EU’s New Cybersecurity Directive Orders States To Set Up Emergency Response Teams, Better Risk Mgmt For Verticals

With hacking and malware on the rise, Europe is cracking down on cybersecurity: today the European Commission, working with the High Representative of the Union for Foreign Affairs and Security Policy, is launching a new cybersecurity strategy along with a proposed directive on how to implement it (both embedded below). Among other things, the directive calls for each member state of the EU to set up “CERT”s — Computer Emergency Response Teams — to deal with hacking and malware crises, along with plans for how to deal with major incidents; it also wants to put more pressure on private companies in different vertical sectors like banking to be more forthcoming in reporting major breaches.

Points like these could prove to be sensitive issues because of the costs of implementing them, and because of the potential damage the publicity around breaches could cause for affected organizations.

“Sometimes companies want to avoid [publicity on breaches],” admitted Neelie Kroes, European Commission Vice-President for the Digital Agenda, today. “But you can’t say that it is unique when you have a breach, it is normal, so no reason you should not be mentioning it and learning from it.”

Kroes is due to hold a press conference with Catherine Ashton, the EU’s High Representative for Foreign Affairs and Security Policy, and Cecilia Malmstrom, Member of the EC in charge of Home Affairs, to present the strategy and directive. The work builds on findings released in January by ENISA, the European Network and Information Security Agency, which detailed trends in the biggest cyberthreats of the moment and who is affected most.

We’ll be watching that and updating the story accordingly, but as we understand it, here are the main points that will be covered in the strategy, whose objective is to generally improve cybersecurity across Europe, laying the groundwork for more ICT investments from public and private organizations longer-term:

— Each member state must set up a Computer Emergency Response Team (CERT).
— Each member state must nominate a competent authority to deal with network and information security, where companies would report breaches. These authorities need to put in place plans for dealing with major incidents. (Not clear whether these authorities will be public organizations or whether they can be run by private firms.)
— These national authorities will be required to form a network and to work with ENISA to lift overall security.
— Specific sectors like banking, transport, energy, health, Internet companies and public administrations must adopt risk management practices and report major incidents. TechCrunch understands this is an extension of an existing scheme in the Framework Directive for e-communications.

“The goal is to support Member States to get better at cybersecurity, not dictate the exact methods for achieving this outcome,” a spokesperson noted in an email on the directive.

With the cybersecurity proposals coming in at the same time that the EU is debating wider budget negotiations, those who are keen to put the directive in place argue that Europe has not done enough to date when it comes to its Internet safety, and that this will have an impact longer term when it comes to investments in ICT in Europe.

At the moment ICT accounts for 5% of GDP in the EU and is growing, but proposed EU budget spend for ICT is just 2.5% of the region’s overall budget, equivalent to 0.02% of GDP in the EU. “If ICT spending falls below 2% of the MFF we fall below what developing countries invest in ICT,” a spokesperson for Kroes noted in an email.

Update: From the press conference: “The principles we hold offline should be the same as those we hold online. It has to remain free and open,” said Ashton, “but we have to recognize responsibility.” She also mentioned that working on cybercrime will involve coordination between civilian and military organizations. Asked how the military fits into this, she later noted that NATO and other organizations would be involved.

“Internet is very important for our economy and values,” said Kroes. “We are all aware of the phishing scams… and natural disasters like storms. We need to protect our networks and make them resilient.”

There were also questions probing how much member states are able to negotiate with other governments such as China’s: China is among the countries from which many attacks allegedly originate. Kroes would not comment on these individual discussions, but this issue could prove to be a lever for states and businesses that claim that doing more at home will only work if there is cooperation with organizations further afield — and that they should need to invest in their end of the deal until the others start to play ball.