Out-Law / Your Daily Need-To-Know

EU urged to focus on ‘critical infrastructure’ to boost cyber security

Out-Law News | 11 Nov 2014 | 5:10 pm | 1 min. read

There is an “uneven landscape” for cyber security readiness in Europe which should be tackled by investing in “critical infrastructure”, a senior official of an advocacy body for the global software industry has said.

Thomas Boue, public policy manager with the US-based BSA / The Software Alliance, told EurActiv: “To build a foundation for cyber protections in Europe we need to start with Europe’s most critical infrastructure, ensuring from the outset that EU laws are helping to secure that which needs protecting the most.”

Boue said a draft EU network and information security (NIS) directive should first focus on “Europe’s most critical networks and infrastructure, such as transport, energy and banking, in order to establish a foundation for cyber security readiness first and foremost in those areas where disruption would have major security and public safety impacts”.

According to Boue, the directive “should build on the regulatory infrastructures already in place that support critical systems and infrastructure”.

“Keeping the directive’s reporting requirements focused on critical infrastructure and excluding information society services would eliminate conflicts or redundancies in process,” Boue said. “If business-to-business services like cloud services are included in the scope directly, it would create a situation where a single incident would be reported by both an IT service provider and the operator of the infrastructure. There would then be two (or more) reports for what is ultimately one problem, wherein only one entity has an clear and complete understanding of the impact of the incident on the critical network or service.”

The European Commission published the draft directive in February 2013 in a bid to ensure that banks, energy companies and other businesses involved in the operation of critical infrastructure maintained sufficiently secure systems. Under the regime public administrators and 'market operators' would have to notify designed regulators of "significant" cyber security incidents that they experience.

Under the Commission's proposals not all breaches reported to the regulators would necessarily be conveyed to the public, but regulators would be required to determine on a case-by-case whether it was in the public interest to inform them. The regulators would be obliged to share information with one another on cyber security risks in accordance with the proposed framework.