Companies told to disclose data breaches

The EU's online security body is calling for mandatory reporting on security and data breaches by businesses
Written by Nick Heath, Contributor

The EU's online security body is calling for laws to force companies to reveal when their computer systems have been breached.

The European Network and Information Security Agency (Enisa) wants mandatory reporting on security and data breaches by businesses.

Enisa called for the change in its General Report 2007, where it also detailed the spread of Computer Emergency Response Teams (Certs) to 14 EU states, up from eight in 2005.

Certs, dubbed 'digital fire brigades', help countries combat distributed denial of service attacks and spam generated by hijacked botnet computers.

Enisa has also launched a three-year programme it says will "mitigate the risk of a digital 9/11" by improving the resilience of public electronic communications in Europe.

Andrea Pirotti, executive director of Enisa, said in a statement: "Europe must take security threats more seriously and invest more resources in NIS [network and information security].

"Therefore, Enisa calls for the EU to introduce mandatory reporting on security breaches and incidents for business, just as the US has already done.

"The member states should undertake concerted efforts to reduce the imbalances in security levels, with more cross-border co-operation."

Over the past year Enisa has also compiled a study on a European Information Sharing and Alert System to inform the public and SMEs about online threats, vulnerabilities and attacks, as well as putting together a report on the risks of social-networking websites.

Editorial standards