Brussels, 23 July 2012
Digital Agenda – Commission consults on a future EU Network and Information Security legislative initiative
The European Commission is seeking the views of governments, businesses and citizens about their experiences of, and possible EU responses to, cyber incidents which cause disruption to essential Network and Information Systems (NIS), including the internet.
The Commission has launched this consultation to help it prepare a legislative proposal on network and information security, which will be an important element of the upcoming EU strategy on Cyber security. Feedback received will help the Commission draw up an approach to possible future risk management and security breach reporting requirements that would affect businesses in particular. The consultation runs until 12 October 2012.
Cyber incidents are becoming more frequent. In 2011, web-based attacks increased by 36% over one year, and between 2007 and 2010 the share of companies reporting security incidents with a financial impact rose five-fold (from 5% to 20%). And the risk is growing. In the next decade there is a 10% risk of a major Critical Information Infrastructure incident causing more than $250 billion in economic damage, according to the World Economic Forum.
Cyber incidents can be triggered by accidental causes such as natural events, human error or technical failure, or by more sinister ones such as malicious attacks, economic espionage, terrorism and state-sponsored activity. They can also have serious consequences for society and the economy when they affect critical sectors such as finance, health, energy and transport, and they erode public trust in online activity in general.
This is also a global challenge, since many cyber incidents and attacks originate outside the EU. Later this year the European Commission and the EU High Representative for Foreign Affairs and Security Policy will present a joint Strategy on cyber security. The overarching aim of the Strategy is to ensure a secure and trustworthy digital environment where EU fundamental rights and core values are promoted and protected.
As far as Network and Information Systems are concerned, the aim would be to enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber-security culture in the EU.
The Commission is considering the introduction of a requirement to adopt risk management practices and to report security breaches affecting networks and information systems that are critical to the provision of key economic and societal services (e.g. finance, energy, transport and health) and to the functioning of the Internet (e.g. e-commerce, social networking). The only sector where companies are currently required under EU law to adopt risk management practices and to report security incidents is the electronic communications sector (telecoms operators and Internet Service Providers), under Articles 13a and 13b of Directive 2002/21.
The link for the public consultation: