MEPs, the presidency of the Council of Ministers (the Council) and the European Commission have been in three-way discussions over the wording of the NIS Directive over the past six weeks and are set for a "third and final" meeting next week, the presidency of the Council said.
The NIS Directive would require operators of critical national and market infrastructure to adhere to stiffer IT security requirements, report certain cyber security incidents they experience to regulators and the public and apply new information sharing rules in an effort to ensure cross-industry collaboration against cyber security threats.
According to the proposals backed by the European Parliament earlier this year, organisations subject to the NIS Directive would have to report "incidents having a significant impact" on the security of the services they provide to regulators. The Parliament defined 'incident having a significant impact’ as "an incident affecting the security and continuity of an information network or system that leads to the major disruption of vital economic or societal functions".
In a briefing on the progress of talks (2-page / 204KB PDF) between it, the European Parliament and Commission on the NIS Directive, the Council presidency said that it is "confident" that the Council and Parliament would be able to "reach a deal before the end of the year" on the final wording of the legislation.
However, the Council presidency said that the Parliament and it have yet to agree on precisely which businesses should be subject to the new NIS Directive rules. This issue needs to be resolved before the Directive can be finalised.
"On substance, the main outstanding issue between the two institutions concerns the scope of the proposal," the presidency said in a briefing to the Council.
"Whereas the Council text would allow member states to assess, on the basis of defined criteria, whether or not certain operators in identified sectors would be subject to the obligations regarding security requirements and incident notifications in the Directive, the EP envisages an approach whereby all operators in all of the sectors identified are subject to the obligations but with a possible varying degree of providing evidence of effective implementation of security policies," it said.
"The identification and inclusion of certain sectors … also remains an open issue, including the question whether internet enablers should be [subject to the Directive], as the Commission advocates," the presidency said. "Other outstanding issues concern the architecture, objectives and extent of strategic and operational cooperation and the modalities and criteria for national incident notification and for notification in the EU context."
Earlier this month, Thomas Boué, a director of government affairs for the Business Software Alliance in Europe, the Middle East and Africa, said that only the operators of critical infrastructure and not information society services, like e-commerce and cloud platforms, should be required to report cyber security incidents under the NIS Directive.
“If business-to-business services like cloud services are included in the scope directly, it would create a situation where a single incident would be reported by both an IT service provider and the operator of the infrastructure," Boué said. "There would then be two (or more) reports for what is ultimately one problem, wherein only one entity has an clear and complete understanding of the impact of the incident on the critical network or service."
In September, the European Central Bank warned EU legislators about imposing new security incident notification rules in the payments sector under the NIS Directive which conflict with reporting frameworks payment service providers are already subject to.