Retail and search websites could be forced to report every single cyber security incident they face – even if no data has been compromised – under new EU plans designed for essential services such as electricity or banking networks.
The plans are part of the Network & Information Security (NIS) Directive, which is scheduled to be agreed by June and to come into force in 2018. Figures published by PricewaterhouseCoopers show there were 42.8 million cyber-attacks globally in 2014, roughly 117,339 attacks each day.
A number of EU countries want the new rules to apply to operators of ‘digital service platforms’ such as Amazon as well as to operators of critical banking, energy, health and transport infrastructure, although the UK Government is resisting the move.
The NIS Directive was first published by the European Commission in February 2013 in a bid to bolster the security of critical infrastructure in the EU and ensure that cyber security incidents affecting that infrastructure are reported to regulators.
The Government believes that ‘digital service platforms’ fail the ‘essentiality’ test and should not be regulated through the NIS Directive. It says there is a distinction to be made between the need for a continuous supply of energy in the UK, for example, and the availability of digital service platforms such as Amazon.
While an extended outage caused by a cyber attack on Amazon’s marketplace could have major implications for businesses selling through that platform, it could not be compared with the potential seriousness of a cyber attack that knocks out the UK’s electricity grid.
The Government is also concerned about the administrative burden that could be placed on businesses subject to the NIS Directive.
Rachael Bishop, a policy officer for EU and international cyber security policy at the Department for Business, Innovation & Skills, said the UK does not want a regime where fines are levied willy-nilly.
Fines should be levied only where there is evidence of “consistent, wilful and continued failure” by organisations to comply, and only after an investigation has taken place and other measures, including security auditing, have been exhausted, Bishop said. The sanctions regime will “not be about penalising businesses for every breach”, she added. Other member states, however, have different plans.