Bloomberg reported Friday that any company covered by the proposed rules would be required to notify government agencies in the 28-nation bloc if a cyber attack impacted their core services. The European Commission wants search engines and social networks to be included in the new rules.
Nathalie Vandystadt, a spokeswoman for the EU’s executive arm, told Bloomberg that “Internet enablers” were included in the Commission’s proposal because “they have become entry points for several important aspects of the modern economy.”
“Cloud computing is also considered a key component of this category given the increasing reliance of large and small businesses on the services offered by cloud providers,” she said.
However, some EU lawmakers would prefer that the rules cover only companies with critical services, such as banks and utilities, and not search engines and social media.
Andrew Moir, a London-based cyber security lawyer at Herbert Smith Freehills, agreed, telling Bloomberg that extending the scope of the rules too far would dilute the original purpose.
“I would be far more concerned should there be a major cyber attack that the lights stayed on, rather than whether or not I could update my status on Facebook,” Moir told Bloomberg.
EU lawmakers are working to ensure that the new rules “will not harm innovation, growth and security,” Liga Rozentale, a representative of Latvia, which holds the EU’s rotating presidency, said.