New rules on cybersecurity across the European Union were presented on Thursday after weeks of speculation and leaked drafts.
The main part of the European Commission's Cyber Security Strategy is a proposed Directive on Network and Information Security. If approved by the European Parliament and member states, this would become E.U. law.
Previous voluntary efforts have fallen short, "leaving many gaps in our overall cybersecurity" according to a Commission document. Currently only telecom companies are required to report significant security incidents. The new directive would extend that to major Internet companies such as large cloud providers, social networks, e-commerce platforms and search engines, the banking sector and critical infrastructure services including energy, transport and health as well as public administrations.These so-called "enablers of information society services" would be required to report any security breach that "significantly affects the continuity of critical services and supply of goods" to a national authority. This authority "may require that the public be informed," but a public announcement will not be mandatory.
A Data Protection Regulation currently being examined by the European Parliament only covers security incidents where personal data is compromised. Therefore cyberattacks that do not target data would not need to be reported. The new directive would change that.
Companies such as PayPal, Google, Amazon, eBay and Skype would have to notify authorities of any major cyberattack as well as other incidents that have a significant impact on services, such as natural disasters, extreme weather and cases of human error.
Digital Agenda Commissioner Neelie Kroes criticized business managers who deny cyberattacks are happening because they are worried about their companies' reputations. Cyberattacks are a common occurrence, with statistics showing that 93 percent of large corporations experienced a cyberattack last year, she pointed out.
"At the end of the day openness and transparency about your experience is going to result in a better environment for all," she said.
Member states will determine how they write the directive into national law, so sanctions for failing to report an incident will vary by country.
As part of the proposed directive, member states will be required to designate a contact agency that is responsible for sharing information about cyberthreats with other countries as well as the European Network and Information Security Agency.
Richard Archdeacon, head of security strategy at Hewlett Packard, said that the proposed directive would help to build trust among consumers. "Cloud computing alone is expected to boost the European economy by ¬1 trillion by 2020, but a lack of confidence in Internet security due to the alarming number of costly attacks is blocking widespread adoption," he said in a statement.
European statistics from 2012 show that Internet users are 18 percent less likely to buy and 15 percent less likely to use online banking because of security fears.
In addition, nearly three quarters of 160 respondents to an online Commission consultation said that the requirement to report cyberincidents would not incur any additional costs, and more than two thirds said that implementing a state of the art risk management system would not result in increased costs.
The European Telecommunications Network Operators' Association unreservedly approved of the plan, while Chinese telecommunications company Huawei stressed the importance of working globally to tackle cyberattacks.
However, "the proposal in its current form will not achieve its stated aim," warned Liam Benham, vice president of governmental programs at IBM Europe."The challenge for business will be to find the right level of security appropriate to the risk presented. In this respect, the proposal is a bit vague at this stage," agreed Jörg Hladjk, associate lawyer with Hunton & Williams.
The European Parliament will now have to approve the directive, so further changes to the text are likely. Once law, E.U. member states have 18 months to write it into their national legislation.