EU lawmakers reach agreement on first cybersecurity law

Earlier this week, EU lawmakers and member states reached an agreement on the bloc's first cybersecurity law.

The law requires companies such as Google, Amazon and eBay – but not social networks like Facebook – to report serious breaches to national authorities. Firms that fail to report can be punished through sanctions.

The Network and Information Security Directive

Under the new law, the Network and Information Security Directive, firms operating in critical sectors such as transport, energy, health and finance will face stricter security and reporting obligations than internet firms.

The European Commission’s Digital Chief, Andrus Ansip, was quoted by Reuters as saying: “The internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cyber-security solutions. This agreement is an important step in this direction.”

Commenting on the new law, Chris Wysopal, CTO and CISO at Veracode, said: “It’s good to see agreement from EU lawmakers that something needs to be done about the state of cybersecurity across the region. Alerting impacted organisations, businesses and people of breaches that could impact them is a step in the right direction.

“Hopefully this will open everyone’s eyes to what’s been happening for years and put pressure on organisations to double down on their security efforts. Any legislation needs to be prescriptive to create a baseline for what’s considered reasonable security, otherwise it will be difficult to drive change. One way to do this would be taking the Network and Information Security Directive one step further and crafting some form of liability to enforce reasonable efforts are being taken to secure systems. A good starting point would be to address the woeful state of application security across sectors such as transportation, energy, health and finance.”

US lawmakers pushing for more control

The EU agreement comes as US policymakers strengthen their push to give law enforcement agencies access to encrypted communications after recent terrorism attacks.

Internet firms incorporated stronger encryption into their products after former US contractor Edward Snowden revealed US spying in 2013.