Friday 8 February 2013

EU's Cybersecurity Plan Requires Members to Report Attacks

The European Union on Thursday announced a strategic plan designed to prevent and respond to cyberdisruptions and attacks. The heart of the plan: a requirement that all member states and key Internet enablers -- including some U.S.-based companies -- must report attacks. Web-based companies and critical infrastructure operators such as e-commerce platforms, social networks and members of the energy, transport, banking and healthcare services, would have to report security incidents and adopt risk management strategies.

Details of the EU Strategy

There are five priorities in the EU's cybersecurity strategy: achieving cyber resilience, slashing cybercrime, developing a cyberdefense policy and capabilities relating to the Common Security and Defence Policy (CSDP), developing the industrial and technological resources for cybersecurity, and establishing a coherent international cyberspace policy for the EU that promotes the Union's core values.

Member states will have to adopt a strategy and designate a national network and information security (NIS) authority that has adequate funds and human resources for its task. They will also have to create a joint early warning system on cyberthreats.

The European Network and Information Security Agency (ENISA) will work with standardization bodies and all relevant stakeholders to develop technical guidelines and recommendations for the adoption of NIS benchmarks and good practices.

The directive must be implemented within 18 months after its adoption by the EC and the European Parliament.

Who Will Be Affected?

Essentially, any company that offers service online will have to report cyberincidents.

That will include Apple, Google, Amazon, Sony, Microsoft, Facebook, Twitter, LinkedIn, DropBox, Picasa and Wordpress.

Although the EU has regulations in place to improve cybersecurity, its previous efforts have been on too small a scale and too fragmented, the EU argues in the NIS directive.

For example, existing EU rules require only telecoms companies and data controllers to adopt security measures, and only telecom companies have to report significant security incidents.
