A fourth trilogue meeting to agree the Network and Information Security Directive (NISD) took place yesterday, 29 June. The Council’s Latvian Presidency, whose term ends today, published this release heralding the “breakthrough” in talks with the European Parliament to finalise the law.
However, this is an “understanding on the main principles” of the Directive, rather than an agreement on the final text.
The most controversial aspect of the proposal – namely the extent to which online platforms should be subject to the new requirements on breach reporting – does not appear to have been fully resolved. The press release states that: “It was agreed that digital service platforms would be treated in a different manner from essential services. The details will be discussed at a technical level.” It is unclear at this stage just how differently, and what this might mean in practice. The UK is one of the Member States which has resisted the proposal to make online services subject to the same level of cyber breach notification obligations which will apply to more conventional essential services, such as energy and transport.
As readers of Datonomy’s weekly cyber updates will be aware, this is the issue which has held up negotiations and is one of the reasons that successive target dates for adoption have come and gone. So, while the broad principles of the new regime may have been agreed, there still appears to be some way to go on the detail. Luxembourg takes over the Council Presidency tomorrow, 1 July and will be under pressure to finish the job, after EU Member States called for “rapid adoption” of the Directive in last week’s Council meeting.
At the time of writing, there is little information in the public domain about the detail of the compromise reached yesterday. The Council’s Telecoms Working Party is due to be debriefed on the latest negotiations when it meets this Thursday. Datonomy will continue to monitor developments in Brussels as the talks continue.