EU lawmakers want providers of essential services in industries including banking, health care, transport and energy to protect their networks from hackers, and to disclose data breaches to the authorities.
The European Commission, which proposed the draft Network and Information Security Directive two years ago, also wants it to cover enablers of key Internet services, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services and app stores. The European Parliament, however, rejected their inclusion in the critical infrastructure rules last year.
On Wednesday ambassadors of the EU member states sided with the Commission and gave their go-ahead for the Council of the EU, the third body with a say in the shape of the law, to continue negotiations with the Commission and Parliament on Monday.
Treating social media and e-commerce companies as critical parts of the Internet infrastructure will impose additional costs on them for meeting the same stringent security rules as other essential services. At the same time, social media users stand to benefit because their personal data should be better protected, and they would receive quicker notification in the event their data were stolen.
One point open for debate is how to define which companies are critical infrastructure.
Internet companies want to play down their importance so as to avoid additional regulatory constraints on their businesses. The Computer and Communications Industry Association, representing Amazon.com, eBay, Facebook, Google and others, wants the rules to apply only to things such as nuclear power plants and transportation facilities.
Parliament removed these companies from its draft of the law in March 2014, as Members of the European Parliament had too many questions about how the rules would apply.
The Council of the EU, composed of representatives of the member states, wants these digital platforms to remain within the scope of the law, a Council official said Wednesday. However, it wants to subject Internet companies to a different -- as yet undefined -- set of rules than those governing banks and payment services.
Meanwhile, the Parliament still does not want to include Internet companies in the directive's scope, a Parliament official said.
Another source in the Parliament expected Monday's negotiations to focus on the definition of critical infrastructures and how to identify them, rather than on whether Internet companies should be included, an opinion echoed by the Council official, who predicted at least one more meeting will be needed.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service.