Cybersecurity legislation is still being held up by member state reluctance to report attacks on their digital networks.
The Latvian Presidency of the European Council has been pushing the network and information security (NIS) directive as part of its portfolio relating to the European Commission’s Digital Single Market plans, including data protection and the telecoms single market package. But after trialogue meetings with the European Parliament and the Commission in April, some member states are stalling talks by protesting the mandatory reporting clause.
“I came in thinking we’ll try to finish the directive by the end of the presidency. At some points I felt desperate,” said Jānis Sārts, state secretary of the Latvian Ministry of Defence, at a cybersecurity conference in Brussels on Thursday (28 May).
“This is the first EU regulation and we’re not able to compromise,” Sārts said. “It doesn’t give a very powerful message to those we’re going to confront.”
EurActiv reported last month that Ireland, Sweden and the UK were opposed to requiring large non-European companies to report cyber attacks, while France, Germany and Spain are against the mandatory measure altogether.
Some countries, like the UK, want to stick with a soft power approach for collecting reports on security breaches.
When asked about the mandatory element of planned European cybersecurity legislation, Rachael Bishop, a cybersecurity officer at the UK Department for Business, Innovation & Skills, said, “Smaller companies in particular, they might just stop looking for violations. That would be a massive disincentive to the kind of higher resilience we’re trying to do.”
The Digital Single Market plans include starting the public-private partnership to share information on cybersecurity vulnerabilities early next year.
Udo Helmbrecht, executive director of the European Agency for Network and Internet Security (ENISA), told EurActiv that member states still see digital security as a national issue.
“The mandatory reporting is one thing, but the fear is if you just put it on a voluntary basis, on a weak basis, then what information will be exchanged?” Helmbrecht explained.
“Those who made the legislation fear it won’t have the effect in the end that we want it to have. On the other hand, the member states fear if it’s mandatory and too detailed, they’ll sacrifice some of their interests,” he added.
An EU cyber security strategy was presented by the Commission in 2013, covering the internal market, justice and home affairs, and foreign policy angles of cyberspace.
The European Commission shortly after proposed a Directive with measures to ensure harmonised network and information security across the EU.
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
- The European Commission wants to launch a public-private partnership that would require companies to report cybersecurity attacks in early 2016.