European negotiators have reached an agreement on the draft text for the Network and Information Security (NIS) directive, the first EU-wide cyber security rules.
Online marketplaces like eBay and Amazon, search engines like Google and cloud service providers will have to ensure they are secure and report serious breaches, under the rules agreed between internal market MEPs and the European Council of Ministers.
However, micro and small digital companies will get an exemption, and so will social networks like Facebook, according to Reuters.
Energy, transport, banking, financial market, health and water supply companies will also have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks.
These companies must also be ready to report serious security breaches to public authorities.
“Today, a milestone has been achieved: we have agreed on first ever EU-wide cyber-security rules, which the [European] parliament has advocated for years”, said the European parliament’s rapporteur Andreas Schwab.
“Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents.
“Member states will have to cooperate more on cyber security – which is even more important in light of the current security situation in Europe,” said Schwab.
To ensure a high level of security across the EU and to develop trust and confidence among member states, the draft rules also set up a strategic co-operation group to exchange information and best practices, draw up guidelines, and assist member states in cyber security capacity building.
In addition, a network of Computer Security Incident Response Teams (CSIRTs), one set up by each member state to handle incidents, will have to be established to discuss cross-border security incidents and identify coordinated responses.
The provisionally-agreed text still needs to be formally approved by parliament’s internal market committee and the council committee of permanent representatives.
The NIS directive seeks to address the lack of a common approach to cyber security and incident reporting across Europe, even though, according to the EU cyber security agency Enisa, security incidents affecting information systems, essential networks and services currently cause annual losses of €260bn-€340bn.
The new rules are aimed at increasing preparedness to handle such incidents and at improving collaboration among member states, as well as between the public and private sectors.
The mandatory breach notification requirements of the overhauled European data laws are likely to have the biggest impact on UK and other European businesses, according to Ross McKean, partner at law firm Olswang.
“Currently there is no general data breach notification requirement in the UK, and most firms choose not to go public if they can avoid it, to avoid taking a hit on their reputation,” he told Context Information Security’s Oasis symposium in London.
But the EU’s General Data Protection Regulation (GDPR) and NIS Directive will change that, said McKean, making notification of most data breaches involving personal information mandatory.
This will mean most UK and other European firms will have to change their approach to data breaches, he said, and ensure they have processes to comply with the rules.
Once in force, the NIS directive will require the companies it covers to demonstrate the effective use of security policies and measures, said Alex Cravero, commercial technology associate at Kemp Little.
“Failing to do so is likely to result in reputational damage, loss of customers and potentially also breach of the GDPR, leading to more severe enforcement actions,” he told attendees of a seminar on cyber attacks in London.