December 10, 2015 By Larry Loeb 2 min read

EU officials have imposed rules on how and when Internet companies should report any cyberattacks, SecurityWeek recently reported.

The new law, known as the Network and Information Security Directive, was prompted by the fact that the EU contains 28 different cybersecurity cultures. But the federation also faces increasing levels of cybercrime that crosses borders, and most of the EU member nations aren’t overly eager to cooperate with one another. That’s now poised to change.

A New Deal for the EU

The deal was worked out via negotiations between the EU Parliament and the member governments. The resulting EU-wide rules would mandate critical utility-providing companies, such as water and power providers, financial institutions and health care providers, to increase security to prevent attacks and also change their reactions in the event that one takes place. They would have to inform the proper authorities following an incident.

Specifics of how these companies would increase security and exactly what kinds of cyberattacks would trigger these reporting requirements have not been released. That may be because each of the member states is free to designate what the specifics of the enacted directive will be.

For example, EU member states will have to identify companies and organizations within critical sectors that will be subject to the directive. That designation is based on whether a cyberattack (and its potential consequences) could have “significant disruptive effects on its [the state’s] provision or public safety,” the European Parliament said in a news release.

The legislation also contains measures for setting up a strategic cooperation group to exchange information across borders and establishing Computer Security Incidents Response Teams (CSIRTS) to handle incidents and coordinate responses.

Changing Reactions to Cyberattacks

While the regulations cover online marketplaces such as eBay and Amazon, they also apply to search engines like Google. SC Magazine reported that Google will be held to a lower standard, but gave no specifics. And while micro and small digital companies are exempt from the rules, the legistlation should still be enough to enhance security efforts across the EU.

“This agreement is a major step in raising the level of cybersecurity in Europe,” European Commissioner for Digital Economy and Society Günther Oettinger wrote. He added that the rules are designed to buttress an ambitious plan unveiled earlier this year, which intends to overhaul Europe’s fragmented technology landscape to create a “digital single market.”

The directive has only been provisionally agreed to and has yet to be formally approved by the European Parliament’s Internal Market Committee and Council of Permanent Representatives. Once that occurs, however, the global cybersecurity landscape could be changed for good.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today