European ministers said on Wednesday they are ready to negotiate a new cybersecurity law with the European Parliament and Commission.
The proposed Network and Information Security (NIS) Directive would force operators that provide essential services (such as energy, transport, banking, and healthcare) and key internet enablers (such as e-commerce platforms and search engines) to take measures to manage risks to their networks and notify national authorities of cyber "incidents."
The question of what defined "key internet enablers" has been a sticking point. When it was originally proposed by the Commission, the draft law included rules for so-called "enablers of information society services" such as Google, Amazon, Ebay, and Skype. In November, however, such companies begged to be left out of the scope of the law.
The Computer & Communications Industry Association (which represents all of the above, as well as Yahoo!, Paypal, and Facebook) sent a letter to Europe’s telco ministers arguing that the directive should exclude internet enabling services and focus only on "truly critical infrastructure".
On Wednesday, the presidency of the Council, currently held by Latvia, announced that national ministers had reached an agreement among themselves and would now start talks with the Parliament and the Commission to get the new law on the books as soon as possible. But consensus between the three institutions could still be a long way off and the fate of Google et al is still unclear.
Digi Commissioner Günther H-dot Oettinger and Vice President Andrus Ansip welcomed the Council decision to move forward. "This is good news. The Commission will make sure that the trilogue produces ambitious results that live up to the challenges of cybersecurity," said Oetti. ®