The laws will force organisations to defend against certain attacks under legislative proposals likely to be detailed before the end of this year. The European Data Protection Supervisor (EDPS), which advises EU institutions on privacy issues, said (6-page / 61KB PDF) that the Commission should clarify exactly what will be covered by new laws.
The EDPS said that it was regrettable that EU law has, "notwithstanding the existence of widely recognised technical standards", yet to set out the scope of cyber incidents or threats "in the context of NIS". The European Commission has held a public consultation in a bid to improving NIS (network and information security) in the EU, but the EDPS said that the key terms the subject of the consultation should be defined.
Clear definitions of what is meant by 'cyber security' and 'cyber threats' would help organisations better understand the kind of cyber incidents they could be forced to report under new EU laws.
The Commission recently said that it intends to "present a comprehensive strategy on cyber security" before the end of the year. The proposals will contain draft legislation with the aim of improving "network and information security across the EU" and will "provide for a cooperation mechanism amongst the Member States and introduce security requirements for the private sector".
In July the European Commission launched a consultation on the issue, seeking the views of Governments, businesses and others in a bid to help it form its legislative plans. At the time it said that businesses could be required to report when their "essential" systems have been disrupted due to "cyber incidents". At the time the Commission said its aim is to "enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber-security culture in the EU." The consultation closed on 15 October.
The EDPS said that a "clear distinction" should be drawn between what constitutes "accidental events, which are incidents that have occurred on a network or an information system, and malicious actions, which could have a connection with cybercrime" in the Commission's forthcoming strategy. The watchdog also noted that there is also no singularly recognised definition of what constitutes 'cybercrime' and therefore stressed the need for the Commission to clearly define the scope of its strategy before publishing it.
"There is therefore a need to provide for a clear definition of the types of incidents or threats that any future policy action aims at addressing in the context of NIS," the EDPS said. "It should furthermore be clarified that the actions foreseen in the context of NIS do not include content-related cybercrime offences."
EDPS also said that the new strategy should require that companies use "privacy-enhancing technologies and other 'best available techniques' (BATs) in all network and information systems deployed on the internet".
"The use of PETs can help design information and communication systems and services in a way that minimises the collection and use of personal data and facilitate compliance with data protection rules," the EDPS said. "Some examples of PETs could be the automatic anonymisation of data after a certain lapse of time, enhancing encryption tools or installing cookie-cutters."
"As for the practical implementation of BATs in the field of security, it refers to the most effective and advanced stage in the development of processes, facilities and their methods of operation for minimising the impact on privacy and strengthening personal data protection," the watchdog added.
The Commission is seeking to expand the existing security breach notification regime that operates in the telecoms sector.
Currently telecoms operators and internet service providers are required, under the EU's Privacy and Electronic Communications Directive, to "take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services" and take measures to "prevent and minimise the impact of security incidents on users and interconnected networks." The Directive requires that the network or service providers notify national regulators of any "breach of security or loss of integrity that has had a significant impact on the operation of networks or service".
Regulators can share details of the incidents with regulators in other EU member states and can require that the public is also notified of breaches if it is in the public interest for the notification to be made, under the terms of the Directive.