The EU's first cyber-security law has been decided upon by both the European Parliament and the governments of the EU.
The law will require companies like to report their cyber-security breaches or face the discipline of the EU. It sets out the reporting requirements in major sectors like transport, finance and energy as well as dealing with internet companies like Google although held to a looser standard. The EU Parliament told press that “Transport and energy companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks, under new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers on Monday. Online marketplaces like eBay or Amazon, search engines and clouds will also be required to ensure that their infrastructure is secure.”
The new law, known as the Network and Information Security Directive, has been prompted by not only the fact that the EU contains 28 different cyber-security cultures but currently faces rising levels of cyber-crime which traverse those 28 borders of member state who aren't eager to cooperate with one another.
If companies don't report their breaches, they may well be sanctioned. What exactly they could be punished with is left up to the member state to decide, but according to one EU spokesperson who spoke to SCMagazineUK.com “penalties have to be effective, proportionate and dissuasive.”
Emily Taylor, an associate fellow at Chatham House and internet governance expert told SC that the transnational nature of the Directive is crucial: “criminals don't stop at borders, and cooperation between EU members states is essential in combatting online crime.” However, “The challenge will be, as always, translating these high level policy principles into a network of coherent national strategies”, said Taylor.
Plenty of the member states within the Directive are already thinking about legislation, like the much-maligned Investigatory Powers Bill, “which are focused on their own national interests within the confines of their borders - how will the two policy spaces match up?”
Member states will have to designate what companies and organisations within those critical sectors will be subject to the Directive, based on whether it could have “significant disruptive effects on its provision or public safety.”
There will also be a strategic cooperation group to exchange information across borders as well as a series of Computer Security Incidents Response Teams (CSIRTS) to handle incidents and coordinate responses.
The deal was finally worked out after hours of negotiations between the Parliament and the supra-national body's member governments. The Parliament's rapporteur Andrews Schwab told press after the deal was made "Today, a milestone has been achieved: we have agreed on first ever EU-wide cyber-security rules, which the Parliament has advocated for years."
There has not yet been a great amount of detail released on what the Directive might mean for everyday business in the UK and Europe but the news has been warmly received by the industry. Adam Palmer, director of international government relations at FireEye told SC that “FireEye supports the approach adopted by the NIS and encourages all EU member state governments to now quickly adopt its recommended risk management procedures.” However, “It is important to start planning for this compliance NOW, rather than wait and risk a penalty for non-compliance after the 2 year implementation period expires.”
However, said Palmer, this is only a first step: “It is now a critical time for European governments to build on this foundation and adopt clear strong standards."
Developments like this have been a long time coming for people like Chris Wysopal, former white hat hacker and current co-founder, CTO and CISO of application security company, Veracode. Wysopal was one of the eight members of the hackers group L0pht who testified in front of the US congress in 1998 saying, among other things, that cyber-security wouldnt get better unless companies were held to account for the security of their products. He spoke to us recently on how those words still ring true and today, told SC that “It's good to see agreement from EU lawmakers that something needs to be done about the state of cybersecurity across the region.”
While it's a step in the right direction, “any legislation needs to be prescriptive to create a baseline for what's considered reasonable security, otherwise it will be difficult to drive change. One way to do this would be taking the Network and Information Security Directive one step further and crafting some form of liability to enforce reasonable efforts are being taken to secure systems.”
“The NISD is going to significantly increase the focus on cybersecurity at board level – the obligation to publicly declare a breach will send shivers up the spines of CEOs everywhere”, Andrew Rogoyski, head of cyber-security at CGI and a former cabinet office adviser told SC. One of the likely implications, said Rogoyski is that the “Visibility of breaches will increase. This will drive public concern over the safety of online systems and whether a company can be trusted with sensitive information by users.” In the US this kind of visibility has lead to a huge increase in litigation associated with large breaches, which in turn has created the growth of the cyber-insurance industry which is only set to grow in the coming years: “The cyber insurance market is already worth over $1 billion and is expected to grow at double-digit rates over the next 2-3 years. Again, this will drive organisation to invest in better cyber security.”
Rogoyski added that the Directive comes alongside the General Data Protection Regulation (GDPR), which will harmonise data protection law across europe “ With penalties of up to 5 percent of global turnover being mooted, the GDPR is to be taken very seriously indeed. Combined with the Directive, there will be enormous pressure on companies and organisations to improve their cybersecurity.”
The Directive has only been provisionally agreed and has yet to be formally approved by the European Parliament's Internal Market Committee and Council of Permanent Representatives.