We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
RSS FeedGovernance

EU to force organisations to report major security breaches

NIS Directive set to become law

Article comments

The EU is to legally compel companies in critical sectors such as banking, energy, transport, Internet services and the public sector to report serious security breaches for the first time as part of a major overhaul of cybersecurity policy.

Published as a Network and Information Security (NIS) directive proposal, policy makers use An Open, Safe and Secure Cyberspace to argue that the current voluntary regime has failed, opening the continent to huge risks for its infrastructure and economy.

Both the private sector and member states were failing to share information and some lacked the necessary investment to do so, leaving toothless EU bodies powerless to intervene.

“Private actors still lack effective incentives to provide reliable data on the existence or impact of NIS incidents, to embrace a risk management culture or to invest in security Solutions,” said the paper.

In addition, every member state would be required to set up a properly-funded Computer Emergency Readiness Team (CERT) and to undertake to share security threat data with other states in a co-ordinated way.

"The more people rely on the internet the more people rely on it to be secure. It's time to take coordinated action - the cost of not acting is much higher than the cost of acting," said EC vice president for the Digital Agenda, Neelie Kroes.

"Many EU countries are lacking the necessary tools to track down and fight online organised crime. All Member States should set up effective national cybercrime units that can benefit from the expertise and the support of the European Cybercrime Centre EC3," chimed EU Commissioner for Home Affairs, Cecilia Malmström.

The EU had plumped for legal enforcement across cybercrime security policies and disclosure because it believed it had no choice, they argued.

The proposed Directive and strategy received a generally positive reaction from third parties, particularly the potentially significant decision ot impose some basic standards across all 27 nation states.

“Cyber threats do not stop at national borders, and neither can efforts to protect our networks and systems. At Huawei, we believe an international approach in which all stakeholders take their fair share of responsibility is a prerequisite to tackling this global challenge,” agreed Leo Sun of Chinese telecoms equipment vendor, Huawei.

“The proposal is the start, not the end, of the democratic process within the EU, and it is definitely a step in the right direction,” said Symantec senior director of government affairs, Ilias Chantzos.”

Others cautioned that the problem couldn't be solved by drafting new laws as an end in itself.

“It is vital that any legislation around risk assessment and breach disclosure should focus on the market behaviours that will be created; legislation on its own does not solve the problem and if not implemented carefully may drive negative behaviours,” said BAE Systems Detica managing director, Martin Sutherland.

“We need to be careful that positive outcomes and information sharing about the cyber risk is the result, rather than honest disclosure being driven underground by fear of reputational damage,” he said.

As it stands, the proposals are still open to some interpretation, for instance which incidents large organisations will have to report. The document describes these as being any “having a significant impact on the security of core services.”

Major security incidents – database breaches or sudden loss or important services for instance - would need no definition but, interestingly, in the EU definition ‘major’ includes more basic problems such as “the unavailability of an online booking engine that prevents users from booking their hotels.”

Exactly when the proposed law will come into effect will depend on its adoption by the Council and European Parliament, after which member states will have a further 18 months to act.



EU to force organisations to report major security breaches

What makes a good board report?

What makes a good board report?

Examining how CFOs can improve the way they report back to the boardmore ..

Vodafone buys out partner's stake in Indian unit

Mobile giant acquires the remaining 11% it did not already ownmore ..

Financial advisers not being clear enough on charges, says watchdog

FCA’s review found 73% of firms failed to provide adequate informationmore ..

EU data retention rules violate privacy rights, EU court rules

Rules requiring telcos to retain communications metadata are disproportionate, the court saidmore ..

Examining the issue of corporate litigation funding

Litigation funding is a very useful tool for CFOs but not a panacea for all legal mattersmore ..

Corporate governance: A catalyst for innovation

Corporate governance is a powerful tool in a C-suite executive’s arsenalmore ..

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

In Depth
How M&A teams can create value by challenging the CEO

How M&A teams can create value by challenging the CEO

A typical “hold” period of nine to 18 months can generate increased sale value more ..

In Depth
What every company needs to do about big data?

What every company needs to do about big data?

In the first of a three part series, Pat Brans explores just how big 'big data' will get? more ..


* *