Clear definitions of cyber security terms lacking under NIS Directive, new report finds

Out-Law News | 17 Sep 2013 | 1:38 pm | 3 min. read

Companies are being asked to report cyber security incidents, security breaches and data breaches they experience without the European Commission being clear what those terms refer to, according to a report commissioned by a group of MEPs.

The report on data and security breaches and cyber security strategies (172-page / 4.96MB PDF), formed by the economic and scientific policy department at the European Parliament on behalf of the committee for industry, research and energy, found a lack of clarity in how terms such as 'cyber security incident', 'security breach' and 'data breach' have been defined. 

The European Commission has laid out plans to require public administrators and 'market operators', such as banks and energy companies, to notify designated regulators of "significant" cyber security incidents that they experience under its draft Network and Information Security (NIS) Directive. Separately, proposed reforms to the EU's data protection framework would require personal data breaches to be notified to regulators and the public, under certain conditions. 

However, the report said that the terms 'cyber security incident', 'security breach' and 'data breach' are defined differently by standard-setting bodies and under different legislation and guidance. 

"Many of the proposals to tackle cyber security are based on an unclear definition of the supposed root cause of incidents, security breaches or data breaches," the report said. "Consistent and unambiguous definitions across legislative instruments are often lacking." 

According to the report, 10% of financial services companies do not have an "ICT security plan", whilst "large discrepancies" were found in how prepared businesses across all sectors and national borders are to deal with cyber security incidents. 

The report also said that although there are a variety of bodies working in the field of cyber security, such as the European Network and Information Security Agency (ENISA), the European Public–Private Partnership for Resilience (EP3R) and the Computer Emergency Response Team (CERT) for EU institutions, there are challenges in "understanding who talks to whom and how co-ordination and co-operation is achieved". 

"No-one currently has a clear understanding of how all the different pieces fit together," it said. 

The report also identified an "overlap" in the various security and breach notification requirements either already set out in EU law or which are proposed. 

In addition to there being reporting requirements set out in the draft NIS Directive and under the proposed EU data protection reforms package, the Commission has proposed that companies providing trust services should report security breaches to regulators. Already, telecoms companies operating within the trading bloc have to notify to regulators some personal data breaches they experience. 

The report said that the NIS Directive would, with the exception of a framework already in place in India, be "the only regime encompassing a broad security incident reporting mechanism". However, it said that the Commission may have underestimated the true costs businesses will face to comply with the regime. 

"The calculated administrative burden placed on covered entities to comply may be based on erroneous assumptions stemming from confusion as to how security risk management assesses the measures that firms may implement under either critical infrastructure or data protection regimes which apply to the sorts of incidents intended to be covered by the proposal for a NIS Directive," the report said. 

"In its conservative understanding of risk management measures, the proposed Directive may have an untoward effect on the competitiveness and innovation of users and providers of cloud computing services and managed security service providers," it said. 

The report labelled the Commission's NIS Directive proposals "unambitious and unbalanced in its focus on the public rather than the private sector". It said the Commission may have focused on setting "hard policy" because of the perception that businesses themselves have been unwilling to address cyber security issues. 

However, the Commission's proposals do not account for some private sector initiatives, including the role that managed security service providers perform already in automatically collecting data on security incidents, the report said. It said that it was wrong for mandatory reporting requirements to be set and called on a voluntary approach to reporting of cyber security incidents to be adopted to avoid unnecessary duplication with other reporting rules companies are subject to. 

"As the objective of the proposal for a NIS Directive appears to be the better understanding of trends and patterns in incidents, the rationale for mandating reporting (as is more common in a public data breach notification regime) is unclear," the report said. "In the main sectors (critical infrastructure providers and practice from elsewhere) voluntary mechanisms are the norm." 

"Establishing mandatory reporting while encouraging firms to take up risk analysis in the context of an instrument concerned with incident reporting appears paradoxical because risk analysis for cyber security is highly context dependent and what may be a significant risk for one organisation (thus passing a threshold for notification) could be trivial for another," it said.