A new EU cyber security law is poised to force internet companies such as Cisco, Google and Amazon to adopt tough security measures and possibly report serious breaches to national authorities.

The EU’s Network and Information Security Directive published two years ago, has been stuck in talks between member states and EU lawmakers because of quarrels over whether to include digital platforms such as search engines, social networks, e-commerce sites and cloud computing providers, along with operators of critical infrastructure (such as energy, transport, banking, stock exchange, healthcare).

Digital platforms affected

According to a document seen by Reuters, after months of negotiations, digital platforms will now fall under the law’s remit, albeit with less burdensome security obligations.

The document suggests adopting a lighter approach for digital service platforms, which typically do not have direct links to physical infrastructure such as, for example, power stations or a hospital.

If found meeting the EU law’s definition of a digital service platform, which has yet to be finalised, a company like Google would automatically be covered by this law to avoid the 28 member states taking different approaches.

Cloud computing providers

According to the document, a cloud computing provider or any other digital company supplying a service for an infrastructure operator would be subject to the same rules applying to that operator.

The EU law also specifies notification requirements for digital service platforms in cases of security breaches, although there is no agreement yet on whether these should be mandatory or voluntary.

No current pan-European cyber security law

In an earlier press release, Neelie Kroes, European Commission Vice-President for the Digital Agenda said: “The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It’s time to take co-ordinated action – the cost of not acting is much higher than the cost of acting.”

No pan-European cyber security law exists today, and only telecoms operators are subject to the incident-reporting requirements.

The document is asking member states to state their preferences at a meeting in September, after which drafting of a full legal text will commence.

Chris Gow, Senior Manager, Government Affairs at Cisco, commented: “We’re pleased to see digital service platforms subject to a different regime but we’re disappointed at the lack of recognition that it is the use of cloud that determines the security risk not the service itself.”

The European Commission – the EU executive – and a handful member states consider the widespread use of internet services and the number of businesses that rely on the web, means they should also be subject to security rules and reporting requirements.