Firms supplying essential services, such as for energy, transport, banking and health, or digital ones, such as search engines and cloud services, will have to ireport cyber-attacks under the first EU-wide rules on cybersecurity, approved by MEPs. The new EU law lays down security and reporting obligations for “operators of essential services”. EU member states will have to identify organisations in those fields.
The EU Parliament’s rapporteur Andreas Schwab said: “Cybersecurity incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cybersecurity protection makes us all vulnerable and poses a big security risk for Europe as a whole. This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures in the future.”
Comment
Matthias Maier, Security Evangelist at Splunk said: “As industries strive for digital transformation, critical systems are becoming more connected, and cyber attackers already have them in their sights. As a result, this legislation is a necessary step forward. Meeting this new reporting requirement will demand that organisations establish resilient security procedures. They need to have the ability to quickly determine the scope of an attack. By monitoring the data generated across the IT estate and taking an analytics driven approach to investigating suspicious activity, European firms can detect attacks early, make the right decision about how to respond, and ensure they are able to report on all the details if the worst case happens.”
Member states
Member states will have to set up a network of Computer Security Incident Response Teams (CSIRTs) to handle incidents and risks, discuss cross-border security issues and identify coordinated responses. Member states will have a couple of years to turn the EU directive into their national laws and six more months to identify operators of essential services.
