EU Unveils New Cybersecurity PolicyDirective Would Require Online Entities to Report Cyber-Attacks
Companies operating online in Europe - such as banks, health providers, search engines and social media companies, among others - would be required to report serious cyber-attacks to national authorities under a proposed directive unveiled by the European Union on Feb. 7.
EU officials said the proposed reporting requirement is necessitated because past efforts have been on too small a scale and too fragmented. They said the voluntary nature of previous reporting efforts left many gaps in overall cybersecurity.
"We need to protect our networks and systems, and make them resilient; that can only happen when all actors play their part and take up their responsibilities," Neelie Kroes, European Commission vice president for the digital agenda, said at a press conference in Brussels launching the EU's new cybersecurity strategy.
"Cyberthreats are not contained to national borders: nor should cybersecurity be," Kroes said. "So our strategy is accompanied by a proposed directive to strengthen cyber-resilience within our single market. It will ensure companies take the measures needed for safe, stable networks."
To become effective, European member states must implement the directive within 18 months of its adoption by the European Parliament.
Concerns Voiced from America
"We are concerned that the sweeping and indiscriminate inclusion of enablers of Internet services in the scope of the directive would fail to strike the delicate, but indispensable, balance between the risk-based prioritization of assets and functions to be protected and the strong interdependencies in cyberspace across sectors and across borders," Wagner said.
Under existing EU rules, only telecommunication companies and data controllers have had to adopt security measures, and telecoms alone are required to report significant security incidents. Directive sponsors say the proposed measure works to level the playing field by applying to all owners of critical infrastructure.
"It is absurd to work to protect critical Internet infrastructure without obliging such companies to take responsibility for their wider role in this ecosystem," a European Commission statement says.
The directive would cover institutions that offer services over the Internet that empower key economic and social activities. The European Commission identifies such enterprises as those in which a suspension of their activities "for a couple of hours" would have a significant impact on Internet users.
Entities that would be covered by the directive include cloud providers, e-commerce platforms and energy and transport companies. Exempt from the directive would be news organizations and publishers, web browsers, websites such as Wikipedia and content management systems such as WordPress.
Directive's Key Provisions
Among provisions of the directive:
- Member states must adopt the strategy and designate a national network and information security competent authority with adequate financial and human resources to prevent, handle and respond to network and information security risks and incidents;
- Creating a cooperation mechanism among member states and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organize regular peer reviews;
- Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (app stores, e-commerce, platforms, Internet payment, cloud computing, search engines and social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.
"The more people rely on the Internet the more people rely on it to be secure," Kroes said. "A secure Internet protects our freedoms and rights and our ability to do business. It's time to take coordinated action - the cost of not acting is much higher than the cost of acting."