U.S. tech giants, like Google and Facebook, found themselves caught between the European Parliament and the European Commission as disagreements continue as to whether Internet service providers should be included within the definition of ‘market operators’ in the Proposed Directive on Network and Information Security (IP/13/94) (the ‘Directive’). Currently, the EU Commission would like to see both search engines and social networks included, whereas the European Parliament prefers a common European framework focusing on critical infrastructure only, such as financial services and power stations.

The EU Parliamentary view is that broadening the scope of the Directive risks undermining the aim of the law which is to protect key or critical services, whereas including ISPs, and as a consequence some U.S. tech giants, would require the tech giants to report global cyber attacks to each of 28 member states’ respective regulators. Those arguing against ISP inclusion argue that they are already highly regulated, and that many of the requirements contained in the proposed Directive are already provided for by commercial contracts and service level agreements, and that the introduction of additional legislation would create added complexity and have a negative impact on innovation within the tech industry.

The Commission disputes this, highlighting the increased role of technology and the Internet, resulting in ISPs being critical to businesses. The Commission also argues that ISPs have become ‘entry points for several important aspects of the modern economy’ and therefore need to be regulated at the same level.

Negotiations relating to the scope and requirements of the Directive are on-going, and the proposed Directive is at some risk of being outdated before it becomes law – given the growing trend of organisations to share information about cyber attacks with law enforcement.