Companies must report cyber attacks, EU says

"There is no true freedom without security," said EU digital agenda commissioner Neelie Kroes. (Photo: European Commission)

Large EU-based companies will have to disclose major cyber-attacks to designated national authorities, under new legislative rules proposed by the European Commission on Thursday (7 February).

“Under our proposal, sectors using telecoms networks in ways vital to our economy and society would have to manage risks and report significant incidents,” EU digital agenda commissioner Neelie Kroes told reporters in Brussels.


Speaking alongside EU commissioner for home affairs Cecilia Malmstrom and EU foreign policy chief Catherine Ashton, Kroes said companies dealing with energy, transport, banking, healthcare and Internet fall under the directive.

The scope reaches just over 40,000 firms in the EU. Hardware manufacturers and software developers are exempt.

Member states will need to come up with plans to better manage risks. They will also need to create a so-called cooperation network to pool and share knowledge with other member states and the commission.

The directive also calls for Computer Emergency Response Teams (Certs) to handle incidents.

A chief authority will need to be appointed to prevent, handle and respond to risks and incidents. He or she would be the go-to point for companies required to report serious breaches and could decide whether to make a breach public or keep it secret.

The ideas have already attracted critics.

For one, German Green euro-deputy Jan-Philip Albrecht told this website in an email that making IT firms report only major incidents means they would not have to reveal other known vulnerabilities and risks.

“This leads to action only after the damage has already been done ... it also falls back behind the ‘responsible disclosure’ practices about vulnerabilities that are already established in the IT security industry today,” he said.

But the commission hopes the directive will help reverse what it sees as a growing reluctance among people to make purchases online or use online services such as banking.

Few companies publicly report cyber attacks, for fear of damaging their reputation and losing clients. Each attack causes anywhere between several thousand and several million euros in damage.

Over 90 percent of large corporations had their systems hacked in 2012, though the figure drops to 76 percent for small businesses, says the commission.

In one case, Dutch certificate authority DigiNotar went bust in 2011 after failing to disclose that hackers had stolen valuable data. The cyber invaders took digital certificates and circulated them online for widespread fraudulent use.

Larger companies like Amazon are also victims.

Last year, one of the online giant’s retailers had its database breached with hackers accessing the personal details of some 24 million customers. More recently, on 31 January 2013, Amazon’s homepage was briefly taken offline.

The origins of the attacks are rarely made public, though former Google CEO Eric Schmidt points the finger squarely east at China in a book that comes out in April.

A preview from the Wall Street Journal published on 1 February quotes the book as saying China is “the most sophisticated and prolific” hacker of foreign-based companies.

Ashton, who presented an EU cyber security strategy alongside the commission's draft proposals, refused to respond to a reporter's question on whether China was indeed a major culprit.

“I’m not going to comment on what intelligence operations across the European Union are discovering about the origin of cyber attacks ... suffice it to say, in my discussions across the world, cyber security is increasingly becoming part of the dialogue of our discussion,” she said.
