Governments Divide Over Whether Cybersecurity Approach Should be Mandatory or Voluntary
European Commission-proposed legislation to boost European network and information security won general backing from telecom ministers Thursday, but they split over whether the approach should take the form of regulation, self-regulation or a mix. All EU members accept the importance of network and information security and that cyberattacks seriously affect national economies, the EU Irish Presidency said at the Telecommunications, Transport and Energy Council meeting in Brussels. There’s also widespread support for finding a global solution that stresses high standards to create a level playing field for European operators, it said. Whatever governments decide, they must move fast, said Digital Agenda Commissioner Neelie Kroes.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The draft directive on network and information security (http://bit.ly/123IEH0) includes calls for governments to meet some minimum standardized requirements like setting up computer emergency response teams and reporting incidents with a significant impact on core services and the supply of goods on network and information systems. The privacy, network security and high-technology sectors have criticized some of the provisions (CD Feb 8 p11). Telecom ministers are now vetting the legislation.
The U.K. said it strongly supports the principles of the EC approach to increasing the cyber capabilities of EU members. But the U.K. is concerned that mandatory breach reporting will lead to a “culture of compliance,” rather than a more fundamental understanding of cybersecurity, it said. Requiring information-sharing on cyberincidents could prevent administrations from acting as fast as possible, it said. Rules won’t give governments the flexibility they need to deal with this ever-changing landscape, said the U.K.
Other countries also rejected the idea of regulation. Legislating in this area could remove the sense of responsibility for security from network operators and shift it to governments, Sweden said. Countries need high standards for network and information security, but a law may not be the best way to go or be workable, said Slovenia. It’s not right to adopt a directive at this point, said Germany, which criticized the level of detail in the proposal and called for an impact assessment.
Many governments said they favor a mixture of self-regulation and legislation. There should be voluntary initiatives to secure networks and information, but those should go hand in hand with legislation governing public authorities and critical infrastructure, said Poland. A voluntary approach isn’t enough to guard against incidents and risks, said Slovakia. Countries without good protection weaken the ability of all EU members to respond, it said. The EU should legislate minimum standards, it said.
Estonia, which suffered a massive cyberattack several years ago, said minimum requirements across Europe will guarantee a cohesive level of network and information security. Estonia’s experience shows that regulation is needed except for market players, it said. The directive should apply only to providers of critical services identified through a risk assessment process, it said. The Netherlands wants self-regulation where possible and regulation where necessary, it said.
France backed a combined approach, with EU legislation limited to the essential areas of strengthening national laws and critical infrastructure. It nixed the idea of binding requirements for incident reporting. Some of the EC provisions are prescriptive and risk making Europe into a fortress that drives away business, said Luxembourg. Italy said it wants as harmonized a regulation as possible to avoid a security divide akin to the digital divide. Bulgaria worried that countries don’t have the financial resources to put the measures in place quickly. But Lithuania said it’s high time for this paradigm shift in network security.
Whichever approach is adopted, it must be flexible, given the evolving nature of the threats, the Presidency said. Many governments want legislation in the areas of critical infrastructure and services, while others believe the threat is so serious that only legislation can guarantee a standardized European approach, it said. There’s agreement that cybersecurity needs a global solution, and that high standards will create a level playing field for European operators, it said.
The EU can’t afford to put its digital economy on the line, Kroes said. “We need to move fast.” The proposal is “very flexible,” but there must be a minimum level of capabilities and cooperation that can’t be optional, she said. Europe needs minimum harmonization to avoid the weak links, with standard-setting left up to national administrations, she said. It’s about creating a culture of risk management and information flows, she said. The Irish Presidency’s term ends June 30, with debate continuing into Lithuania’s presidency.