The European Commission (EC) has proposed a directive on Network and Information Security (NIS) that will require large EU-based companies to disclose major cyber attacks to national authorities.
The aim of the proposed directive is to ensure a high common level of NIS across the EU. This will be achieved by requiring ‘market operators’ and public authorities to take measures to manage cyber risks, one of which will be an obligation to report serious cyber incidents.
‘Market operators’ is not yet a defined term of art, but it is estimated that over 40,000 firms in the EU could be affected. The proposal loosely defines the group as including: providers of e-commerce platforms, internet payment gateways, social networks, search engines and app stores; and operators of ‘critical infrastructure’ in the fields of energy, transport, banking, stock exchanges and health. Hardware manufacturers and software developers are currently exempt.
The measures these market operators would be required to adhere to can be split into three broad categories:
- A requirement to submit to independent regulation: each member state would have to adopt a NIS strategy and set up a single national authority to monitor application of the measures.
- A requirement to disclose to the national authority cyber incidents that have a ‘significant impact on the security of core services’. The authority would then be able to inform the public, or require the market operator to do so, if it considers the incident to be of public interest.
- A requirement to undergo cyber security audits where necessary and permit investigations in cases of non-compliance.
As this final point suggests, the directive also requires member states to enact sanctions for non-compliance, though exactly what form these take is left to each member state’s discretion. If and when the directive is brought into effect, agreement on sanction regimes could prove difficult. The EC may choose to be more prescriptive when it publishes the final form of its directive, to stave off the setting of dangerous precedents.
Member states will also have to create a ‘co-operation mechanism’ to share information on security breaches and threats across the EU. This raises inevitable concern over data confidentiality, which the EC has sought to allay by including a set of common, minimum information security standards and an obligation on member states to create Computer Emergency Response Teams to co-ordinate incident responses.
The implications for business are considerable, and the inclusion of ‘market operators’ is likely to bring on the same headache that has pained efforts to pass national cyber security legislation in the US. Even companies not headquartered in Europe but which have activities or systems in Europe would have to disclose significant intrusions. The anxieties that killed the proposed Cybersecurity Act in the US – namely that the state did not want to be seen to be prying on personal information or imposing burdensome government-set security standards on private firms – are likely to resurface in Europe.
Concerns have also been voiced about the reputational damage disclosure might cause, and about the impact on SMEs, which already cite compliance with administrative regulations such as those proposed as one of the largest constraints on their business.
This is nevertheless a step in the right direction by the EC. The ability to get redress for fraud varies significantly across the EU and it is in the interests of the sector to improve the overall level of risk management. Encouraging greater transparency on cyber incidents and the active sharing of knowledge between member states is a bold ambition, but there is a definite determination here to address the vulnerabilities perceived in the current system.
The EC estimates the proposal will not be implemented before 2015.