First pan-European cyber-security law to be enacted
- New Network and Information Security Directive codifies legal responsibilities of Internet companies.
- Those classified as "essential services" must report all serious breaches of their networks and systems.
- List includes the likes of Amazon, Cisco, eBay and Google but not social networks such as Facebook and Yahoo.
- Firms face fines of 5 per cent of global turnover if they fail to report incidents.
Legislators have agreed on the basis and principles upon which to fashion the European Union's (EU) first cyber-security law: the Network and Information Security Directive (NISP). Remarkably, the accord came after a mere five-hour discussion between the European Parliament and the individual governments of the EU's 28 member states. Such speed is a rare event indeed, and it is evidence both of genuine political accord and of just how seriously the EU now takes the ever-increasing threat and incidence of cyber attacks, with the resulting breaches of security and privacy and the bringing down of vital commercial and governmental networks and Internet sites.
One of the central tenets of the new law is that ISPs such as Amazon, eBay and Google will be legally bound to report all 'serious breaches' of their networks and systems to the national governments of the EU member states, or face serious sanctions. However, social networking sites such as Facebook and Yahoo will not be subject to the same requirements or penalties.
Andrus Ansip, the former Prime Minister of Estonia, is now at the European Commission (EC) overseeing the development of Europe's Digital Single Market, with the remit to make Europe a world leader in ICT and to fight cybercrime. He commented, "Trust and security are the very foundations of a Digital Single Market. If we want people and businesses to use and make the most of connected digital services, they need to trust them to be secure in the case of attack or failure."
Mr. Ansip added, "The Internet knows no borders - a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cyber-security solutions. This agreement is an important step in this direction. The new law will build up consumers' trust in Internet services, especially cross-border services."
The Network and Information Security Directive codifies in law the security and reporting obligations incumbent on companies and enterprises in what are classified as 'critical and essential sectors'. These include energy, health, finance and transport.
German MEP Andreas Schwab, who oversaw the law's passage through the European Parliament, said, "Germany pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents. Member states will have to cooperate more on cyber-security, which is more important than ever in light of the current security situation in Europe."
It means that the likes of Amazon, Cisco, Google and Microsoft have been classified as 'essential service providers', alongside energy, banking, healthcare and transport companies, and they too will be required to report any attacks or breaches.
Andrus Ansip again: "We need EU-wide cyber-security solutions. The agreement is an important step in this direction, but we cannot stop here: we plan an ambitious partnership with the industry in the coming months to develop more secure products and services."
Günther Oettinger, the EU's Commissioner for the Digital Economy and Society, observed, "The agreement constitutes a major step in improving the resilience of our network and information systems in Europe. Improving cooperation and information exchange between Member States is a key element of the agreed rules and will help us tackle the increasing number of cyber-attacks."
Now the text of the political agreement will be approved by the European Parliament and the Council. After that it will be gazetted in the EU Official Journal and thus become European law. Henceforth it will be incumbent on relevant businesses and organisations to make themselves completely familiar with their responsibilities under the terms of the new legislation; as "operators of essential services" they must be prepared to take all "appropriate security measures" and notify serious incidents to the relevant national body.
The EC expects that the new law will make companies much more honest and transparent about the security breaches they suffer, and will force the senior management and boards of directors of such enterprises to declare publicly that a cyber-security breach has happened; something that, in the past, many companies have been most unwilling to acknowledge. Should they fail to do so once the new law is in place, the companies face fines of five per cent of their global revenues.