A draft EU network and information security directive should focus on Europe’s critical networks and infrastructure, including transport, energy and banking, in order to overcome uneven preparedness across the 28 member states of the European Union.
That is the argument of Thomas Boue, director of government affairs in Europe for technology industry lobbying group, Business Software Alliance/The Software Alliance. “To build a foundation for cyber protections in Europe we need to start with Europe’s most critical infrastructure, ensuring from the outset that EU laws are helping to secure that which needs protecting the most,” claimed Boue.
He added that the directive “should build on the regulatory infrastructures already in place that support critical systems and infrastructure”.
“Keeping the directive’s reporting requirements focused on critical infrastructure and excluding information society services would eliminate conflicts or redundancies in process,” Boue said.
The European Commission published a draft directive in February 2013 aimed at banks, energy companies and other major organisations that operate critical infrastructure. It would mandate them to ensure that their infrastructure maintains sufficient security at all times. The proposed directive would also require them to notify their regulators of any “significant” cyber security incidents.
However, the regulator would not be under any obligation to demand that the organisation publicly disclose the breach – that would be determined on a case-by-case basis, based on the supposed public interest. Regulators, though, would be obliged to share cyber security information between themselves.