In March the European Parliament voted through the Network and Information Security (NIS) Directive. The NIS (or cyber-security) Directive was proposed in early 2013 and is intended to ensure a high common level of network and information security across the EU. With ever increasing attention being paid to cyber-security, Neelie Kroes, vice president of the European Commission responsible for the Digital Agenda, has described online security as “a pre-condition for digital business models, our society and European Competiveness'.
The European Parliament made a number of amendments to the European Commission’s proposals including the following:
- The compulsory measures in Chapter IV of the Directive will now be limited to market operators of critical infrastructure essential for the maintenance of vital economic and societal activities. Providers of Information society services such as e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services and app stores will no longer be included in the list of market operators in Annex II.
- Software developers and hardware manufacturers are excluded from the scope of the Directive.
- Processing of personal data should primarily be regulated in accordance with the Data Protection Directive and the ePrivacy Directive. Use of personal data should be limited to what is necessary and should be as anonymous as possible.
- There may be one or more competent authorities on the security of network and information systems in each member state but member states should appoint one single point of contact.
- Each member state shall set up at least one Computer Emergency Response Team (CERT) for each of the sectors established in Annex II (eg energy and banking).
The draft Directive now needs to go before the Council where further changes to the draft text of the Directive could be made.
The author, Lucy Pegler, is a solicitor in Burges Salmon's Technology, Media and Telecommunications team, led by Andrew Dunlop.