EU proposes new directive on cyber security
The new directive was announced as part of the EU Cybersecurity Plan, designed to create a greater level of cyber resilience and a common cyber defence policy across Europe in light of growing concern over potential cyber attacks on critical national infrastructures.
The EU has already established a European Cybercrime Centre to develop new legislation for cyber crime and it is now turning its attention to the practical side of cyber risk management.
“It is time to take coordinated action: the cost of not acting is much higher than the cost of acting,” said Neelie Kroes, European Commission Vice-President for the Digital Agenda.
The EU’s strategy is threefold. Firstly, member states must adopt a network and information security (NIS) strategy and appoint a national authority to prevent, handle and respond to cyber security incidents.
Secondly, the EU would like to see a mechanism that allows for greater information sharing between member states and an early warning facility on risks and incidents.
Thirdly, the public and private companies included in the proposed directive’s remit must not only ensure the adoption of cyber risk practices but also report any major cyber security incidents to the relevant national authority.
Telecom, network and internet service providers already have an obligation to report incidents. But the EU proposes to extend this obligation to six sectors it deems critical infrastructures: energy, transport, banking, health, public administration and key internet companies.
This last group includes large cloud computing providers, search engines, e-commerce platforms and social networks.
The introduction of public notification rules in the event of a data breach has been instrumental in the adoption of cyber insurance policies in the US and similar rules could come into force in the EU in 2015 through changes to data protection policy.
However, the EU’s proposed directive on cyber security will not mandate that every incident be reported or that notifications of cyber incidents be made public.
The EU’s proposal follows the recent publication by the European Network and Information Security Agency (Enisa) of the findings of the largest ever pan-European cyber security exercise.
The exercise involved 29 member states, 339 organisations and 571 individuals from both the public and private sectors, covering cyber security agencies, government ministries, financial institutions, internet service providers and telecommunications operators.
While the exercise was rated positively by 88% of the participants, the report identified a number of operational challenges: ensuring sufficient public-private cooperation across different countries, and achieving the scalability needed to complete the exercises given the number of countries involved.
Consequently Enisa has made a number of key recommendations to further the development of pan-European cyber resilience for key infrastructures. These include running more exercises, more training in crisis procedures, input from other sectors such as energy and transportation, and increased involvement of private sector firms in the exercises.