New EU Cybersecurity Rules

March 4, 2013

Allegations regarding cybersecurity attacks sanctioned by the Chinese government against targets in the United States have attracted significant attention to the safeguards applied to protect information security.  Debate continues in the United States as to the appropriate legal and regulatory framework to promote cybersecurity most effectively.  In contrast to the United States, the European Union is moving rapidly toward adoption of a new set of cybersecurity requirements.

The proposed new European cybersecurity rules address several key security issues.  They require European governments to establish effective cybersecurity enforcement organizations.  The rules require that governments create authorities tasked with the specific mission of monitoring and facilitating computer system security.  They also require establishment of Computer Emergency Response Teams in each EU country.

The proposed rules require affected parties to report computer security breaches to the government monitoring authorities.  They would also encourage all EU governments to share information regarding cybersecurity threats and breaches.

Data privacy breaches would be included within the scope of the EU rules.  All incidents that have a “significant impact” on services must be reported, regardless of whether they are the result of deliberate cyberattacks, natural events, or human error (including maintenance failures).  This is an important point, as it demonstrates that the EU properly recognizes that computer security involves protection against the full range of threats, not merely the actions of parties with malicious intent.

The proposed rules are based on the assumption that the current European framework for computer security is inadequate.  EU officials are primarily concerned that the wide range of approaches now taken by the different European governments toward computer security, combined with the reluctance of governments to share cybersecurity information, has created a climate that is extremely insecure.  The proposed new rules are intended to address those concerns.

In the United States, the Obama Administration supported federal legislation which would have established voluntary cybersecurity standards.  Congress has, to date, been unwilling to implement cybersecurity standards.  In the absence of Congressional action, President Obama recently issued an executive order establishing a process to develop voluntary cybersecurity requirements for the private sector.

The new European rules are being reviewed by the European Parliament and the EU member nations.  Although the rules are likely to be modified during the multi-year review process, it is anticipated that some version of new cybersecurity requirements will ultimately be implemented in Europe.

The European effort to establish an effective formal framework to foster computer security is timely and important.  The United States should pursue a similar strategy.  The basic cybersecurity principles reflected in the European initiative are sound and appropriate for use in the U.S., as well.

Authorities in the United States should recognize that isolation is not feasible in the world of connected communications and computing networks upon which modern commerce depends.  The EU and nations around the world are moving aggressively to create a robust and effective system for cybersecurity enforcement.  It is time for the United States to do the same.