Insightful &
Helpful Articles

Here is what we're working on and
thinking at Hedgehog security.

The new proposed EU (European Union) cybersecurity law will see internet giants like Google, Cisco and Amazon contending with strict security requirements. According to a document seen by Reuters, the directive will force the companies to implement hardcore security measures and more than likely have them report major breaches to respective national authorities. The Reuter's report said these "digital service providers" will more than likely fit within the rules outlined by the Network and Information Security Directive, similar to the financial and energy sector that is currently being drawn up by European politicians. Arguments between EU Lawmakers and Member States continue.

Talks between EU lawmakers and member states in the Network and Information Security Directive have been stuck, a result of disagreements regarding whether or not to include digital platforms like e-commerce websites, social networks, search engines and cloud computing providers. The members of the European Parliament prefer that the law just include sectors they feel are critical, which include finance, transport and energy. However, following months of discussions, digital platforms will now be counted under the new law. That being said, based on the Reuter's document, less burdensome security requirements will come into play although it didn't provide details regarding the obligations.

According to the Reuter's document, cloud computing providers, along with virtually any digital firm that provides a service for an infrastructure proprietor, will more than likely be subjected to the same rules applied to that operator. While the internet companies may be subject to notification prerequisites in instances of security breaches, no agreement has been reached yet with regards to whether or not the notifications will be voluntary or mandatory.

The Luxembourg paper, holding the revolving EU presidency, recommends implementing a lighter approach for digital service sites, which usually don't have direct links to physical infrastructures including, as an example, nuclear power companies. Firms that meet the proposed EU Cyber-Security law's definition of "digital services" would be covered immediately in order to avoid member states using different approaches, triggering fragmentation throughout the EU?s 28 states.

Companies that fall under the "digital sphere" are opposed to being included under the law's scope. Cisco?s Chris Gow, Government Affairs Senior manager has stated that while the company is pleased that digital service platforms are subject to a different system, they're dissatisfied with the lack of acknowledgement that it's using "cloud", which ascertains the security risks, not the actual service and there seems to be a clear distinction.

The European Commission and a number of the member states believe that, due to the wide-ranging use of Internet services and the volume of businesses that depend upon the web, it's important that they also should be subject to the proposed security rules and breach reporting requirements. At this time, there isn't a pan-European cyber-security law in place. Presently, telecoms operators are the only ones subject to any incident reporting requirements.

The European Union directive comes at a time when countries that include Russia and China have developed their own cyber-security laws that could potentially impact the way international internet companies conduct business beyond their countries.

The European member states are expected to convey their preferences at the September meeting, after which the penning of a full legal writing will begin.