The European Union is one step closer to introducing uniform cyber security rules which would require all member states to implement mandatory data breach notifications and establish their own cyber attack response teams.
The EU currently has no common approach to cyber security or incident reporting.
However a new set of rules, known as the network and information systems (NIS) directive, has passed a major final hurdle by winning the endorsement of the vast majority of members of its internal market committee.
The rules now only need to be passed by the EU council and the full parliament, both of which have already offered their in-principle support to the scheme.
The European cyber regime has been many years in the making and will see all member states name all the organisations in their respective countries that qualify as “operators of essential services” to be subject to the new rules.
“Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify [authorities of] significant cyber incidents,” said Andreas Schwab, the EU parliamentarian driving the reforms.
“Member states will also have to cooperate more on cybersecurity, which is even more important in light of the current security situation in Europe.”
The rules, including the mandatory data breach notifications, will not apply to businesses that are not identified as running essential services. However, the EU is also looking to add global internet giants, such as Amazon and Google, to the list of entities to be subject to the NIS directive.
Schwab insisted that the only real impact on these suppliers of digital services is that they will be asked to keep the EU in the loop on any serious intrusions or targeted attacks.
“We only demand that they notify structured attacks to national authorities. And we don't talk here about every single incident, but only about a serious level of incidents that has to be reported. So the workload is quite small,” he said.
The governments of member states, however, will need to adopt a national NIS strategy and set up a computer security incident response team (CSIRT) to handle threats and incidents, and to liaise with their fellow teams in neighbouring countries.
Once the NIS directive is passed, EU member states will have 21 months to transpose it into domestic legislation and another six months to come up with a list of their essential services operators.