EurActiv.com

EU news and policy debates across languages

24/07/2016

EU to propose mandatory reporting of cyber incidents

Digital

EU to propose mandatory reporting of cyber incidents

Cyber security.JPG

The European Union may force companies operating critical infrastructure in areas such as banking, energy and stock exchanges to report major online attacks and reveal security breaches, according to a draft report by the European Commission.

The European Commission is due to present a proposal on cybersecurity in February once it has received feedback from the European Parliament and EU countries.

The proposal was initially announced in May for the third quarter this year but has been delayed.

>> Read: EU to impose compulsory cyber defence rules

EU moves to protect critical infrastructure echo similar concerns worldwide amid an increasing number of cyber attacks globally that can disrupt important areas of the economy, from online banking to stock exchanges.

"Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported," the report said.

Unlike the United States where companies are required to report online attacks, which supporters say forces companies into keeping cyber defences tight, the EU has a piecemeal approach.

Some countries like Britain oppose mandatory reporting, which it believes would encourage companies to cover up online breaches because they do not want to alarm their customers.

An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption.

"We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximise security," the official said.

European companies in critical areas of the economy "lack effective incentives to provide reliable data on the existence or impact" of network security incidents, the report said.

Companies fear that revealing their vulnerability could cost them customers, but authorities are eager for increased transparency to try and shut down methods hackers use to exploit networks before they can do widespread damage.

"Cyber security incidents are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, sanitation, electricity, or mobile networks," the report said.

The EU proposal would require companies in critical infrastructure areas to conduct risk assessments and work with national authorities to ensure a minimum standard across the 27-country bloc.

Inconsistent measures on cyber security also carry an economic cost. In 2012, 38% of the EU's internet users say they were concerned about making payments online, an EU poll showed.

Background

Most cyber security incidents are often not reported or detected even though they can affect millions of citizens and businesses, the EU's cyber security agency ENISA warned last August.

Neelie Kroes, the EU Commissioner for the Digital Agenda, said in a November 2012 speech that the Commission was considering extending to new areas the telecom sector's obligation to adopt risk management measures and report incidents to authorities.

She cited the following sectors: "Internet services, banking, energy, transport, health, public administrations".

Timeline

  • Feb. 2013: European Commission expected to table proposal on mandatory reporting of cyber incidents.