The EU's first cyber-security law has been decided upon by the European Parliament and member states.
The law will require companies to report cyber-security breaches or face sanctions within the EU. It sets out reporting requirements for major sectors such as transport, finance and energy, and also covers internet companies such as Google, although these are held to a looser standard.
The new law, known as the Network and Information Security Directive, has been prompted by growing fears over a major cyber-attack.
The EU contains 28 different cyber-security cultures and faces rising levels of cyber-crime in multiple member states, leading to problems over jurisdiction and cross-border cooperation.
If companies don't report their breaches, they may well be sanctioned. The punishment is left up to the member states, but according to one EU spokesperson who spoke to SCMagazineUK.com “penalties have to be effective, proportionate and dissuasive.”
Emily Taylor, an associate fellow at Chatham House and internet governance expert, told SC that the transnational nature of the Directive is crucial: “Criminals don't stop at borders, and cooperation between EU member states is essential in combating online crime.”
However, she added, “The challenge will be, as always, translating these high level policy principles into a network of coherent national strategies.”
Plenty of member states covered by the Directive are already thinking about legislation, such as the much-maligned Investigatory Powers Bill.
Member states will have the power to designate which companies and organisations within those critical sectors will be subject to the Directive, based on whether it could have “significant disruptive effects on its provision or public safety”.
There will be a strategic cooperation group to exchange information across borders as well as a series of Computer Security Incident Response Teams (CSIRTs) to handle incidents and coordinate responses.
The deal was finally worked out after hours of negotiations between the Parliament and member states. The Parliament's rapporteur Andreas Schwab told press after the deal was made, “Today, a milestone has been achieved: we have agreed on first ever EU-wide cyber-security rules, which the Parliament has advocated for years.”
There has not yet been a great amount of detail released on what the Directive might mean for everyday business in the UK and Europe but the news has been warmly received by the industry.
Adam Palmer, director of international government relations at FireEye, told SC, “FireEye supports the approach adopted by the NIS and encourages all EU member state governments to now quickly adopt its recommended risk management procedures.”
However, he commented: “It is important to start planning for this compliance now, rather than wait and risk a penalty for non-compliance after the two-year implementation period expires.”
And this is only a first step, he added: “It is now a critical time for European governments to build on this foundation and adopt clear strong standards.”
Developments like this have been a long time coming for people like Chris Wysopal, former white hat hacker and current co-founder, CTO and CISO of application security company Veracode.
Wysopal was one of eight members of the hacker group L0pht who testified in front of the US Congress in 1998, saying, among other things, that cyber-security wouldn't get better unless companies were held to account for the security of their products.
He spoke to us recently about how those words still ring true, adding today: “It's good to see agreement from EU lawmakers that something needs to be done about the state of cyber-security across the region.”
While it's a step in the right direction, he said, “Any legislation needs to be prescriptive to create a baseline for what's considered reasonable security, otherwise it will be difficult to drive change. One way to do this would be taking the Network and Information Security Directive one step further and crafting some form of liability to ensure reasonable efforts are being taken to secure systems.”
The Directive will focus the minds of boards of directors everywhere, said Andrew Rogoyski, head of cyber-security at CGI and a former cabinet office adviser. “The obligation to publicly declare a breach will send shivers up the spines of CEOs everywhere”, Rogoyski told SC.
One of the likely implications is that the visibility of breaches will increase, said Rogoyski. “This will drive public concern over the safety of online systems and whether a company can be trusted with sensitive information by users.”
In the US, this kind of visibility has led to a huge increase in litigation associated with large breaches which, in turn, has stimulated the growth of the cyber-insurance industry. “The cyber insurance market is already worth over $1 billion and is expected to grow at double-digit rates over the next 2-3 years. Again, this will drive organisations to invest in better cyber security,” he said.
Rogoyski added that the Directive comes along at the same time as the General Data Protection Regulation (GDPR), which aims to harmonise data protection law across Europe. “With penalties of up to five percent of global turnover being mooted, the GDPR is to be taken very seriously indeed. Combined with the Directive, there will be enormous pressure on companies and organisations to improve their cyber-security.”
The Directive has only been provisionally agreed and has yet to be formally approved by the European Parliament's Internal Market Committee and Council of Permanent Representatives.