The Network and Information Security Directive is being hammered out by member states and EU lawmakers. The sticking point is disagreement over whether to include digital platforms such as search engines, social networks, e-commerce sites and cloud computing providers.
Members of the European Parliament want the law to only cover sectors they consider critical, such as energy, transport and finance.
But after months of negotiations, digital platforms will fall under the law’s remit.
Any firm meeting the law’s definition of a digital service platform — which is still under discussion — would automatically be covered to avoid member states taking different approaches and causing fragmentation across the 28-nation EU.
A cloud computing provider or any other digital firm providing a service for an infrastructure operator would be subject to the same rules applying to that operator, according to the document, which could still change in discussions after the summer.
Internet firms will also be subject to notification requirements in cases of security breaches, although there is no agreement yet on whether these should be compulsory or voluntary.
The paper asks member states to express their preferences at a meeting in September, after which drafting of a full legal text will start.
US firms are furious that the EU thinks the laws would apply to them; after all, that is what they had that revolution about.
Chris Gow, Senior Manager, Government Affairs at Cisco, said that he was disappointed at the lack of recognition that it is the use of cloud that decides the security risk and not the service itself.
Currently there is no pan-European cybersecurity law, and only telecoms operators are subject to incident reporting requirements.