
MEPs: new network and information security rules should not apply to all cloud providers

Out-Law News | 20 Jan 2014 | 2:24 pm | 1 min. read

A committee of MEPs has outlined plans to restrict the extent to which cloud providers would be subject to new EU rules governing IT security.

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) at the European Parliament has finalised its opinion on the European Commission's draft Network and Information Security (NIS) Directive (26-page / 254KB PDF). The proposed laws aim to ensure that banks, energy companies and other 'market operators' involved in the operation of critical infrastructure maintain sufficiently secure systems.

The Commission had sought to make cloud computing providers subject to the new regime; however, the LIBE committee said only cloud providers that store "critical infrastructure data of the European Union" should have to adhere to the NIS Directive when it is introduced.

The LIBE committee also backed an amendment to the Commission's proposals that would remove social networks from the scope of the new framework altogether.

Under the Commission's plans, public administrators and market operators would have to notify designated regulators of "significant" cyber security incidents that they experience. Not all breaches reported to the regulators would necessarily be conveyed to the public under the plans, but regulators would be required to determine on a case-by-case basis whether it was in the public interest to inform them. The regulators would be obliged to share information with one another on cyber security risks in accordance with the proposed framework.

The LIBE committee said that how the Commission proposes to define a cyber security 'incident' should be changed. It said such an incident should refer to "any circumstance or event having an actual adverse effect on security and the provision of core services".

According to the proposals, the security standards that public administrators and market operators would need to adhere to would vary depending on the risks to their systems, and would depend to an extent on the technology available to protect those systems.

"Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to detect, effectively manage and limit the risks posed to the security of the networks and information systems which they control and use in their operations," the draft plans backed by the LIBE committee said. "Having regard to the state of the art, these measures shall guarantee a level of security appropriate and proportional to the risk presented."

"In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services and security of the data underpinned by those networks and information systems," it said.