A draft proposal for the Cyber Security Strategy of the European Union, circulating ahead of official publication, would require public and private organizations to disclose cyber attacks, regardless of whether PII was exposed.
According to the Financial Times, which broke the story on Friday, the EU is seeking to ensure that tech companies and critical infrastructure implement high security standards.
In an interview with the Financial Times, Neelie Kroes said the directive was raising the game. “We are creating incentives for private companies to improve their track records in network security, and helping national governments to use the learning from this to improve overall national capabilities.”
The draft proposal is designed to help the EU address systemic attacks against internet-centric infrastructure, FT reported, because countries in the EU have fallen behind the US and other economies when it comes to protecting users online from attack. Unlike other proposals where notification is required in the event that personal data is compromised, this new proposal covers any significant security event, from DDoS attacks and network breaches to fraud and natural disasters.
The problem is that requiring organizations to report means they first have to know they’ve been attacked. Many organizations never know there has been a breach, and often those who discover one do so long after it’s happened. Purchasing logging and other defensive technologies can help with compliance, but that assumes that they’re implemented properly and monitored – again something that doesn’t always happen. On top of this is the process of reporting, and the additional costs that organizations will incur in order to comply.
The proposal is expected to be released to the public later this month. Additional coverage from TechWeek Europe, after viewing the document in full, can be viewed here.
