Legal practiceEU member states and lawmakers have clinched a deal to prevent cyber attacks by requiring Internet firms like eBay, Amazon and Google to boost their defences and report breaches, officials said Tuesday.
Advertisement
Known as the Network and Information Security Directive, it sets out security and reporting obligations for firms in critical sectors such as transport, energy, health and finance, with an onus on all Internet-based firms to take more responsibility.
The deal was finally worked out after hours of negotiations between the European Parliament and member states. Meanwhile, digital platforms such as search engines, e-commerce sites and cloud computing providers, will be subject to less stringent obligations.
“Today, a milestone has been achieved: we have agreed on first ever EU-wide cyber-security rules, which the [European] parliament has advocated for years”, said the European parliament’s rapporteur Andreas Schwab.
“Member states will have to cooperate more on cyber security – which is even more important in light of the current security situation in Europe”, said Schwab.
Energy, transport, banking, financial market, health and water supply companies will also have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks.
“Trust and security are the very foundations of a Digital Single Market”, said Andrus Ansip, European Commission VP for the Digital Single Market. “Improving cooperation and information exchange between Member States is a key element of the agreed rules and will help us tackle the increasing number of cyber-attacks”.
After that it will be published in the EU Official Journal and will officially enter into European law.
However, it will be the member states’ responsibility to identify the operators of essential services from the targeted sectors, based on whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety.
Advertisement
“Organisations will need to be able to demonstrate that they have taken “appropriate security measures”, he added.
