The European Commission's draft directive on the security of networks and information systems, presented on 7 February in the framework of its EU cyber security strategy, has received a lukewarm welcome. Broadly speaking, the text forces operators of critical infrastructures and key internet businesses to adopt risk management practices and notify "significant" incidents to the national authorities that have jurisdiction - as established by the member states. These obligations are already in place for the telecoms industry.

"DigitalEurope believes in a coordinated approach to cyber security and welcomes various initiatives under the cyber security strategy [...] However, we see room for improvement in the strategy," in particular when it comes to the draft directive. DigitalEurope voiced concerns over the Commission's approach, which consists in imposing "unidirectional reporting obligations and requirements" at the expense of genuine cooperation between member states and the industry. DigitalEurope is of the view that this would "undermine the benefits that companies gain from bi-directional exchange, which allows for the understanding of new threats and improves incident response". Most importantly, DigitalEurope believes that the proposed requirements should only be targeted at critical infrastructures, given that incidents that happen on these infrastructures can have a very strong impact on the economy. On this basis, DigitalEurope questions the inclusion of enablers of internet...
