The European Union has released its proposals for cybersecurity and network and information security, and they have some U.S. companies with European tech arms a little worried.
Billed as "An Open, Safe and Secure Cyberspace,"
the directives are meant to be a "comprehensive vision on how best to
prevent and respond to cyber disruptions and attacks."
The network security portion would require that EU member states:
"[A]dopt a Network and Information Security [NIS] strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents";
"[Create] a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organize regular peer reviews"; and that
"Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core
The U.S. government has yet to reach agreement on information security standards: Democrats are pushing for voluntary best practices, while most Republicans argue that such practices are better left to individual companies, saying voluntary guidelines would eventually morph into mandates that could impede swift reaction to cyber threats.
TechAmerica Europe, whose members include Dell and Apple,
had some problems with the scope of the EU recommendations, particularly with
the broad category of affected online players outlined in part three above.
"While we applaud the Commission's effort to seek to
comprehensively address all three pillars of cybersecurity, i.e. people,
process and technology, we are concerned about the overly broad scope of the
draft network and information security (NIS) directive," the group said in
a statement. "The directive extends from developing competent authorities,
cooperation networks and secure information exchanges to incident reporting
obligations and audits for a broad set of market operators including an
indefinite range of providers of Internet services, which is not only broad but
is also unclear about the positive outcomes and benefits which it seeks to
deliver to the EU and its member states.
"We believe that to be manageable, useful and
proportionate, the requirements should be narrowly targeted at sectors which
operate truly critical infrastructures. We are concerned that the sweeping and
indiscriminate inclusion of 'enablers of Internet-services' in the scope of the
directive would fail to strike the delicate, but indispensable, balance between
the risk-based prioritization of assets and functions to be protected and the
strong interdependencies in cyberspace across sectors and across borders."
Add the Software & Information Industry Association (SIIA) to those saying the EU proposals go too far.
"We are concerned about the scope of the Commission's regulatory approach," the association said in a statement. "It is overly broad, too prescriptive and threatens to suppress the very innovation that will help businesses, governments and citizens anticipate and address changing cybersecurity threats.
"The proposal's cybersecurity performance requirements will likely lead to technical mandates and rigid regulatory standards and reporting obligations. Its scope goes well beyond critical infrastructure, where the harms from cyber-attacks are the greatest. In doing so, it threatens to engulf a broad range of other industries, thereby wasting scarce security resources on areas where the dangers are not urgent."
SIIA members include Google and Bloomberg.