EU Develops New Cybersecurity Rules

The European Union will propose new cybersecurity rules Thursday, requiring search engines, energy providers, banks and other companies to report disruptions to government authorities.
Transit hubs, stock exchanges and a host of other entities would be covered by the proposal, which has been seen by The Wall Street Journal and which the European Commission, the bloc's executive arm, drafted after a decade of failed voluntary measures.

The proposals still must be reviewed by the European Parliament and the leaders of the EU's 27 national governments before becoming law. Such proposals are generally amended but ultimately approved, a process that normally takes roughly two years.

"Information systems can be affected by security incidents, such as human mistakes, natural events, technical failures or malicious attacks," the draft proposal says. "These incidents are becoming bigger, more frequent, and more complex."

With the EU's member countries all enforcing different cybersecurity rules, and member states reluctant to share information with neighbors for fear they are less secure than themselves, the bloc is increasingly open to attack, according to the proposal.

"The current situation in the EU, reflecting the purely voluntary approach followed so far, does not provide sufficient protection against network and information security incidents and risks across the EU," according to the document.

The new rules will be jointly introduced Thursday by the bloc's foreign-policy-and-defense, technology-and-telecommunications, and home-affairs chiefs.

"We need to intensify global efforts to fight cybercrime that is shaking the confidence of online services and is thereby damaging our economies," EU High Representative Catherine Ashton said last October.

The proposal requires all EU countries to establish competent authorities to monitor online security and set up Computer Emergency Response Teams.

Many of the countries already have such an authority.

That would encourage countries to share information and improve resilience, according to EU officials, who point to the U.K., Denmark, Finland, the Netherlands and Sweden as being among the best countries in the bloc when it comes to dealing with cyber threats.

In the U.K. earlier this month, a parliamentary committee said lack of preparedness against cyberattacks is putting Britain's military forces at risk. The British government has committed £650 million ($1.02 billion) to upgrading its capacity to combat cyberattacks.

Several high-profile hacking incidents have grabbed headlines recently. Twitter Inc. reported unauthorized attempts to access information such as user names and passwords. The Wall Street Journal and other newspapers alleged that China has hacked into their computers—claims the Chinese have denied.

There are also plans to work with countries outside the bloc to enhance security, including the Balkan region and West Africa, with Nigeria known to be a hub of illegal online activity, according to EU officials.

In the U.S., a White House-backed bill, which would have established a voluntary regime of cybersecurity standards developed by the government and private industry, was blocked by Republican lawmakers in August.

EU officials stressed the importance of a strong trans-Atlantic approach to cybersecurity, praising the work of the EU-US Working Group on Cyber-security and Cyber-crime. U.S. companies with subsidiaries in Europe would also have to report disruptions under the EU proposal, if they are in sectors affected by the legislation.

Approximately 40,000 companies would be affected by the proposal, according to EU officials. That includes so-called Internet enablers such as Google Inc., Facebook Inc. and Twitter, as well as banks, energy providers and cloud-computing providers.

Companies would have to notify authorities of data-privacy breaches or "incidents with a significant impact" on services, such as natural disasters, extreme weather and cases of human error, as well as cyberattacks.

Sanctions for failing to report would be decided by the member states, which would have to turn the directive into national law. The proposal makes an exception for so-called micro enterprises, in order to avoid an excessive administrative burden on small businesses.

Neelie Kroes, the EU commissioner for digital agenda, said in a recent interview that "the cost of not acting on cybersecurity is much greater for companies than [that of] acting."

In an online public consultation prior to drawing up the proposals, the commission found that 57% of respondents had experienced cybersecurity incidents over the previous year that had a serious impact on their activities.

