EU proposes new law for reporting cyber hacking

7 February 2013
By Sofia Mitra-Thakur
Mobile version
Share |
Firms will have to report cyber attacks if the proposals are approved

Firms will have to report cyber attacks if the proposals are approved

Around 42,000 firms in the European Union, including airports, banks and hospitals, would have to inform regulators whenever their computers are hacked, under a proposed EU law to be published this week.

The law could set a global precedent for safeguarding critical infrastructure against digital attacks that have hit companies and government departments in an era of increasing "cyber-crime" and "cyber-terrorism".

But some businesses worry they face extra costs.

Under the draft law, EU member states would have to draw up a monitoring system for companies that are critical to the economy.

Those firms would then have to report major online attacks to national authorities and reveal security breaches.

Almost 15,000 transport companies, 8,000 banks, 4,000 energy firms, and 15,000 hospitals will have to report cyber attacks if the proposals are approved by EU governments and the European Parliament.

Public administrations and operators of critical Internet services would also have to report.

Firms with fewer than 10 employees would not be covered by the legislation.

"As the online world becomes a part of everything we do, securing that world is essential to ensuring a society that remains secure, prosperous and free," EU telecoms chief Neelie Kroes said in a speech last week.

Inefficient measures on cyber security carry an economic cost in lost trade, an EU poll showed. 

In 2012, 38 per cent of the EU's Internet users said they were concerned about making payments online.

The proposed law would require all 27 EU states to appoint a national authority responsible for network and information security and to set up a computer emergency response team to handle security incidents.

Some firms say the regulations are too vague and could mean extra costs.

They also worry that being forced to divulge attacks on their networks to a regulator could be bad for their reputations.

In deciding whether to make a cyber attack public, the national authority would have to weigh the public interest in knowing about the incident against possible reputation damage.

The proposed legislation leaves it up to national authorities to decide whether companies would face any penalty for failing to report a cyber-attack.

"It is not about the criminalisation of attacks," one EU official said.

Share |

Latest Issue

E&T cover image 1408

"What the Scottish independence referenda could mean for engineers and engineering on both sides of the border"

E&T jobs

E&T Marketplace

The essential source of engineering products and suppliers.

E&T podcast

Tune into our latest podcast

iTunes logo

Subscribe

Choose the way you would like to access the latest news and developments in your field.

Subscribe to E&T