Tech associations raise concerns with EU's proposed cybersecurity rules

A table at the bottom of the memo says AT&T, Amazon, Google, PayPal, Dropbox, eBay, Skype, Instagram, YouTube, Spotify and Apple's iCloud storage service are examples of companies that would fall under the reporting requirement in the proposed cybersecurity directive.
But U.S. tech trade associations argue that the proposed rules are too sweeping and would not have the desired effect of boosting cybersecurity in Europe. They argue that Internet companies and cloud storage services are not critical infrastructure and should not be subject to the proposed rules.

"We believe that to be manageable, useful and proportionate, the requirements should be narrowly targeted at sectors which operate truly critical infrastructures," said Christian Wagner, security and privacy policy manager of TechAmerica's Europe arm, in a statement.

"We are concerned that the sweeping and indiscriminate inclusion of 'enablers of Internet-services' in the scope of the directive would fail to strike the delicate, but indispensable, balance between the risk-based prioritization of assets and functions to be protected," Wagner added.

Tech trade groups also fear that another section in the EU cyber directive would force companies to meet a set of performance standards, arguing that it's too prescriptive. The EU directive says member countries will ensure market operators "take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations."

Mark MacCarthy, vice president of public policy at the Software and Information Industry Association (SIIA), argued that new performance standards would likely lead to technical mandates and rigid regulations, which would "prevent the very kind of innovation [companies] need to respond to the ever-changing threats."

"That's the biggest worry, that [the framework] won't meet the challenges we recognize are all there," he said.

If enacted, that section would also make tech companies follow a different set of cybersecurity standards from one region to another, MacCarthy argued.

"Cybersecurity is a global problem and the solution should be global," he said.

In a statement, TechAmerica's Wagner said "security ultimately cannot be achieved by measures which would hinder industries’ ability to innovate and respond by raising new market barriers at the borders or within the EU single market."

MacCarthy argued that the scope of the EU's proposed cyber rules is also troublesome. SIIA counts Google, IBM and Cisco as members, which would be subject to the new directive.

"When we've been talking about cyber proposals [in the U.S.], they usually try to define critical infrastructure narrowly," he said.

For example, proposed cybersecurity legislation and policy in the U.S. would only apply to companies that operate critical infrastructure, such as the electric grid, water plants and financial networks. They are defined as entities where an outage caused by a cyberattack would lead to loss of life or a grave national security and economic risk.

MacCarthy said the proposal "may reopen the debate" about which companies will be covered under cybersecurity rules in the U.S.

"That's one reason why we'd want to persuade the EU regulators that a more narrow approach is desirable," he said.

IBM echoed the same message in a company statement.

"Cyber security attacks on vital network infrastructures pose a growing threat in Europe and around the world. ... We urge EU national governments and the European Parliament to make needed changes to the proposed directive to ensure that it fosters improved information sharing between governments and industry; focuses on the highly critical networks such as power grids, financial and transportation systems; and allows for continued investment in private-sector R&D," IBM said.

In its memo, the European Commission argues that citizens, governments, private companies and activists heavily rely on Internet services in their day-to-day lives. In addition to Internet companies, energy, transportation, banking, stock exchange and healthcare entities would be required to report significant cyber incidents under the proposed rules.

Hardware manufacturers and software developers would be exempt from the reporting obligations.

According to the memo, "only incidents having a significant impact on the security of core services provided by market operators and public administrations will have to be reported to the competent national authority." For example, cloud storage services and travel sites would need to report an outage.

An earlier version of this story misstated the reporting authority. This has been corrected at 7:15 p.m.