Under an EU law proposed yesterday, a collection of firms across Europe would have to alert regulators when they’ve been hacked, suffered a data breach or been attacked online.

The law would also appoint a computer emergency response team (CERT) in each of the 27 EU members that would be responsible for network and information security, according to the European Commission’s Cyber Security Strategy.

The commission acknowledges that “there are still gaps across the EU, notably in terms of national capabilities, coordination in cases of incidents spanning across borders, and in terms of private sector involvement and preparedness.”

A Reuters report earlier this week said about 42,000 firms, in particular those that are “critical to the economy” and those that deal directly with internet services, would be affected by the law.

If approved by EU governments and the European Parliament, data breach notification would become mandatory, yet the law failed to specify the penalty companies would face if they failed to report an attack.

For more on the EU’s cybersecurity strategy, head to ENISA’s website, which lays out the agenda as a Network and Information Security (NIS) directive proposal, and to the European Commission, which lays out the information in a series of PDFs.

Categories: Government, Privacy

Comment (1)

  1. Anonymous

    re: no defined penalty

    How about a 24-hour disconnect from the internet? With no exceptions for any government or ISP. Can you imagine if europa.eu or RIPE.net had to disconnect from the internet for 24 hours?
