The European Commission is seeking the views of governments,
businesses and citizens on their experiences of, and possible EU responses
to, cyber incidents that disrupt essential Network and
Information Systems (NIS), including the internet.
The Commission has launched this
consultation to help it prepare a legislative proposal on network and
information security, which will be an important element of the upcoming
EU strategy on cyber security. Feedback received will help the
Commission draw up an approach to possible future risk management and
security breach reporting requirements, which would affect businesses in
particular. The consultation runs until 12 October 2012.
Background
Cyber incidents are becoming more
frequent. In 2011, web-based attacks increased by 36% over one year, and
the share of companies reporting security incidents with a financial impact
rose from 5% to 20% between 2007 and 2010. And the risk is
growing: according to the World Economic Forum, there is a 10% chance of a
major Critical Information Infrastructure incident causing more than
$250 billion in economic damage in the next decade.
Cyber incidents can be triggered by
accidental causes such as natural events, human error and technical
failure, or by more sinister ones such as malicious attacks, economic
espionage, terrorism and state-sponsored activity. When they affect
critical sectors such as finance, health, energy and transport, they can
have serious consequences for society and the economy and erode public
trust in online activities in general.
This is also a global challenge,
since many cyber incidents and attacks originate outside the EU. Later
this year the European Commission and the EU High Representative for Foreign
Affairs and Security Policy will present a joint Strategy on cyber
security. The overarching aim of the Strategy is to ensure a secure and
trustworthy digital environment in which EU fundamental rights and core
values are promoted and protected.
As far as Network and Information
Systems are concerned, the aim would be to enhance preparedness,
strengthen the resilience of critical infrastructure and
foster a cyber-security culture in the EU.
The Commission is considering the
introduction of a requirement to adopt risk management practices and to
report security breaches affecting networks and information systems that
are critical to the provision of key economic and societal services
(e.g. finance, energy, transport and health) and to the functioning of
the Internet (e.g. e-commerce, social networking). The only sector in which
companies are currently required under EU law to adopt risk management
practices and to report security incidents is the electronic
communications sector (telecoms operators and Internet Service
Providers), under Articles 13a and 13b of Directive 2002/21/EC.