Extension of EU directive “Network Security and Infrastructure” to digital stakeholders?

Ever since the alarming proliferation of cybercrime, which equates to an estimated annual cost of more than $ 400 billion, and the recent spate of hacking cases around the world, cyber security has clearly evolved into a global issue. The European Union has therefore taken up the matter in 2013 with a view to proposing a directive to increase the level of cyber security in the Member States and to establish a comprehensive strategy in this regard. The Network and Information Security Directive (NIS) was approved on 13 March 2014 at the European Parliament, and is being discussed at the European Council. This draft directive focuses on entities with the highest risk, namely critical infrastructure operators, where an incident can have far-reaching consequences for public health, the economy and security. However, given the importance of digital industries in our societies, some Member States would be in favor of extending the scope of the Directive to the digital sector to ensure the stability of the European economy.

The aim of this draft directive, which is established on the principles of security of States and economic stability, is to reduce cybercrime. In fact, the Directive aims to establish cooperation between national authorities as regards potential threats to several Member States. Furthermore, the NIS contains a non-exhaustive list of critical infrastructure operators, including operators in the energy, banking, health, transport and financial services sectors. These critical infrastructure operators are subject to a series of security requirements such as incident reports. In France, the ANSSI already deals with the compliance of similar security obligations incumbent upon large banks and telecom operators, but not on private digital stakeholders yet.

The security requirements for critical infrastructure operators could apply to other stakeholders in the private digital industry. Specifically, it should be companies which often have the status of hosting providers, such as Google, Amazon, Microsoft, OVH, Dailymotion, which should be covered. However, during the debates, SMEs have not been formally rejected. In addition, only the most important services would be concerned, that is, those which decision would have a major economic impact. For example, whilst the Amazon cloud service would be concerned, its e-commerce site would not be. This is the subject of a heated debate, and for now, the Member States remain divided as to whether to include or not some digital industry players such as cloud providers, in this European legislation.

While the concerned companies consider these measures as being disproportionate, several Member States seem to favor the extension of said security obligations to private digital industry stakeholders. For example, the French Prime Minister, Manuel Valls and his German counterpart, Chancellor Angela Merkel, are agreeable to the extension. But all member States do not concur on this issue, and even less the affected companies. The latter consider that security obligations, if they must be complied with, could constitute a significant financial burden. In France, the French Association of Internet software and solutions vendors (AFDEL) urged not to extend the field of critical infrastructure operators provided for in the Directive, to “companies of the Information Society”. While supporting the project and its objective of strengthening cyber security in Europe, it asserts that this extension could damage the competitiveness of enterprises. Thus, for AFDEL, the qualification [of] “critical infrastructure” for all digital business is not justified and it would be disproportionate to impose additional administrative obligations.

Currently, the Directive has not yet reached the European Council for a first reading. Forthcoming developments are to be followed minutely and will involve all Internet stakeholders.