We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
RSS FeedGovernance

EU to force organisations to report major security breaches

NIS Directive set to become law

Article comments

The EU is to legally compel companies in critical sectors such as banking, energy, transport, Internet services and the public sector to report serious security breaches for the first time as part of a major overhaul of cybersecurity policy.

Published as a Network and Information Security (NIS) directive proposal, policy makers use An Open, Safe and Secure Cyberspace to argue that the current voluntary regime has failed, opening the continent to huge risks for its infrastructure and economy.

Both the private sector and member states were failing to share information and some lacked the necessary investment to do so, leaving toothless EU bodies powerless to intervene.

“Private actors still lack effective incentives to provide reliable data on the existence or impact of NIS incidents, to embrace a risk management culture or to invest in security Solutions,” said the paper.

In addition, every member state would be required to set up a properly-funded Computer Emergency Readiness Team (CERT) and to undertake to share security threat data with other states in a co-ordinated way.

"The more people rely on the internet the more people rely on it to be secure. It's time to take coordinated action - the cost of not acting is much higher than the cost of acting," said EC vice president for the Digital Agenda, Neelie Kroes.

"Many EU countries are lacking the necessary tools to track down and fight online organised crime. All Member States should set up effective national cybercrime units that can benefit from the expertise and the support of the European Cybercrime Centre EC3," chimed EU Commissioner for Home Affairs, Cecilia Malmström.

The EU had plumped for legal enforcement across cybercrime security policies and disclosure because it believed it had no choice, they argued.

The proposed Directive and strategy received a generally positive reaction from third parties, particularly the potentially significant decision ot impose some basic standards across all 27 nation states.

“Cyber threats do not stop at national borders, and neither can efforts to protect our networks and systems. At Huawei, we believe an international approach in which all stakeholders take their fair share of responsibility is a prerequisite to tackling this global challenge,” agreed Leo Sun of Chinese telecoms equipment vendor, Huawei.

“The proposal is the start, not the end, of the democratic process within the EU, and it is definitely a step in the right direction,” said Symantec senior director of government affairs, Ilias Chantzos.”

Others cautioned that the problem couldn't be solved by drafting new laws as an end in itself.

“It is vital that any legislation around risk assessment and breach disclosure should focus on the market behaviours that will be created; legislation on its own does not solve the problem and if not implemented carefully may drive negative behaviours,” said BAE Systems Detica managing director, Martin Sutherland.

“We need to be careful that positive outcomes and information sharing about the cyber risk is the result, rather than honest disclosure being driven underground by fear of reputational damage,” he said.

As it stands, the proposals are still open to some interpretation, for instance which incidents large organisations will have to report. The document describes these as being any “having a significant impact on the security of core services.”

Major security incidents – database breaches or sudden loss or important services for instance - would need no definition but, interestingly, in the EU definition ‘major’ includes more basic problems such as “the unavailability of an online booking engine that prevents users from booking their hotels.”

Exactly when the proposed law will come into effect will depend on its adoption by the Council and European Parliament, after which member states will have a further 18 months to act.


Recommended Articles


EU to force organisations to report major security breaches

What’s going to kill your company?

What’s going to kill your company?

The role of the CFO and the board in strategic risk governancemore ..

Tesco’s new finance chief starts two months early amid accounting crisis

Marks and Spencer releases Alan Stewart early by to help deal with £250 million hole in Tesco’s accountsmore ..

Microsoft removes Bing image widget after Getty lawsuit

The company is being sued by Getty Images for copyright infringementmore ..

Apple loses bid for sales ban in Samsung patent case

Apple failed to show that it suffered enough harm as a result of Samsung's infringementmore ..

What makes a good board report?

Examining how CFOs can improve the way they report back to the boardmore ..

Examining the issue of corporate litigation funding

Litigation funding is a very useful tool for CFOs but not a panacea for all legal mattersmore ..

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

In Depth
Can finance rise to the challenge of major transformation?

Can finance rise to the challenge of major transformation?

Outdated finance processes, systems and competencies leave too many questions unanswered more ..

In Depth
Interim CFO or consultant? The pros and cons

Interim CFO or consultant? The pros and cons

Ed Harding offers an insight into the life of an interim CFO and the advantages in driving transformation more ..


* *