Businesses forced to admit data breaches under EU cybersecurity plan

The European Commission has unveiled a cybersecurity strategy for the continent, which would compel companies in key sectors, such as banking and energy, to disclose when they have fallen victim to cybercriminals.
Written by Jo Best, Contributor

Each country in the European Union will have to set up national authorities charged with defending against online attacks under a new EU cybersecurity strategy, which will also see major companies and utilities forced to report any security breaches.

The European Commission's Cyber Security Strategy, announced on Thursday, sets out how Europe plans to prevent and respond to online security incidents. It aims to beef up the continent's agencies and mechanisms dealing with cybercrime in the private and public sector; cut cybercrime; develop common European policies; and improve tech to defend against cybercrime.

Among the measures the strategy recommends are that each European country set up a CERT and designate a "competent authority" to manage online security for EU organisations. Such national cybercrime units would share information with each other, with law enforcement agencies and with data protection authorities, and would publish early warnings of online threats.

Private sector impact

The Commission also has its eye on the private sector. "Since the large majority of network and information systems are privately owned and operated, improving engagement with the private sector to foster cybersecurity is crucial. The private sector should develop, at technical level, its own cyber-resilience capacities and share best practices across sectors," the strategy says.

But the Commission is hoping to go further, intending to legislate to force big companies to disclose when they have suffered an online attack.

"Private actors still lack effective incentives to provide reliable data on the existence or impact of [network and information security] incidents, to embrace a risk management culture or to invest in security solutions," the strategy says, adding that key organisations in transport, banking and stock exchanges, online infrastructure providers, and public sector bodies would in future be obliged to assess the online risks they face, make sure their IT is up to scratch, and share their information with their national cybercrime unit.

"While the private sector should continue to play a leading role in the construction and day-to-day management of the internet, the need for requirements for transparency, accountability and security is becoming more and more prominent," the strategy says.

Such measures are set out in the Commission's network and information security directive. If the directive is approved by the European Parliament and Council, EU countries will then be charged with translating it into law locally.

"The need for requirements for transparency, accountability and security is becoming more and more prominent" — EU strategy

As well as pushing for legislation, the Commission is also ready to get its wallet out, promising funding to help European countries find and plug gaps in their online security, as well as finance research into cybercrime.

The strategy follows the launch last month of the European Cybercrime Centre in the Netherlands, which is intended to be Europe's focal point for fighting online crime and sharing information on security threats.

Almost half of the countries worldwide with the best cybersecurity are found in Western Europe, according to a report by Microsoft.
