EU adopts first cybersecurity rules, ups reporting requirements
The European Parliament has passed its first ever body of cybersecurity rules, which will require providers of services across multiple sectors and digital realms – including Google and Amazon – to address security measures more closely and enhance their reporting on any breaches. The new rules, dubbed the Directive on Security of Network and Information Systems, were adopted on 6 July. “Without trust and security, there can be no Digital Single Market. Europe has to be ready to tackle cyber-threats that are increasingly sophisticated and do not recognise borders,” commented EC VP responsible for the Digital Single Market Andrus Ansip, who steered the regulation through its assembly.
“We are proposing concrete measures to strengthen Europe’s resilience against such attacks and secure the capacity needed for building and expanding our digital economy.” Under the Directive, operators of essential services will have to “take appropriate security measures” – both technical and organisational – that are “proportionate to the risk.”
The measures include security systems and facilities, incident handling, business continuity, monitoring, auditing and testing, as well as compliance with international standards. “The measures should prevent and minimise the impact of incidents on the IT systems used to provide the services,” the EC said, adding that service providers must notify “serious incidents to the relevant national security.” Exactly what constitutes a “serious” incident will be defined by the relevant authorities in each member state on the basis of the number of affected users, the duration and footprint of the incident, and the service and economic impact. For providers of digital services, the types of services covered by the Directive include online marketplaces, cloud computing services and search engines.
As part of the Directive, the Commission set out a tentative schedule for bringing the Directive’s mandates online. A year from now, the Directive expects digital service providers to formally adopt security and notification requirements, with those requirements becoming “national law” by May 2018.
The Directive also calls for closer collaboration between EU Member States to “tackle the fragmentation” of the market. According to the Commission, current regulation requires service providers to seek approval and certification in each EU market, hampering the availability and development of security services.
“The Commission will therefore look into a possible European certification framework for ICT security products,” the Commission said. “A myriad of innovative European SMEs have emerged in niche markets (e.g. cryptography) and in well-established markets with new business models (e.g. antivirus software), but they are often unable to scale up their operations.
The Commission wants to ease access to finance for smaller businesses working in the field of cybersecurity and will explore different options under the EU investment plan.” To support the Commission’s cybersecurity framework, the Directive advocates the establishment of national strategies on the security of network and information systems for each member state, including clear objectives, a risk assessment and a list of the actors involved in implementing the strategy.
Each member state should also set up one or more computer security incident response teams to monitor cybersecurity-related activities. Finally, the Directive calls on member states to set up a “cooperation group” to collaborate in their fight against cybersecurity threats, and to harmonise cybersecurity prevention and response strategies. “The Directive on Security of Network and Information Systems is the first comprehensive piece of EU legislation on cybersecurity and a fundamental building block for our work in this area,” Ansip said. “The rules adopted today… create the right conditions for people and businesses to use digital tools, networks and services in the EU with confidence.”
(This article first appeared on www.commsday.com)