The Commission has published a draft Network and Information Security (NIS) Directive (48-page / 219KB PDF) under which banks, energy companies, platforms for online trade and cloud computing providers would be responsible for informing regulators of "significant" cyber security incidents that they experience. The Commission also published a cyber security strategy (20-page / 128KB PDF).
The businesses required to adhere to the proposed Directive could potentially face sanctions for not having in place sufficiently secure systems and for failures to notify regulators of significant cyber breach cases affecting them.
Under the Commission's proposals, not all breaches reported to the regulators would necessarily be conveyed to the public, but regulators would be required to determine on a case-by-case basis whether it was in the public interest to inform them. The regulators would be obliged to share information with one another on cyber security risks in accordance with the proposed framework.
The Commission is seeking to expand the existing security breach notification regime that operates in the telecoms sector.
"The current situation in the EU, reflecting the purely voluntary approach followed so far, does not provide sufficient protection against NIS incidents and risks across the EU," the preamble to the Directive said. "Existing NIS capabilities and mechanisms are simply insufficient to keep pace with the fast-changing landscape of threats and to ensure a common high level of protection in all the Member States."
Under the European Commission's proposals, "public administrations and market operators" will be required to put in place "appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations". The measures would have to be "appropriate" to address the particular security risks the individual organisations face.
In the event of a cyber security breach that has a "significant impact on the security of the core services they provide", the public administrations and market operators would have to notify designated regulators within EU member states of the incident.
The term 'market operators' refers to a range of businesses, including e-commerce platforms, online payment "gateways", social networks, search engines and cloud providers. It also encompasses energy suppliers, transport infrastructure bodies, banks and health care bodies, among others.
The rules would apply to market operators based outside of the EU but which operate within the trading bloc, and would also apply to them regardless of whether they outsource responsibility for IT security to third party providers. The national regulators would be responsible for determining whether it is in the public interest to inform the public of the notified incidents.
Under the proposed new regime, member states would have the power to provide for "effective, proportionate and dissuasive" sanctions to be levied against organisations that failed to comply with the security and notification rules.
The designated regulators across the EU would be required to cooperate by providing "early warnings" to one another on major cyber security risks. The bodies would have to ensure that "sensitive and confidential information" that they share is exchanged via "secure infrastructure", and they would be obliged to liaise closely with authorities responsible for overseeing compliance with data protection rules when breaches concern the loss of personal data.
Insurance data risks and cyber liability specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that the proposed new regime could herald a significant increase in the uptake of data risks and cyber liability insurance products.
"There will be a tipping point where suddenly the popularity and frequency of buying these insurance products will increase," Birdsey said. "At the moment there is a certain feeling in the market that companies are waiting for one another to buy these products because there are currently no data breach notification requirements on them, meaning incidents often go unreported. Businesses therefore consider themselves less exposed to financial and reputational risks as a result."
"If the Commission's proposals are introduced there will be greater intelligence available on the scale of cyber security breaches that are occurring in the private sector and this could trigger a wider recognition among businesses of the risks they face. It could prompt them to seek to transfer some of that risk off their balance sheets," he added.
"In cases, under the proposed new regime, where regulators determine that it is in the public interest to notify individuals about breaches, businesses could find that they face additional costs not merely associated with any financial losses or reputation harm suffered as a result of the breach," Birdsey said. "Businesses may find that they face pressure to put in place credit monitoring services to record and protect consumers whose data may be affected. This may present significant costs to firms and could prompt them to seek insurance products that account for the costs associated with such financial risks."