European legislators have agreed on a new cyber-security law that will require critical infrastructure operators, as well as internet service providers, to report breaches.
The new Network and Information Security Directive, which will now have to be approved by the European Parliament and the Council of Europe, will establish continent-wide rules for reporting cyber-attacks.
“If we want people and businesses to use and make the most of connected digital services, they need to trust them to be secure in the case of attack or failure,” said Andrus Ansip, European Commission Vice-President for the Digital Single Market.
“The internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cyber-security solutions. Last night's agreement is an important step in this direction.”
Electricity, oil and gas suppliers will be covered by the directive, as well as transport infrastructure operators and companies including airlines and railways. Healthcare providers and financial institutions will also be obliged to report cyber-attacks under the directive, as will internet service providers including search engines and online retailers. Companies which fail to report incidents to their respective national authorities will face sanctions. Social networks such as Facebook and Twitter are excluded from the directive.
After approval, EU member states will have 21 months to implement the directive into their national laws and a further six months to identify critical infrastructure and service operators.
“The agreement constitutes a major step in improving the resilience of our network and information systems in Europe, one of the objectives of the EU cyber-security strategy and a cornerstone of our efforts towards creating a Digital Single Market,” said Günther H. Oettinger, Commissioner for the Digital Economy and Society.
“Improving cooperation and information exchange between member states is a key element of the agreed rules and will help us tackle the increasing number of cyber-attacks.”
The Commission plans to launch a public-private partnership on cyber-security in 2016.