Cyber-security Legislation: EU Consultation

July 22, 2012

The European Commission is seeking the views of governments, businesses and citizens on their experiences of, and possible responses to, cyber incidents that disrupt essential Network and Information Systems (NIS), including the Internet.

The Commission says that it has launched the consultation to help it prepare a legislative proposal on network and information security, which will form one element of the forthcoming EU strategy on cyber-security. Feedback will inform its approach to possible future risk management and security breach reporting obligations, which would fall on businesses in particular. The consultation runs until 12 October 2012.

The EU Commission highlights increased concerns about cyber-security, citing the following:

- Cyber incidents are becoming more frequent. Web-based attacks increased by 36% in 2011 compared with the previous year, and between 2007 and 2010 the share of companies reporting security incidents with a financial impact rose five-fold, from 5% to 20%. The risk is still growing: according to the World Economic Forum, there is a 10% likelihood over the next decade of a major Critical Information Infrastructure incident causing more than $250 billion in economic damage.

- Cyber incidents can be triggered by accidents such as natural events, human error and technical failure, or by more sinister causes such as malicious attacks, economic espionage, terrorism and state-sponsored activity. When they affect critical sectors such as finance, health, energy and transport they can have serious consequences for society and the economy, and they erode public trust in online activity more generally.

The Commission recognises that this is also a global challenge, since many cyber incidents and attacks originate outside the EU. Later this year the European Commission and the EU High Representative for Foreign Affairs and Security Policy will present a joint Strategy on cyber-security. The overarching aim of the Strategy is to ensure a secure and trustworthy digital environment in which EU fundamental rights and core values are promoted and protected.

As far as Network and Information Systems are concerned, the Commission's aim is to enhance preparedness, strengthen the resilience of critical infrastructure and foster a cyber-security culture across the EU.

The Commission is considering introducing a requirement to adopt risk management practices and to report security breaches affecting networks and information systems that are critical to the provision of key economic and societal services (e.g. finance, energy, transport and health) and to the functioning of the Internet (e.g. e-commerce, social networking). At present the only sector in which companies are required under EU law to adopt risk management practices and to report security incidents is electronic communications (telecoms operators and Internet Service Providers), under Articles 13a and 13b of the Framework Directive 2002/21/EC (as amended in 2009). The proposal would therefore extend a telecoms-style breach notification regime to operators in other critical sectors.

The public consultation is available at http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=securitystrategy2