Data leakage regulation proposed by EU

Mandated Data Breach Notifications in Proposed EU Cybersecurity Directive: Organizations under this new regulation would be required to report any data breaches.

The European Union has proposed a new cyber security directive aimed at maintaining trust in networks and information systems. The directive, which is subject to EU parliamentary approval, includes several key provisions, such as a data breach notification law and the establishment of a Computer Emergency Readiness Team (CERT) in each member state.

One of the incidents that sparked the need for this directive was the 2011 hack of the Dutch SSL certificate authority DigiNotar. Hackers stole SSL certificates from DigiNotar, allowing them to make unsafe websites appear secure. This incident undermined trust in the Internet and highlighted the need for stricter cyber security measures.

Under the new EU Cybersecurity Directive (NIS-2), organizations in the energy, transport, health, Internet, and public administration sectors will be obliged to report serious security incidents to relevant authorities. A serious security incident is defined as one that significantly impairs the operability of networks and information systems.

The directive does not explicitly state whether the establishment of a CERT is mandatory for all member states. However, Francis Maude, Cabinet Office minister in the United Kingdom, proposed the establishment of a CERT for the UK last year.

The proposed directive also does not specify whether the requirement to report security breaches applies to businesses of all sizes. According to the proposal, organizations with at least 50 employees or 10 million euros in annual turnover in Germany from 18 specified sectors will be obliged to report every security incident that significantly impairs the operability of networks and information systems.

The proposed directive follows an online public consultation with businesses of all sizes. Just over half of the respondents agreed that a requirement to report security breaches would not cause significant additional costs (52.5%). Some respondents (19.8%) said that a requirement to report security breaches would not cause additional costs at all. One in four respondents (44.4%) believed that a requirement to notify and report incidents to NIS authorities would be necessary to make private companies and public administrations systematically report about cyber security incidents.

The directive does not provide details on the consequences for organizations that fail to report security breaches or establish a CERT. However, the directive is intended to prevent similar incidents and ensure the security of networks and information systems, thereby maintaining trust in the digital world.