Knives out for new EU rules forcing govts to reveal hacker attacks

Talks began on a new computer security law for Europe on Tuesday night.

National ministers, the European Commission and MEPs got together for the first time in an attempt to nail down the wording in the proposed Network and Information Security (NIS) Directive.

When it was proposed by the commission early last year, the draft law included rules for so-called "enablers of information society services" such as Google, Amazon, eBay and Skype. However, the European Parliament removed that bit, and the draft law now covers only companies that own, operate or provide technology for critical infrastructure.

Those companies will be required to report any security breach that "significantly affects the continuity of critical services and supply of goods" to a national authority, whether data had been compromised or not. But it now looks as though national governments will water down the wording even further – particularly the bits about requiring national watchdogs to share information about security incidents or breaches with officials in other EU countries.

Speaking before the talks began on Tuesday, Pilar del Castillo, the Spanish MEP charged with overseeing the discussion, said that for various reasons national ministers are wary of sharing information.

“Some because they are too big, some are too small. Some have very strong, developed security systems, others have underdeveloped systems, but whatever reason, there is reluctance in this area,” she said, adding that there was a need to EU countries to work together in the area of computer security.

As it stands, the proposed law would require countries to adopt a national strategy that includes setting up a competent authority for overseeing information security, and installing a computer emergency response team (CERT) that is responsible for handling incidents and risks. These CERTs would be expected to work together to “exchange information between authorities, provide early warnings on information security issues and agree on a co-ordinated response in accordance with an EU NIS co-operation plan”, according to the European Commission.

“Market operators” would also be required to notify the authorities about any cybersecurity incidents, however although it is broadly agreed that critical infrastructure must be included, there is a lot of argument about what should constitute a “market operator”.

According to the commission, 93 percent of large corporations experienced a cyber attack in 2012. Yet nearly three quarters of respondents to an online consultation said a requirement to report cyber incidents would not incur any additional costs. ®