Pressure mounts in EU to treat Facebook and Twitter as critical infrastructure

The move would subject them to the rules on network protection and data breach notification as banks and energy networks.

Flags in front of the European Commission headquarters in Brussels on June 17, 2015

Flags in front of the European Commission headquarters in Brussels on June 17, 2015

Pressure is mounting in the European Union to subject companies including Google, Twitter, eBay and Facebook to the same critical IT infrastructure security requirements as banks or energy networks.

EU lawmakers want providers of essential services in industries including banking, health care, transport and energy to protect their networks from hackers, and to disclose data breaches to the authorities.

The European Commission, which proposed the draft Network and Information Security Directive two years ago, also wants it to cover enablers of key Internet services, such as e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services and app stores. The European Parliament, however, rejected their inclusion in the critical infrastructure rules last year.

On Wednesday ambassadors of the EU member states sided with the Commission and gave their go-ahead for the Council of the EU, the third body with a say in the shape of the law, to continue negotiations with the Commission and Parliament on Monday.

Treating social media and e-commerce companies as critical parts of the Internet infrastructure will impose additional costs on them for meeting the same stringent security rules as other essential services. At the same time, social media users stand to benefit because their personal data should be better protected, and they would receive quicker notification in the event their data were stolen.

One point open for debate is how to define which companies are critical infrastructure.

Internet companies want to play down their importance so as to avoid additional regulatory constraints on their businesses. The Computer and Communications Industry Association, representing Amazon.com, eBay, Facebook, Google and others, wants the rules to apply only to things such as nuclear power plants and transportation facilities.

Parliament removed these companies from its draft of the law in March 2014, as Members of the European Parliament had too many questions about how the rules would apply.

The Council of the EU, composed of representatives of the member states, wants these digital platforms to remain within the scope of the law, a Council official said Wednesday. However, it wants to subject Internet companies to a different -- as yet undefined -- set of rules than those governing banks and payment services.

Meanwhile, the Parliament still does not want to include Internet companies in the directive's scope, a Parliament official said.

Another source in the Parliament expected Monday's negotiations to focus on the definition of critical infrastructures and how to identify them, rather than on whether Internet companies should be included, an opinion echoed by the Council official, who predicts at least one more meeting will be needed.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Council of the European Unionsecurityeuropean commissiontwitterEuropean ParliamentFacebook

More about Amazon.comComputer and Communications Industry AssociationeBayEUEuropean CommissionEuropean ParliamentFacebookGoogleIDGNewsTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers, Peter Sayer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place