December 10, 2015 By Larry Loeb 2 min read

EU officials have imposed rules on how and when Internet companies should report any cyberattacks, SecurityWeek recently reported.

The new law, known as the Network and Information Security Directive, was prompted by the fact that the EU contains 28 different cybersecurity cultures. But the federation also faces increasing levels of cybercrime that crosses borders, and most of the EU member nations aren’t overly eager to cooperate with one another. That’s now poised to change.

A New Deal for the EU

The deal was worked out via negotiations between the EU Parliament and the member governments. The resulting EU-wide rules would mandate critical utility-providing companies, such as water and power providers, financial institutions and health care providers, to increase security to prevent attacks and also change their reactions in the event that one takes place. They would have to inform the proper authorities following an incident.

Specifics of how these companies would increase security and exactly what kinds of cyberattacks would trigger these reporting requirements have not been released. That may be because each of the member states is free to designate what the specifics of the enacted directive will be.

For example, EU member states will have to identify companies and organizations within critical sectors that will be subject to the directive. That designation is based on whether a cyberattack (and its potential consequences) could have “significant disruptive effects on its [the state’s] provision or public safety,” the European Parliament said in a news release.

The legislation also contains measures for setting up a strategic cooperation group to exchange information across borders and establishing Computer Security Incidents Response Teams (CSIRTS) to handle incidents and coordinate responses.

Changing Reactions to Cyberattacks

While the regulations cover online marketplaces such as eBay and Amazon, they also apply to search engines like Google. SC Magazine reported that Google will be held to a lower standard, but gave no specifics. And while micro and small digital companies are exempt from the rules, the legistlation should still be enough to enhance security efforts across the EU.

“This agreement is a major step in raising the level of cybersecurity in Europe,” European Commissioner for Digital Economy and Society Günther Oettinger wrote. He added that the rules are designed to buttress an ambitious plan unveiled earlier this year, which intends to overhaul Europe’s fragmented technology landscape to create a “digital single market.”

The directive has only been provisionally agreed to and has yet to be formally approved by the European Parliament’s Internal Market Committee and Council of Permanent Representatives. Once that occurs, however, the global cybersecurity landscape could be changed for good.

More from

Skills shortage directly tied to financial loss in data breaches

2 min read - The cybersecurity skills gap continues to widen, with serious consequences for organizations worldwide. According to IBM's 2024 Cost Of A Data Breach Report, more than half of breached organizations now face severe security staffing shortages, a whopping 26.2% increase from the previous year.And that's expensive. This skills deficit adds an average of $1.76 million in additional breach costs.The shortage spans both technical cybersecurity skills and adjacent competencies. Cloud security, threat intelligence analysis and incident response capabilities are in high demand. Equally…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today