Sector-specific guidelines will set out cyber security incident reporting duties, UK government confirms

Out-Law News | 11 Jun 2015 | 12:19 pm | 1 min. read

Sector-specific guidelines will be issued to help businesses understand when they must notify regulators of cyber security incidents they experience under new EU cyber security laws, the UK government has said.

EU law makers currently negotiating the final wording of the proposed Network and Information Security (NIS) Directive have "informally agreed" on criteria that would "allow member states to develop sector-specific guidelines on what would constitute a reportable 'incident'", Rachael Bishop, policy officer at the Department for Business, Innovation and Skills (BIS) on cyber security EU and international policy, said in a new note on the progress of the negotiations (2-page / 94KB PDF).

Bishop said the agreement would allow EU countries to set reporting guidelines that differ from one country to another, and for tailored guidance on cyber security incident reporting to be issued to businesses depending on the sector in which they operate.

The NIS Directive was first published by the European Commission in February 2013 in a bid to bolster the security of critical infrastructure in the EU and to ensure that cyber security incidents with a real-world impact on that infrastructure are reported to regulators.

Bishop told Out-Law.com earlier this year that negotiations on the new Directive had stalled as a result of a disagreement between EU governments on the scope of the new Directive. Some governments are keen that digital service platforms should be subject to the new cyber security and incident reporting rules, however others, including the UK, oppose such a move, she said at the time.

In her new note, Bishop said that the European Parliament and Council of Ministers have still to resolve "the issue of scope", which she described as "the main area yet to be resolved".

"First, for Council it is important that it is left up to member states themselves to decide which companies are in scope of the Directive so that it is applied to those operators that provide critical services within the sectors identified in the Directive," Bishop said. "The Parliament want to opt for a maximalist approach which would see all companies within the identified sectors included in scope which could represent an unjustifiable regulatory burden."

"Second, there has been no agreement on whether digital services (e.g. search engines, social media websites) should be in scope," she said. "Council remains divided on this question whereas the Parliament would like them to be excluded from scope. The negotiations between Council and Parliament have not yet touched on this issue in any detail."

Operators of critical banking, energy, health and transport infrastructure are among the businesses that the finalised NIS Directive is likely to apply to.

Bishop said that it is possible that agreement between the Parliament and Council on the final text of the Directive might not be reached until this autumn. The provisions would then have to be implemented into national laws across the EU within two and a half years.