EU wants to force firms to report cyberattacks

More than 40,000 companies across the EU could be forced to warn regulators if their systems are hacked, under new cybersecurity proposals to be published today.

Firms involved in ‘critical infrastructure’ – including banks, search engine providers, cloud providers and hospitals – would be required to report to new national authorities to be set up in each member state, along with a Computer Emergency Response Team (CERT).

“At the end of the day openness and transparency about your experience is going to result in a better environment for all,” says Digital Agenda Commissioner Neelie Kroes.

According to Reuters, the rules would apply to around 15,000 transport companies, 8,000 banks, 4,000 energy firms and 15,000 hospitals. Firms with fewer than ten employees would be exempt.

After receiving a report, the national authority would then decide whether to make the attack public, weighing up public interest against the threat of reputational damage to the firm. It would also have the power to impose fines if a company failed to notify it of an attack.

According to the EU, only one in four European companies has a regularly-reviewed, formal ICT security policy. And, says Kroes, in just one year three quarters of small businesses in the UK and 93 percent of large ones suffered some sort of security breach.

But many companies fail to report breaches, putting customers at risk. Kroes cites the case of DigiNotar, hacked in 2011. The company waited ten days before publicizing the breach, in the meantime issuing 530 fraudulent security certificates.

If the law is adopted, the new national authorities are likely to have a lot of fights on their hands as victims of cyberattacks try to plead reputational damage.