18th Mar 2018

Companies must report cyber attacks, EU says

  • "There is no true freedom without security," said EU digital agenda commissioner Neelie Kroes. (Photo: European Commission)

Large EU-based companies will have to disclose major cyber-attacks to designated national authorities, under new legislative rules proposed by the European Commission on Thursday (7 February).

“Under our proposal, sectors using telecoms networks in ways vital to our economy and society would have to manage risks and report significant incidents,” EU digital agenda commissioner Neelie Kroes told reporters in Brussels.


Speaking alongside EU commissioner for home affairs Cecilia Malmstrom and EU foreign policy chief Catherine Ashton, Kroes said companies dealing with energy, transport, banking, healthcare and the Internet fall under the directive.

The scope reaches just over 40,000 firms in the EU. Hardware manufacturers and software developers are exempt.

Member states will need to come up with plans to better manage risks. They will also need to create a so-called cooperation network to pool and share knowledge with other member states and the commission.

The directive also calls for Computer Emergency Response Teams (Certs) to handle incidents.

A chief authority will need to be appointed to prevent, handle and respond to risks and incidents. He or she would be the go-to point for companies required to report serious breaches and can decide whether to make them public or keep them secret.

The ideas have already attracted critics.

For one, German Green euro-deputy Jan-Philip Albrecht told this website in an email that making IT firms report only major incidents means they would not have to reveal other known vulnerabilities and risks.

“This leads to action only after the damage has already been done ... it also falls back behind the ‘responsible disclosure’ practices about vulnerabilities that are already established in the IT security industry today,” he said.

But the commission hopes the directive will help reverse a growing reluctance, in its view, among people to make purchases off the Internet or use online services like banking.

Few companies publicly report cyber attacks, for fear of damaging their reputation and losing clients. Each attack costs anywhere between several thousand and several million euros in damage.

Over 90 percent of large corporations had their systems hacked in 2012, though the figure drops to 76 percent for small businesses, says the commission.

In one case, Dutch certificate authority DigiNotar went bust in 2011 after failing to disclose that hackers had stolen valuable data. The cyber invaders took digital certificates and circulated them online for widespread fraudulent use.

Larger companies like Amazon are also victims.

Last year, one of the online giant’s retailers had its database breached with hackers accessing the personal details of some 24 million customers. More recently, on 31 January 2013, Amazon’s homepage was briefly taken offline.

The origins of the attacks are rarely made public, though former Google CEO Eric Schmidt points the finger squarely east at China in a book that comes out in April.

A preview from the Wall Street Journal published on 1 February quotes the book as saying China is “the most sophisticated and prolific” hacker of foreign-based companies.

Ashton, who presented an EU cyber security strategy alongside the commission’s draft proposals, refused to respond to a reporter’s question on whether China was indeed a major culprit.

“I’m not going to comment on what intelligence operations across the European Union are discovering about the origin of cyber attacks...suffice it to say, in my discussions across the world, cyber security is increasingly becoming part of the dialogue of our discussion,” she said.
