EU Hammers Out Cybersecurity RulesEurope Seeks Minimum Security Standards, Cross-Border Incident Response
European Union lawmakers and member states have hammered out landmark proposed cybersecurity rules that would set minimum levels of security across a number of critical infrastructure sectors.
Under a draft of the law - known as the Network and Information Security Directive - approved Dec. 7, organizations in the energy, transportation, financial services, health and water supply sectors would have to demonstrate that they are "robust enough to resist cyberattacks" as well as report any serious information security breaches to authorities.
In addition, operators of online marketplaces, search engines and cloud infrastructure - including Amazon, eBay and Google - would be required to demonstrate that their infrastructure is secure, although exemptions will be in place for "micro and small digital companies."
Push for EU Cybersecurity Rules
"Today, a milestone has been achieved: We have agreed on first ever EU-wide cyber-security rules, which the [EU] Parliament has advocated for years," said Andreas Schwab, a member of the European Parliament for Germany. Schwab is also the Parliamentary rapporteur - or liaison officer - for the Internal Market Committee, which reached the agreement with the European Council, which represents the governments of the 28 member countries. The Internal Market Committee and Council Committee of Permanent Representatives will now consider formal approval, after which the rules could be voted on by the full Parliament and potentially become law.
Upsides for Law Enforcement
The new agreement between EU lawmakers and the European Council should help combat online crime, says Alan Woodward, a University of Surrey computer science professor. He's also a cybersecurity adviser to the association of European police agencies - Europol - and its EC3 European Cybercrime Center.
"I very much welcome this move," he tells Information Security Media Group. "One of the aspects that has hampered law enforcement in previous years was the fact that criminals could hide across the border - even within Europe. The formation of EC3 at Europol was intended to tackle that directly, and it has had some terrific successes."
The push now is for EU governments to work more closely together on broader cybersecurity issues. "These rules do that," he says. "The fact that the MEPs and then the Council agreed to this so quickly is a mark of how seriously people are taking the cyber threat. Europe has seen the benefit from having EC3 and the cross-border cooperation that brings, and now the [EU government] wants to ensure that everyone is singing off of the same hymn sheet."
Greater EU coordination and cooperation among the energy, transportation, health and banking and water supply sectors, as well as requiring such organizations to alert authorities in the event of a breach, has long been on the EU Parliament's agenda, Schwab notes. Now, thanks to the agreement, "member states will have to cooperate more on cybersecurity - which is even more important in light of the current security situation in Europe," he says (see Threat Intelligence Lessons from Paris Attacks).
The draft rules would also require member states to:
- Define critical operators: Member states must define which organizations inside their country provide critical services in the energy, transportation, banking, financial, health and water supply sectors.
- Participate in a strategic cooperation group: This new group will exchange information and best practices between EU member states as well as create guidelines and help member states improve their cybersecurity capabilities.
- Maintain computer security incident response teams: Each member state will create a CSIRT - often referred to as a computer emergency response team, or CERT - to handle cybersecurity incidents as well as coordinate incident response with their counterparts in other countries.
Aim: Safer Single Market
Schwab has also called the agreement an "important step for [creating a] common and safe digital single market in Europe."
The underlying goal is to create a minimum level of cybersecurity - and related laws and policing - in each EU member state, such that businesses will trust that their data will be handled safely anywhere in Europe.
"The best analogy was the EU Data Protection Directive, which in the U.K. appeared as the Data Protection Act," Woodward says, referring to how member states will take an EU-level requirement and then enact it using their national laws. "As a result of that original directive and the individual laws it spawned, people have confidence that wherever they send their data in Europe it will have the same degree of protection. If we can genericize this to cybersecurity in its wider context, that would be a major step forward."
Gateway to Further Regulation?
But one unanswered question is the degree to which the EU may now try to regulate more than just critical infrastructure sectors. Notably, Schwab suggests that the new cybersecurity agreement will pave the way for greater regulation of online platforms, which refers to everything from e-commerce vendors and search engines to social networks and cloud-based infrastructure providers.
In April, for example, the EU's digital commissioner, GÃ¼nther Oettinger, warned that Europe was "dependent on a few non-EU players worldwide" owing to the region having "missed many opportunities" to develop its own online platforms. Without naming names, Oettinger said Europe would need to "replace today's Web search engines, operating systems and social networks" with homegrown alternatives.
But some European lawmakers warn that such an approach might stifle business innovation.
In September, for example, Ed Vaizey, U.K. Minister of State for Culture, Communications and Creative Industries, told the country's House of Lords that the EU's push to more heavily regulate online platforms has a "political overtone" reflecting some countries' distrust of services created by or managed from other countries, such as the United States.
"My instinct is that those concerns are based on the fact that those platforms are not based or grown out of the member states themselves, and if they were of a different nationality those concerns might melt away," he said. "So we need greater clarity ... from those member states that are talking about platform regulation about what they mean by platforms and what specific regulation they are talking about and what ill they are trying to cure."