Google, eBay, Facebook, Yahoo!, Foursquare and Microsoft want nothing to do with the proposed new EU cybersecurity law.
In an open letter to Europe’s telco ministers last week, CCIA (the Computer & Communications Industry Association) said the proposed Network and Information Security (NIS) Directive should exclude internet-enabling services and focus on “truly critical infrastructure”.
When the law was first proposed by the European Commission, it included rules for so-called "enablers of information society services" aimed at online giants such as Google, Amazon, eBay and Skype. However, the European Parliament changed the text so that the rules will now apply only to companies that own, operate or provide technology for critical infrastructure facilities.
National ministers, the European Commission and MEPs got together for the first time to try to nail down the wording in the proposed Network and Information Security (NIS) Directive last month.
In the text as it stands, so-called “market operators” are required to notify the authorities about any cybersecurity incidents. However, although it is broadly agreed that critical infrastructure must be included, there is a lot of argument about what should constitute a “market operator”.
The general consensus, as CCIA points out, is that online banking services would be included along with other financial institutions, and it adds that basic and essential telecom services are already regulated under the EU’s telecoms rules framework. However, that still leaves a lot of room for debate on whether “internet-enabling services” should be included.
CCIA says many of the requirements envisioned by the NIS Directive are already provided for by commercial contracts and service level agreements. However, the new law goes beyond normal data breach notification rules and could require the reporting of major “incidents” even if no data is stolen.
Google et al’s mouthpiece claims this would swamp regulators: “Inclusion of broader information society services risks unleashing an avalanche of random personal data for often struggling regulatory agencies. Such massive reporting, and often double reporting, to poorly resourced authorities would expose citizens’ personal data to unnecessary risk at no significant security benefits,” says the CCIA letter.
The letter characterises “internet-enabling services” as online gaming and social networks and says citizens expect “scarce economic resources and technical expertise” to focus on “truly critical infrastructure such as nuclear power plants and transportation facilities”.
Many internet-enabling services are already regulated for cybersecurity incidents, and additional legislation would only introduce complexity and confusion, they argue ... and, which the CCIA coyly doesn’t add, cost.
“A broader scope of the NIS Directive risks undermining the law’s ability to protect what really needs protection,” says the letter. ®