Technology firms and those in charge of critical IT services will in future be legally mandated to report successful cyber-attacks under new rules being put forward by the European Parliament.
The new rules are also set to establish effective minimum standards of cyber security for utility firms and financial institutions.
If the proposed new rules are passed into law, it will in effect be the first time that the European Parliament has created a single, unified set of laws on cyber security. At present there is no single approach in Europe to dealing with data hacks, whether intentional or the result of human error.
The intended laws have been agreed upon by MEPs and individual government ministers from across the whole gamut of the EU’s 28 member states.
“The Internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cybersecurity solutions. This agreement is an important step in this direction,” European Commission Vice President Andrus Ansip said.
The Network and Information Security directive is an attempt to unify Europe’s response to the ever-increasing threat of hackers. While the directive is primarily aimed at essential state infrastructure such as power stations and airports, it will also apply to some technology firms, such as Google and Amazon, which will have to report serious breaches or face penalties if they fail to disclose vital information.
ENISA (European Agency for Network and Information Security) has estimated that hackers and cyber breaches account for between €260 billion and €340 billion of revenue loss across Europe each year.
Under the new EU directive, member states will have to work more closely together on improving cyber security and dealing with hacks, while being forced to openly exchange information regarding cyber breaches. Member states will also be called upon to assist one another in ensuring that critical state infrastructure is as protected as possible.
German MEP Andreas Schwab said of the deal that:
‘A milestone has been achieved: we have agreed on the first ever EU-wide cybersecurity rules, which the Parliament has advocated for years.’
That said, it will still be some time before the new proposals become EU-wide law. The Network and Information Security directive will have to be approved by the national governments that comprise the EU, and also gain approval from the European Parliament.
After that, EU countries will have around two years to put the new measures in place.