A new law which will require some companies to report security breaches has been approved by the European Union. The European Parliament voted in favour of the Network and Information Security (NIS) Directive, which will require companies that own or operate technology for critical infrastructure facilities to report cyber-attacks to officials – even if data has not been compromised in the incident. A number of firms have supported the introduction of the new law, as it will allow information to be shared and could reduce or prevent future attacks. “We commend the European Parliament for wisely focusing the directive on the critical infrastructure elements,” Thomas Boue, policy director at BSA, the Software Alliance, explained to ComputingUK.
He added: “This directive will succeed if it is based on clear and future-proof definitions and a proportional, risk-based approach that allows the private sector to continue to innovate.” Each member state will decide how the directive should be incorporated into national law, so penalties for failing to report an attack will be country-specific. However, all European Union members are legally required to investigate any incidents of noncompliance. Initially, the directive would have required companies such as Google, eBay and Amazon to report security attacks, but the wording was changed, which means they will not now be forced to comply with the new law.
Neelie Kroes, vice-president of the European Commission responsible for the Digital Agenda, explained that sharing information on bio-terrorism and flu outbreaks is already second nature for the Union and this should now apply to cyber incidents to help protect the region’s economy and infrastructure. Figures from the European Commission show that 93 per cent of large-scale organisations were victims of a cyber-attack in 2012. However, almost 75 per cent felt that being required to report such incidents would not lead to further costs and more than 66 per cent felt the introduction of a NIS risk management system would not increase expenses.