“The European Commission will propose by the end of the third quarter of 2012 a new obligation for security breach notifications for the energy, transport, banking and financial sectors,” said an official working at the Commission's digital agenda department.
The official said that companies have an interest in beefing up their protection against cyber attacks, but that they were not doing enough to defend their infrastructure.
“When they suffer a security breach, they usually do not report it,” the official explained, saying the Commission was looking at ways of obliging companies to report such breaches.
“The obligation to report would worsen the reputational damage suffered by companies which undergo security breaches. This should lead them to invest more in security to lower their vulnerability,” the official said.
Following the ICT model
A second official, from the Commission directorate in charge of Justice and Home Affairs, confirmed plans to extend security breach notifications to new industries, other than telecommunication companies and internet firms which in Europe are already subject to reporting obligations.
The EU directive on e-Privacy states that “in case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk.”
This e-Privacy directive is currently the reference on cyber security, but it is likely to be soon complemented by more stringent rules. At the beginning of the year, the European Commission pushed forward a new legislative proposal to impose reporting obligations on data breaches for ICT firms, on top of the current security breaches.
Viviane Reding, the EU Justice Commissioner who is also in charge of privacy issues, proposed in January a 24-hour reporting obligation for telecoms and Internet companies when they suffer data losses.
Involving the private sector in the pursuit of stronger cyber security is necessary as it owns 90% of critical infrastructure in the EU, according to Europol, the EU law enforcement agency.
National and European institutions will also have to increase their cooperation to fight cyber crime. The Commission has recently proposed the establishment of a European cyber crime centre which is expected to become operational in January 2013.
But cooperation among the myriad of security agencies in the continent is far from guaranteed. “There is enough crime that we do not have to compete for it,” said Troels Ørting of Europol, the designated director of the European cyber crime centre.