EU-wide IT security breach notification laws agreed in Brussels

IT security industry about to go into overdrive as mandatory breach notification laws are agreed

A new EU-wide cyber-security law has been agreed following negotiations between the European Commission and the EU Parliament.

The centrepiece of the new law will be an obligation on organisations to report significant cyber security incidents promptly after they are discovered, or risk swingeing fines and, potentially, other sanctions.

The new law will be known as the Network and Information Security Directive, and may take years to fully implement. Unlike the forthcoming General Data Protection Regulation, the Directive will have to be transposed into each EU member state's own law; a Regulation, in contrast, applies directly across the EU, bypassing national government scrutiny, approval and, invariably, divergent interpretation.

The European Commission's digital commissioner, Andrus Ansip, argued that the EU ought to take the lead on cyber security matters because the internet, and computer security with it, is no longer constrained by national boundaries.

"The Internet knows no border - a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cyber-security solutions. This agreement is an important step in this direction," he said.

The new law will set out cyber security incident reporting obligations for companies in critical sectors, including energy, health, finance and transport. Organisations operating outside the designated critical sectors will face less stringent obligations. Each member state will be required to identify its own "operators of essential services", although small companies will be exempted.

A strategic group at EU level will be established to improve the sharing of threat intelligence and other information, presumably working through national computer emergency response teams such as CERT-UK.

"Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents. Member states will have to cooperate more on cybersecurity - which is even more important in light of the current security situation in Europe," said Parliament's rapporteur Andreas Schwab MEP in a statement.

At national level, enforcement of the new law will fall to a designated regulatory authority, such as the Information Commissioner's Office (ICO) in the UK.

The new directive has been the subject of haggling between various parties for several years. However, industry is reluctantly accepting the need for mandatory breach notification as the number and scale of IT security breaches have grown in recent years.