EU lawmakers and member states on Monday (7 November) struck a deal on the bloc’s first broad cybersecurity law to affect multiple industry sectors.
The new law will require online firms, such as Google and Amazon, to report serious breaches or face sanctions.
The deal, following five hours of negotiations between the European Parliament and EU governments, was reached in response to increasing worries about cyber attacks resulting in security and privacy breaches. It still needs to be formally approved.
The European Commission Vice-President for the Digital Single Market, Andrus Ansip, said the new law would build up consumers’ trust in online services, especially cross-border services.
“The Internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cybersecurity solutions. This agreement is an important step in this direction,” Ansip said.
EURACTIV has previously reported on the negotiations over the cybersecurity directive.
The new law, known as the Network and Information Security Directive, sets out security and reporting obligations for companies in critical sectors such as transport, energy, health and finance. Those companies will have to ensure that the digital infrastructure they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber attacks, the Parliament said in a statement.
Within these sectors, each member state will identify the operators providing essential services, based on criteria laid down in the directive.
Andreas Schwab, a German centre-right MEP (CDU), who steered the negotiation for Parliament, said he was satisfied. “Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents. Member states will have to cooperate more on cybersecurity – which is even more important in light of the current security situation in Europe.”
Web firms will be subject to less stringent obligations than, say, airports or oil pipeline operators, which are considered critical.
Under the measure, internet companies such as Google, Amazon, eBay and Cisco – but not social networks like Facebook – will be required to report serious incidents to national authorities, which in turn will be able to impose sanctions on companies that fail to do so.