Internet firms Google, Cisco push to be left out of EU cybersecurity law

Internet companies like Cisco and Google are seeking to be excluded from a new EU cybersecurity law that would force them to adopt tough security measures and report serious security breaches to national authorities. The so-called Network and Information Security directive is due to be finalised in talks between the European Parliament, the European Commission and member states over the coming weeks. EU lawmakers want the law to cover only sectors that they consider critical, such as energy, transport and finance. But the Commission - the EU executive - and some countries, such as Germany and France, are pushing to include cloud providers, social networks, search engines and e-commerce platforms because of their widespread use by people and businesses.

Internet companies are firmly opposed to such a move, which would incur extra compliance costs. "Online services such as e-commerce sites, search and social networks are useful but not critical. This legislation should focus on truly critical infrastructure only," said James Waterworth, vice-president for Europe of the Computer and Communications Industry Association, a lobbying group which includes Facebook, Microsoft and Google. Such firms agree with lawmakers who say their inclusion would lead to duplicate incident reporting - for example when a bank using a cloud-computing provider suffers a security breach. "We are implicated anyway with critical sectors as customers," said Chris Gow, senior manager of government affairs at network equipment maker Cisco.

Currently there is no pan-European law and only telecoms operators are subject to the incident-reporting requirements. The European Parliament also wants all companies within a sector to fall under the new law's scope - but member states want the flexibility to pick and choose within sectors. Internet companies are concerned that if member states have their way, this would result in a fragmentation of security standards across the bloc. "If cybersecurity rules are different in each European country ... it would fragment the digital single market," Waterworth said.