EU Rules on Reporting Responsibilities for Cyberattacks

December 10, 2015 @ 4:30 PM
| |
2 min read

EU officials have imposed rules on how and when Internet companies should report any cyberattacks, SecurityWeek recently reported.

The new law, known as the Network and Information Security Directive, was prompted by the fact that the EU contains 28 different cybersecurity cultures. But the federation also faces increasing levels of cybercrime that crosses borders, and most of the EU member nations aren’t overly eager to cooperate with one another. That’s now poised to change.

A New Deal for the EU

The deal was worked out via negotiations between the EU Parliament and the member governments. The resulting EU-wide rules would mandate critical utility-providing companies, such as water and power providers, financial institutions and health care providers, to increase security to prevent attacks and also change their reactions in the event that one takes place. They would have to inform the proper authorities following an incident.

Specifics of how these companies would increase security and exactly what kinds of cyberattacks would trigger these reporting requirements have not been released. That may be because each of the member states is free to designate what the specifics of the enacted directive will be.

For example, EU member states will have to identify companies and organizations within critical sectors that will be subject to the directive. That designation is based on whether a cyberattack (and its potential consequences) could have “significant disruptive effects on its [the state’s] provision or public safety,” the European Parliament said in a news release.

The legislation also contains measures for setting up a strategic cooperation group to exchange information across borders and establishing Computer Security Incidents Response Teams (CSIRTS) to handle incidents and coordinate responses.

Changing Reactions to Cyberattacks

While the regulations cover online marketplaces such as eBay and Amazon, they also apply to search engines like Google. SC Magazine reported that Google will be held to a lower standard, but gave no specifics. And while micro and small digital companies are exempt from the rules, the legistlation should still be enough to enhance security efforts across the EU.

“This agreement is a major step in raising the level of cybersecurity in Europe,” European Commissioner for Digital Economy and Society Günther Oettinger wrote. He added that the rules are designed to buttress an ambitious plan unveiled earlier this year, which intends to overhaul Europe’s fragmented technology landscape to create a “digital single market.”

The directive has only been provisionally agreed to and has yet to be formally approved by the European Parliament’s Internal Market Committee and Council of Permanent Representatives. Once that occurs, however, the global cybersecurity landscape could be changed for good.

Larry Loeb
Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE mag...
read more