EU firms will be forced to report data breaches to authorities, after European lawmakers approved the first ever EU-wide legislation on cybersecurity today.
The “milestone” deal will combat the threat of cybercrime, following a growing number of highly-publicised cases such as attacks on TalkTalk and Carphone Warehouse in the past year.
The European Commission welcomed the agreement, with Andrus Ansip, the Commission’s president for the digital single market, saying in a statement:
The internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cybersecurity solutions.
Last night's agreement is an important step in this direction, but we cannot stop here: we plan an ambitious partnership with the industry in the coming months to develop more secure products and services.
Under the new Network and Information Security Directive (NISD), companies can be sanctioned if they fail to report cybercrime to national authorities, and firms in certain “key sectors” will have to make sure they are able to resist attacks.
Identifying what companies fall under these rules will be up to individual member states, but critical sectors include energy, transport, banking, finance, health and water. Internet companies like Google and Amazon were also mentioned as likely to be covered by the new legislation.
Experts believe the deal will have “huge implications” for cybersecurity, as Andrew Rogoyski, head of cyber security at CGI, said:
The NISD is going to significantly increase the focus on cybersecurity at board level – the obligation to publicly declare a breach will send shivers up the spines of chief executives everywhere.
As concerns about cybercrime grow, national governments have also been ramping up their efforts. Chancellor George Osborne recently announced he will double the UK’s cybersecurity spend to an extra £1.9bn over the next five years.