By John Higgins, Director General of DIGITALEUROPE

The 28 member states of the European Union run the risk of undermining a new cybersecurity law that will play a central role in protecting Europe’s critical infrastructures from cyber attacks.

Earlier this year, the European Parliament narrowed the scope of the proposed Network and Information Security (NIS) directive to focus more specifically on critical infrastructure – including banking, energy and transport networks. The Parliament’s version passed with overwhelming support.

However, as the three institutions – the European Parliament, Commission and Council – begin final stage negotiations on the wording of the directive, a growing number of Member States are pushing for the inclusion of so­‐called “over the top” services like cloud computing, application stores, search engines and social networks within the scope of the law.

Inclusion of these broader “information society services” would not only threaten the innovative capacity of this sector in Europe by creating a burdensome regulatory regime with no corresponding security benefit, it would also heighten the workload for often struggling regulatory agencies, and it would expose citizens’ personal data to unnecessary risk.

Incident data should be reported by the critical infrastructures themselves, as only they have a 360­‐degree view of the incident. They in turn pass on their reporting obligations to their technology vendors through contractual obligations. This is what the industry advocates and is a proportionate way of protecting critical infrastructures.

Widening the scope of the directive to cover web­‐based services would mean that technology vendors would be obliged to pass customer data, including personal information, to regulatory agencies without any guarantees of what would happen with this data, or how it would be shared between national authorities in other EU Member States.

Many EU member states have limited capability to handle incident reporting within their government departments and agencies. It’s going to be challenging and costly for them to acquire enough capability to develop and maintain robust reporting systems just to cover critical infrastructures, let alone internet enablers and over the top services providers.

Calls for a broader scope of the NIS directive therefore risk undermining the law’s ability to protect what really needs to be protected. There are not enough IT-­security experts in the world today to protect everything that is connected to the Internet equally. While defenses have improved, attackers have also become much more sophisticated. In this constant race where cyber defence tries to keep up with cyber offense, prioritization is key.

Those who call for this law to “protect everything” will end up less secure than the starting point today. And Europe will have missed a unique opportunity to prepare itself for cyber attacks against truly critical infrastructures which could lead to catastrophic impacts on public safety, national security and the broader economy.