Proposed EU Cyber Security Law Would Firm Up Breach Notification Rules
Large Internet companies would be required to notify a national agency about serious incidents
Thu, February 07, 2013
IDG News Service (Brussels Bureau) — New rules on cyber security across the European Union were presented on Thursday after weeks of speculation and leaked drafts.
The main part of the European Commission's Cyber Security Strategy is a proposed Directive on Network and Information Security. If approved by the European Parliament and member states, this would become E.U. law.
Previous voluntary efforts have fallen short, "leaving many gaps in our overall cybersecurity" according to a Commission document. Currently only telecom companies are required to report significant security incidents. The new Directive would extend that to major Internet companies such as large cloud providers, social networks, e-commerce platforms and search engines, the banking sector and critical infrastructure services including energy, transport and health as well as public administrations.
All these organizations would have to report any security breach that has "a significant impact on the security of core services" to a national authority. This authority "may require that the public be informed", but a public announcement will not be mandatory.
"At the end of the day openness and transparency about your experience is going to result in a better environment for all," said Digital Agenda Commissioner Neelie Kroes.
She hit out at business managers who deny cyber attacks are happening because they are worried about reputation. Secrecy is not the way forward, she said. Statistics show that in 2012, 93 percent of large corporations experienced a cyber attack. "It is near-by normal," said the Commissioner, so there is no reason for secrecy.