EU Agrees to First Set of Cybersecurity Rules: What This Means for Your Company
European Union (EU) member states and lawmakers reached a deal late Monday that will require Internet firms and critical service companies to report serious breaches or face sanctions.
The deal, the Network and Information Security Directive, is the first ever EU-wide set of cybersecurity rules. It is designed to ensure that the digital infrastructure used by critical sectors (energy, transport, banking, financial markets, health, and water supply) to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyberattacks.
"Member states will have to identify concrete 'operators of essential services' from these sectors using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems, and whether an incident could have significant disruptive effects on its provision or public safety," according to an EU Parliament press release.
If companies in these sectors experience a serious security breach, they must also be prepared to report it to public authorities. Additionally, the deal requires some Internet service providers (such as online marketplaces, search engines, and cloud services) to ensure the safety of their infrastructure and to report major incidents. Amazon, eBay, and Google were specifically named as U.S. companies that will be subject to these requirements.
However, it remains unclear what counts as a "serious" breach, and there has been no clarification of what the sanctions will entail.
EU Parliament Rapporteur Andreas Schwab said in a statement that the deal is something the EU Parliament has advocated for years, calling it a major "milestone."
"Parliament has pushed hard for a harmonized identification of critical operators in energy, transport, health, and banking fields, which will have to fulfil security measures and notify significant cyber incidents," Schwab said. "Member states will have to cooperate more on cybersecurity, which is even more important in light of the current security situation in Europe."
Under the draft rules of the directive, a strategic cooperation group will be set up to exchange information and best practices, draw up guidelines, and assist member states in cybersecurity capacity building, according to the press release.
"In addition, a network of Computer Security Incidents Response Teams, set up by each member state to handle incidents, will have to be established to discuss cross-border security incidents and identify coordinated responses," the release explained.
While this marks a significant step for the EU, it remains behind the United States in creating a vast information sharing network, says Lisa Sotto, head of the Hunton & Williams global privacy and cybersecurity team.
The deal "seems to set up this information-sharing infrastructure that we have in the United States, which is quite mature and appears to be non-existent in the EU," she explains. "Here in the United States, we have a really very robust information sharing framework between government entities, the private sector, and law enforcement."
However, the directive is not effective immediately. It still needs to be formally approved by the EU Parliament's Internal Market Committee and the Council Committee of Permanent Representatives before going into full effect.