EU Proposals To Force Cyber Attack Transparency On Businesses

From: TechWeek

Exclusive: European Commission hopes to enshrine transparency around cyber incidents in law

by Tom Brewster

The European Commission wants to impose obligations on public and private organisations to report and share information on cyber attacks that cause serious damage, TechWeekEurope has learned.

A draft proposal for the Cyber Security Strategy of the European Union has been making its way around Brussels, but has not been released to the press yet. It will be officially unveiled by Neelie Kroes, EU Digital Agenda vice president, and her team later this year, possibly before the end of the month.

But an internal Commission document seen by TechWeekEurope said a proposed directive would force businesses and government bodies to report “incidents with a significant impact”. The EC believes this “will enhance the ability to respond to incidents and foster transparency”.

The document hints at broad aims within the strategy. Under a subheading asking what will change after adoption of the directive, the document read: “There will be a high level of cyber security across the EU in terms of increased capabilities, preparedness, cooperation, information exchange and awareness at national and EU level, both in the public and the private sectors.”

Cyber attack transparency

This differs from the European Commission’s controversial proposed directive on data protection, laid before the public last year. That directive includes a rule stipulating that organisations should report a data breach incident within 24 hours. But such a breach does not have to relate to a cyber attack or incident, only to cases where citizen information has been exposed.

The directive under the Cyber Security Strategy would, this publication understands, relate to any kind of severe cyber incident, even those where no citizen data has gone missing. As long as it is deemed serious enough, the list could include distributed denial of service (DDoS) attacks, cyber fraud and even events caused by natural disasters.

The ultimate aim is to create an information sharing environment, so if something cataclysmic happens, nation states will have more to work with during recovery.

“This is about system problems,” a spokesperson from Neelie Kroes’ office told TechWeekEurope. “This reporting requirement is more like ‘Hurricane Sandy wiped out my power station and now electricity and Internet are down – who do I call to help?’”

“We don’t tell the countries exactly what incidents must be reported – that will have to be agreed at a later stage in the debate.”

The spokesperson was clear that global technology companies would certainly not be exempt from the requirement to report incidents.

“We need to protect critical infrastructure and IT systems are often the critical infrastructure. It would be nonsense to try to increase our understanding of these threats and to deal with them more efficiently without formalising a responsibility on the companies,” he added.
