Member States Reportedly Unconvinced On Need for EU Cybersecurity Directive

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner  


BRUSSELS--European Union member state ministers in charge of telecommunications infrastructure will be asked when they meet June 6 if they back a proposed EU cybersecurity law, or if its goals can be achieved through a voluntary approach, according to an EU Council progress report prepared for the meeting.

The European Commission, the European Union’s executive arm, published a draft network and information security directive (NIS Directive) Feb. 7, saying that about 42,000 companies in sectors considered vulnerable to cyber-attacks should have enhanced cybersecurity obligations (12 PVLR 225, 2/11/13).

The draft NIS Directive would require large companies in sectors such as energy, financial services, and transportation to adopt risk management practices and report major security incidents on their core services, though the Commission’s proposal said that definitions of terms such as “risk management practices” and “major security incidents” would be left to a later date.

Telecommunications companies and internet service providers that provide services on public networks already have an obligation to notify competent national authorities of data breaches, under the EU e-Privacy Directive (8 PVLR 1721, 12/7/09).

Mandate Approach Questioned

The EU Council progress report, dated May 28, said that in preliminary discussions between EU member state representatives, some countries “requested further justification from the Commission why a legislative, rather than a voluntary approach, would be the preferred option to tackle the uneven level of security capabilities across the EU and the insufficient sharing of information on incidents, risks, and threats.”

The progress report added that “other parts of the world, such as the USA, appear to opt for a more voluntary and flexible approach with regard to cybersecurity standards,” and mandatory EU standards “might create inconsistencies for companies whose operations span several jurisdictions, as is usually the case with many online services.”

“Most” countries had also “raised the issue of the perceived significant costs involved in the implementation of the Directive,” the progress report added.

Call to Improve Impact Assessment

In addition, the progress report said that countries wanted the Commission to improve its impact assessment on the proposed NIS Directive and had questioned which sectors and institutions should be included within its scope.

The progress report said that EU member states had not finalized their opinions on another proposal contained in the draft directive, the requirement for all countries to adopt network and information security strategies and to share information on threats at the EU level.

The EU Council is the institution that represents the governments of EU member states, and which is responsible for formulating the agreed positions of EU governments in negotiations with the European Parliament on new legislation.

Telecommunications ministers meeting June 6 will debate the issues raised in the progress report but will not take any formal decisions on the NIS Directive.

The government of the United Kingdom May 22 opened a consultation seeking public comment on the NIS Directive (see related report).

The EU Council progress report on the proposed NIS Directive is available at

Request Bloomberg Law: Privacy & Data Security