The European Commission on Feb. 7 issued a proposed directive that would require each member nation to establish computer emergency response teams and would impose requirements obliging most enterprises transacting business online in the European Union to report serious breaches [see EU Unveils New Cybersecurity Policy].
The directive leaves many questions about corporate responsibility unanswered, says Gilbert, founder of the IT Law Group and general counsel of Cloud Security Alliance, a not-for-profit that promotes the use of security assurance best practices within cloud computing.
Before it's fully implemented, the directive must be approved by the European Parliament, and each member state must establish its CERTs and cyber-reporting policies. Because each nation will decide how to implement the directive, organizations transacting business online in more than one European country could face inconsistent obligations.
"To what extent do I have to disclose a security breach that is not located in that territory, and how do I respond to this?" Gilbert asks in an interview with Information Security Media Group. "How does one address all of the inconsistencies? You can expect each country is going to interpret it in its own way ... 27 different laws that may have different wording."
It's a problem similar to the one faced by enterprises that experience a breach in the United States: having to comply with 47 different state breach notification laws.
Another challenge facing companies operating online in Europe under the proposed directive is interpreting the term 'serious cyber-attack.' "How do you define a serious cyber-attack, as a global company?" Gilbert asks. "I would say, 'God, please give me a definition that is the same everywhere.' Otherwise, it's not manageable."
In the interview, Gilbert:
- Compares existing European regulations requiring the reporting of cyber-attacks with those proposed under the directive;
- Contrasts the protections the directive aims to provide in Europe with cybersecurity laws in the United States;
- Describes the types of organizations that would fall under the proposed directive's provisions.
Gilbert specializes in information technology, Internet, IT security and privacy law. She has taught technology and data protection law in the Graduate School of Health Information Science at the University of Illinois in Chicago since 1992, and has been a frequent guest speaker at John Marshall Law School in Chicago and at the Silicon Valley Center for Entrepreneurship at San Jose State University in California. Gilbert has earned law degrees in Chicago and Paris.