Click:forged wheels for sale

Negotiators strike deal on EU cybersecurity law

Companies in critical sectors will need to inform national authorities if their computer networks are breached.

The European Union struck a deal around midnight Monday on legislation that will force companies to disclose breaches and countries to cooperate on cybersecurity.

Under the network and information security (NIS) directive, companies in transportation, energy and other critical sectors will need to inform national authorities if their computer networks are breached. That information must then be shared across the 28 member countries.

Certain online companies, including Google and Amazon, must also report serious attacks on their systems to their local authorities.

The European Parliament had tried to remove this element from the legislation, but largely caved in the face of resistance from the Commission and Council. Under the final compromise, e-commerce services, search engines and cloud services fall under the scope of the directive, but social networks and payment service providers are excluded.

The main trade-off from Council’s side was the fact that countries will need to cooperate on cybersecurity. Some already do, on an informal basis, but this process will now be formalized and enhanced.

Cooperation is a sensitive issue because the EU does not have legal competence on national security issues, but member countries gave some ground on cybersecurity to get the deal done.

The final compromise allows “as much cooperation as is needed without forcing member states to give up too much of their turf concerning national security,” said a source in the Luxembourg presidency of the Council.

Andreas Schwab, a German member of the EPP bloc and Parliament’s rapporteur on the NIS directive, said the result provided “something that is light-touch and sensible,” that could serve as an example for further online platform regulation.

“Operators from the digital world are subject to a fully harmonized regime. European rules need to be applied the same everywhere,” he said.

Antanas Guoga, the shadow rapporteur for the liberal ALDE group, said the deal was “not perfect, for sure, but it’s done and we can move on.”

“Mandatory reporting is quite important — hopefully that gets implemented properly,” Guoga said.

Parliament is expected to approve the agreed text on December 17 and Council the following day.

Once the text has been cleaned up and officially published, most likely early next year, EU countries will have 21 months in which to transpose the directive into national law.

The NIS deal is a good omen for the Parliament and Council’s negotiations over the EU’s proposed data protection proposals. With the two sides now in agreement on cybersecurity and passenger name records, the momentum to get a deal on data protection by the Luxembourg presidency’s year-end deadline is growing, and the goal looks attainable.

Zoya Sheftalovich and Nicholas Hirst contributed to this article.

This story has been updated to add latest news developments.