You are here

EU lawmakers and member states agree on first cyber-security law

Mandatory breach requirement has 'boy who cried wolf' element, says data protection partner

10 December 2015

Add comment

The European Parliament and governments of EU member states have agreed the first cyber-security law, making it mandatory for companies to report serious breaches or face sanctions.

After lengthy negotiations between the parties, an agreement was reached for a new Network and Information Security (NIS) Directive, amid the ongoing threat of cyber-attacks.

The security and breach notification requirements apply to companies that provide essential services in the transport, energy, health, and finance sectors.

Online companies including Google, eBay, and Amazon all come under the measure.

Andrus Ansip, the European Commission's digital chief, said the new law would increase consumers trust in internet services.

'The internet knows no border - a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cyber-security solutions. This agreement is an important step in this direction,' he remarked.

Commenting on the news, Nicola Fulford, a data protection partner at Kemp Little, said the mandatory breach requirements could prove ineffective in the long term.

'The risk with this situation is that consumers can get data breach fatigue - they become jaded and stop paying attention to data breach notifications,' she remarked.

'The likely result here is inaction. After a certain number of warnings consumers fail to follow practical advice from banks or merchants to help mitigate the impact of a data breach.'

Fulford added that there was element of a 'boy who cried wolf', which was 'one argument against mandatory breach notifications'.

In acknowledging the UK has no mandatory reporting law, Fulford said: 'An organisation's first priority should be to stop breaches from happening in the first place.

'The mandatory security provisions in the NIS Directive will hopefully encourage companies to bolster their security systems and prevent attacks from happening.'

Matthew Rogers is an editorial assistant at Solicitors Journal
matthew.rogers@solicitorsjournal.co.uk
 | @sportslawmatt

Categorised in:

Procedures