
Draft EU Bill Would Require Breach Notifications

A draft proposal for the Cyber Security Strategy of the European Union has been circulating ahead of official publication. It would require public and private organizations to disclose cyber attacks, regardless of whether PII was exposed.

According to the Financial Times, which broke the story on Friday, the EU is seeking to ensure that tech companies and critical infrastructure implement high security standards.

In an interview with the Financial Times, Neelie Kroes said the directive was raising the game. “We are creating incentives for private companies to improve their track records in network security, and helping national governments to use the learning from this to improve overall national capabilities.” 

The draft proposal is designed to help the EU address systemic attacks against internet-centric infrastructure, FT reported, because countries in the EU have fallen behind the US and other economies when it comes to protecting users online from attack. Unlike other proposals, where notification is required in the event that personal data is compromised, this new proposal covers any significant security event, from DDoS attacks and network breaches to fraud and natural disasters.

The problem is that requiring organizations to report means they first have to know they’ve been attacked. Many organizations never know there has been a breach, and often those who discover one do so long after it’s happened. Purchasing logging and other defensive technologies can help with compliance, but that assumes that they’re implemented properly and monitored – again something that doesn’t always happen. On top of this is the process of reporting, and the additional costs that organizations will incur in order to comply.

The proposal is expected to be released to the public later this month. Additional coverage from TechWeek Europe, written after viewing the document in full, can be viewed here.
