EU to force organisations to report major security breaches

NIS Directive set to become law

The EU is to legally compel companies in critical sectors such as banking, energy, transport, Internet services and the public sector to report serious security breaches for the first time as part of a major overhaul of cybersecurity policy.

In the policy paper An Open, Safe and Secure Cyberspace, published alongside the proposed Network and Information Security (NIS) directive, policy makers argue that the current voluntary regime has failed, opening the continent to huge risks for its infrastructure and economy.

Both the private sector and member states were failing to share information and some lacked the necessary investment to do so, leaving toothless EU bodies powerless to intervene.

"Private actors still lack effective incentives to provide reliable data on the existence or impact of NIS incidents, to embrace a risk management culture or to invest in security solutions," said the paper.

In addition, every member state would be required to set up a properly-funded Computer Emergency Readiness Team (CERT) and to undertake to share security threat data with other states in a co-ordinated way.

"The more people rely on the internet the more people rely on it to be secure. It's time to take coordinated action - the cost of not acting is much higher than the cost of acting," said EC vice president for the Digital Agenda, Neelie Kroes.

"Many EU countries are lacking the necessary tools to track down and fight online organised crime. All Member States should set up effective national cybercrime units that can benefit from the expertise and the support of the European Cybercrime Centre EC3," chimed EU Commissioner for Home Affairs, Cecilia Malmström.

The EU had plumped for legal enforcement across cybercrime security policies and disclosure because it believed it had no choice, they argued.

The proposed Directive and strategy received a generally positive reaction from third parties, particularly the potentially significant decision to impose some basic standards across all 27 nation states.

"Cyber threats do not stop at national borders, and neither can efforts to protect our networks and systems. At Huawei, we believe an international approach in which all stakeholders take their fair share of responsibility is a prerequisite to tackling this global challenge," agreed Leo Sun of Chinese telecoms equipment vendor, Huawei.

"The proposal is the start, not the end, of the democratic process within the EU, and it is definitely a step in the right direction," said Symantec senior director of government affairs, Ilias Chantzos.

Others cautioned that the problem couldn't be solved by drafting new laws as an end in itself.

"It is vital that any legislation around risk assessment and breach disclosure should focus on the market behaviours that will be created; legislation on its own does not solve the problem and if not implemented carefully may drive negative behaviours," said BAE Systems Detica managing director, Martin Sutherland.

"We need to be careful that positive outcomes and information sharing about the cyber risk is the result, rather than honest disclosure being driven underground by fear of reputational damage," he said.

As it stands, the proposals are still open to some interpretation, for instance which incidents large organisations will have to report. The document describes these as being any "having a significant impact on the security of core services."

Major security incidents - database breaches or the sudden loss of important services, for instance - would need no definition but, interestingly, in the EU definition 'major' also includes more basic problems such as "the unavailability of an online booking engine that prevents users from booking their hotels."

Exactly when the proposed law will come into effect will depend on its adoption by the Council and European Parliament, after which member states will have a further 18 months to act.

A more detailed Q&A can be found here.

Stories by John E Dunn