BreachExchange mailing list archives

EU-wide IT security breach notification laws agreed in Brussels


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Dec 2015 19:16:45 -0700

http://www.computing.co.uk/ctg/news/2438307/eu-wide-it-security-breach-notification-laws-agreed-in-brussels

A new EU-wide cyber-security law has been agreed following negotiations
between the European Commission and the EU Parliament.

The centrepiece of the new law will be an obligation on organisations to
report cyber security breaches almost as soon as they are discovered - or
risk swingeing fines and, potentially, other sanctions.

The new law will be known as the Network and Information Security
Directive, and may take years to fully implement. Unlike the forthcoming
Data Protection Regulation, the Directive will require translation into EU
member states' own laws - the Regulation, in contrast, bypasses national
government scrutiny, approval and, invariably, interpretation.

The European Commission's digital commissioner, Andrus Ansip, claimed that
the EU ought to take a lead on cyber security matters as the internet, and
computer security, is no longer constrained by national boundaries.

"The Internet knows no border - a problem in one country can have a
knock-on effect in the rest of Europe. This is why we need EU-wide
cyber-security solutions. This agreement is an important step in this
direction," he said.

The new law will stipulate the cyber security breach reporting obligations
for companies in critical sectors, which include energy, health, finance
and transport. Organisations operating outside stated critical areas will
be subject to less stringent obligations. Member states will be required to
identify their own "operators of essential services", although small
companies will be exempted.

A strategic group in the EU will be established to improve sharing of
threats and information - presumably via the offices of national computer
emergency response teams, such as CERT-UK.

"Parliament has pushed hard for a harmonised identification of critical
operators in energy, transport, health or banking fields, which will have
to fulfil security measures and notify significant cyber incidents. Member
states will have to cooperate more on cybersecurity - which is even more
important in light of the current security situation in Europe," said
Parliament's rapporteur Andreas Schwab MEP in a statement.

The governance of the new law at a national level will come under a
regulatory authority, such as the Information Commissioner's Office (ICO)
in the UK.

The new directive has been the subject of haggling between various parties
for several years. However, industry is reluctantly accepting the need for
mandatory breach notification as the number and scale of IT security
breaches have grown in recent years.