EU breach notification law could cover social networks

Major Internet firms are arguing they should not be subject to a looming European Union cybersecurity breach notification law, Reuters reported.

The European Parliament and European Commission are expected to finalize what’s called the Network and Information Security directive in the coming weeks.


The two sides have not yet settled who the directive will cover, according to Reuters.

EU lawmakers think it should apply to critical infrastructure sectors, like energy, transportation and finance. But the commission and several EU countries believe it should be more expansive, covering cloud computing companies, e-commerce firms, search engines and social networks.

The Computer and Communications Industry Association (CCIA) — a tech lobbying group which includes Facebook, Microsoft and Google — has pushed back against Internet company inclusion.

“Online services such as e-commerce sites, search and social networks are useful but not critical,” CCIA Vice President for Europe James Waterworth told Reuters. “This legislation should focus on truly critical infrastructure only.”

The U.S. has made attempts to standardize its breach notification requirements, but no single bill has come close to passage.

Existing federal breach notification requirements are limited to specific sectors, such as finance and healthcare.