The EU is to legally compel companies in critical sectors such as banking, energy, transport, Internet services and the public sector to report serious security breaches for the first time as part of a major overhaul of cybersecurity policy.
In the Network and Information Security (NIS) directive proposal and the strategy document published alongside it, An Open, Safe and Secure Cyberspace, policy makers argue that the current voluntary regime has failed, opening the continent to huge risks for its infrastructure and economy.
Both the private sector and member states were failing to share information and some lacked the necessary investment to do so, leaving toothless EU bodies powerless to intervene.
“Private actors still lack effective incentives to provide reliable data on the existence or impact of NIS incidents, to embrace a risk management culture or to invest in security solutions,” said the paper.
In addition, every member state would be required to set up a properly funded Computer Emergency Readiness Team (CERT) and to undertake to share security threat data with other states in a co-ordinated way.
“The more people rely on the internet the more people rely on it to be secure. It's time to take coordinated action - the cost of not acting is much higher than the cost of acting,” said EC vice president for the Digital Agenda, Neelie Kroes.
“Many EU countries are lacking the necessary tools to track down and fight online organised crime. All Member States should set up effective national cybercrime units that can benefit from the expertise and the support of the European Cybercrime Centre EC3,” chimed in EU Commissioner for Home Affairs, Cecilia Malmström.
The EU had plumped for legal enforcement across cybercrime security policies and disclosure because it believed it had no choice, they argued.
The proposed Directive and strategy received a generally positive reaction from third parties, particularly the potentially significant decision to impose some basic standards across all 27 member states.
“Cyber threats do not stop at national borders, and neither can efforts to protect our networks and systems. At Huawei, we believe an international approach in which all stakeholders take their fair share of responsibility is a prerequisite to tackling this global challenge,” agreed Leo Sun of Chinese telecoms equipment vendor, Huawei.
“The proposal is the start, not the end, of the democratic process within the EU, and it is definitely a step in the right direction,” said Symantec senior director of government affairs, Ilias Chantzos.
Others cautioned that the problem couldn't be solved by drafting new laws as an end in itself.
“It is vital that any legislation around risk assessment and breach disclosure should focus on the market behaviours that will be created; legislation on its own does not solve the problem and if not implemented carefully may drive negative behaviours,” said BAE Systems Detica managing director, Martin Sutherland.
“We need to be careful that positive outcomes and information sharing about the cyber risk is the result, rather than honest disclosure being driven underground by fear of reputational damage,” he said.
As it stands, the proposals are still open to some interpretation, for instance which incidents large organisations will have to report. The document describes these as being any “having a significant impact on the security of core services.”
Major security incidents (database breaches or the sudden loss of important services, for instance) would need no definition but, interestingly, in the EU definition ‘major’ includes more basic problems such as “the unavailability of an online booking engine that prevents users from booking their hotels.”
Exactly when the proposed law will come into effect will depend on its adoption by the Council and European Parliament, after which member states will have a further 18 months to act.