05.08.2015

European Information Security: eco Warns Against Inclusion of All Web Services

  • Europe-wide harmonization in the areas of critical infrastructure is welcome
  • Avoid fragmentation and differences in implementation
  • Scope should concentrate on actual critical infrastructure

The legislative process for a European Directive for Network and Information Security (NIS Directive) is soon to be concluded. With this legislation, the European Commission wants to improve the cooperation of Member States and thereby increase the resilience and defensive readiness of the EU against cyber attacks. The directive is expected to be concluded by the end of 2015 at the latest. In a newly published position paper, eco – Association of the German Internet Industry welcomes in principle the endeavor for a Europe-wide harmonization of legal obligations for IT security, but still sees several unresolved problems. The association warns in particular against the inclusion of all web services, from the small web shop to the large social media service, in the scope of the directive. Such a generalized inclusion would not make sense, as not all services are considered critical infrastructure and small companies in particular would be unnecessarily burdened. eco advocates instead for a precise and concrete definition of the scope and a differentiated risk-based approach, as has recently also been applied in the German IT Security Act.

Avoid fragmentation and differences in implementation

The primary objective must be to achieve a strong Europe-wide harmonization of the obligations and requirements for operators of critical infrastructure. The directive should determine precise criteria and should not allow the Member States too much leeway for their own regulatory formulations. Only in this way can the legislator avoid fragmentation and an adverse impact on the digital single market in Europe.

Scope should concentrate on actual critical infrastructure

eco also calls for the scope of the directive to be concentrated on actual critical infrastructure. In particular, areas in which requirements for IT security are completely lacking should be brought into line with already regulated areas.

The complete eco position paper on the European NIS Directive is available online here.