The Cyber Security Directive (formally known as the Network & Information Security Directive) (the Directive) was considered by the European Parliament (the Parliament) in March. After a first reading of the Directive, MEPs voted strongly in favour of its progression to the next stage of the legislative process. This will involve negotiations between the European Commission (EC) and the Council.
Work on the Directive first began in February 2013, as part of the EU Cyber Security Strategy. In a speech to the Parliament, Vice President Kroes reiterated that the Directive’s main aims are to bring all member states to a minimum security standard, promote cooperation and ensure preparedness and transparency in important sectors.
The Directive will introduce mandatory breach notification for certain organisations and set out minimum security requirements.
The Parliament made substantial amendments to the version of the Directive that had been proposed by the EC, such as:
- Narrowing the scope of organisations that fall within the Directive’s requirements to eliminate its application to search engines, social media platforms, internet payment gateways and cloud computing services, software developers and hardware manufacturers, by limiting its application to providers of “critical infrastructure”, such as organisations in the energy, transport, banking, finance, and health sectors.
- Developing National Security Strategies, with the assistance of ENISA (European Union Agency for Network and Security), that will allow Member States to develop minimum standards.
- Appointment of a single point of contact among national competent authorities (NCAs) for security and network information systems to facilitate cooperation and communication between Member States. NCAs will be responsible for ensuring compliance, including imposing sanctions where an organisation suffers a breach intentionally or where there has been gross negligence. The amendment to the original text of the Directive permits Member States to appoint several NCAs, so long as only one “national single point of contact” is responsible and restricts the imposition of sanctions.
As the Directive progresses to the next stage of the legislative process, additional changes could be made. The Commission aims for the Directive to have completed the legislative process by the end of 2014.