EU lawmakers and member states agree on first cyber-security law
16th Dec 2015
The European Parliament and the governments of EU member states have agreed on the first EU-wide cyber-security law, which requires companies to report serious breaches or face sanctions.
After lengthy negotiations, an agreement was reached for a new NIS (Network and Information Security) Directive, amid the ongoing threat of cyber-attacks.
The security and breach notification requirements apply to companies that provide essential services in the transport, energy, health, and finance sectors.
Online companies including Google, eBay, and Amazon all come under the new measure.
Andrus Ansip, the European Commission's digital chief, said that the new law would increase consumers' trust in internet services, stating that "The internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cyber-security solutions. This agreement is an important step in this direction".
Nicola Fulford, a data protection partner at Kemp Little, commented on the news by saying that the mandatory breach requirements could prove ineffective in the long term.
“The risk with this situation is that consumers can get data breach fatigue – they become jaded and stop paying attention to data breach notifications,” she noted. “The likely result here is inaction. After a certain number of warnings consumers fail to follow practical advice from banks or merchants to help mitigate the impact of a data breach.”
Fulford added that there was an element of the "boy who cried wolf", which was "one argument against mandatory breach notifications".
Acknowledging that the UK has no mandatory reporting law, Fulford said: "An organisation's first priority should be to stop breaches from happening in the first place. The mandatory security provisions in the NIS Directive will hopefully encourage companies to bolster their security systems and prevent attacks from happening."