European Parliament
The European Parliament in Brussels, Belgium Photograph by Buena Vista Images/Getty Images

How a proposed European Union cybersecurity law could impact tech companies

Aug 06, 2015

It’s not just China and Russia that are trying to figure out how to deal with big, foreign web companies and Internet service providers doing business in their countries.

An upcoming cybersecurity law brought on by the European Union could see tech giants like Google (goog) , Cisco (csco) , and Amazon (amzn) having to comply with strict security requirements, including having to report data breaches to governments that are part of the EU, according to a Reuters report on Thursday.

Under the terms of the Network and Information Security Directive—which was originally proposed by the executive body of the EU in 2013 to counter security threats—cloud computing providers, search companies, and even social networks could be held under the same security requirements as companies operating in industries that the EU deems critical to protect. These could include the energy, transportation, and finance industries.

Apparently, EU members debated whether to lump web companies with companies operating in critical sectors, and ultimately decided to do so with the difference being that web companies would face “less onerous security obligations,” although it’s unclear what those obligations are, the report states.

Reuters reports that under the terms of the law, if a cloud computing provider or other Internet service provider does business with a company operating in a critical sector, the web companies would essentially be subject to the same security rules as their clients.

"We’re pleased to see digital service platforms subject to a different regime but we’re disappointed at the lack of recognition that it is the use of cloud that determines the security risk not the service itself," Cisco senior manager of government affairs Chris Gow told Reuters.

The Reuters report notes that the details of the law are still subject to change, and countries in the EU will meet in September to discuss before the “drafting of a full legal text will start.”

The EU directive comes at a time when countries like Russia and China have created their own cybersecurity laws that could potentially impact the way foreign web companies conduct business outside of their home turf.

An upcoming Russia security law basically calls for foreign companies to set up data centers in Russia if they want to do business in Russia in which Russian data is being used. Google reportedly moved some of its servers into the data centers of Russian telecom Rostelecom to comply with the law.

China’s draft cybersecurity law also echoes Russia’s security law with foreign companies having to store Chinese data within China, although special exemptions could mean that it’s a case-by-case situation depending on the company involved.

Web companies and Internet service providers operating in China will also face stiffer security requirements, such as aiding the Chinese government with criminal or national security investigations. They may even have to let authorities annually audit them to determine if there are security risks the Chinese government would like to know about.

Subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.

For more on cyber security, check out the following Fortune video:

All products and services featured are based solely on editorial selection. FORTUNE may receive compensation for some links to products and services on this website.

Quotes delayed at least 15 minutes. Market data provided by Interactive Data. ETF and Mutual Fund data provided by Morningstar, Inc. Dow Jones Terms & Conditions: http://www.djindexes.com/mdsidx/html/tandc/indexestandcs.html. S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions