Out-Law News

MEP wants trigger for reporting cyber attacks to be changed

Banks, energy companies and businesses involved in the operation of telecommunications networks would have to tell regulators about more cyber security incidents and threats they face under plans outlined by an MEP.

According to a list of amendments (54-page / 354KB PDF) proposed to the European Commission's draft Network and Information Security (NIS) Directive, a Hungarian MEP wants the threshold for notifying regulators to be lowered from what the Commission has proposed.

Under the Commission's draft NIS Directive, public administrators and 'market operators', including banks, energy companies and telecoms firms, would be required to notify designated regulators of "significant" cyber security incidents that they experience.

However, one Hungarian MEP, Ágnes Hankiss, has said organisations subject to the regime should have to report to regulators "both incident and threat information having impact on the security of the core services they provide".

Hankiss also proposed an amendment defining what 'threat information' would mean under the Directive. The term should mean "information that describes an attack that results in an incident or an attempt to cause an incident and includes cyberattack signatures", she said.

Under the original Commission proposals, 'threat information' is not defined, but 'incident' refers to "any circumstance or event having an actual adverse effect on security".

Hankiss' proposals were contained in a document published by the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee. Early last month the committee's rapporteur on the NIS Directive plans, Swedish MEP Carl Schlyter, published a draft opinion in which he recommended that new requirements be placed on software producers to fix faults with the systems that suffer security breaches.

"Software producers shall be responsible for correcting security breaches, within 24 hours of being informed for serious cases, and 72 hours for cases where the effects are unlikely to result in any significant financial loss or serious breach of privacy," draft new rules proposed by Schlyter said. "Commercial software producers shall not be protected from 'no-liability' clauses when it can be demonstrated that their products are not properly designed to handle foreseeable security threats."

However, in this most recent document containing all the proposed amendments from the LIBE Committee to the Commission's draft, Schlyter outlined changes to the 'no-liability' clause rules he had previously set out.

Under his updated proposals, commercial software producers would only be held responsible for cases of "gross negligence regarding safety and security". This would be regardless of whether they have "non liability clauses" in their contracts.

Schlyter sought to justify his proposals by stating that a culture change was needed within the software community to improve the security of products.

"In the license agreement, commercial software producers absolve themselves from all liability that may arise due to a poor security mind-set and inferior programming," Schlyter said. "To promote the software producers to invest in security measures, a different culture is required. It can only be realised if the software producers are held responsible for any shortcomings in security."

MEPs and EU Ministers both have to agree on final wording of the NIS Directive before it can take effect.
