Mandatory breach reporting in new EU cybersecurity plan

The European Commission has published a far-reaching new cybersecurity plan for its member nations, aiming to protect an open internet as well as online freedom and commerce.

As part of the proposed plan, financial services, transport, energy and health sectors, app stores, cloud computing providers and search engines would all have to report "major security incidents on their core services".

Social networks and public administrations are also covered by the breach reporting requirements and must adopt risk management practices.

Member states are to adopt a network and information security strategy, along with funding and staffing to prevent, handle and respond to risks and incident, the directive proposes.

Improved collaboration between countries in the EU and outside the union is also mooted, as well as sharing early warnings and regular peer reviews and attack simulations.

A "secure infrastructure" is proposed for information sharing by the EU, including the establishment of pan-European Computer Emergency Response Teams (CERTs).

Achieving cyber resilience while reducing online crime form part of the EU's net security vision.

The union also intends to develop cyber defence policy and capabilities, and industrial and technological resource for improved security.

The EU quotes estimates from security vendor Symantec that puts yearly cybercrime losses at 290 billion euros (A$378 billion).

McAfee that claims profits from illegal cyber activities are at 750 billion (A$977 billion) annually.