

The news agency said that it had seen a document from the Luxembourg presidency of the Council of Ministers that contained proposals which, if introduced, would see digital service platforms subject to certain requirements under the NIS Directive.

Under the plans, digital service platforms would face "less onerous" cyber security obligations than other organisations that will be subject to the Directive, according to the Reuters report. Those other organisations include operators of critical banking, energy, health and transport infrastructure.

The Luxembourg presidency's document does not outline what those obligations would entail and 'digital service platform' has not yet been defined, Reuters said.

According to earlier NIS Directive proposals, operators of infrastructure that is "essential" for the maintenance of major "economic and societal activities" would be required to have appropriate and proportionate cyber security measures in place to protect their network and information systems from being compromised. Operators of that infrastructure would be required to report cyber security incidents that have a significant impact on the security of their network or systems to regulators.

Reuters reported that, under the Luxembourg Presidency's new proposals, digital service platforms could also be required to notify regulators where they experience such incidents. However, EU countries have been asked to specify their preference for whether cyber security incident notification should be voluntary for digital service platforms at a meeting in September, it said. 

