heise Security - 26 November 2012
To improve cyber security, the EU is considering making it mandatory for businesses to report cyber attacks. Although a big supporter of self-regulation, Neelie Kroes, the EU Commissioner for the Digital Agenda for Europe, told the German newspaper Süddeutsche Zeitung that she did not think there would be much progress with it in this case.
Together with the European Commissioner for Home Affairs, Cecilia Malmström, and the EU's High Representative for Foreign Affairs and Security Policy, Catherine Ashton, Kroes plans to propose a European cyber security strategy before the end of the year. The proposal is to be followed by a draft law that will regulate the consequences for internet service providers and data centre operators.
Similar plans were announced by the German Ministry of the Interior in early November: a proposed law on IT security is to regulate the reporting duties of businesses; the proposed law will generally cover, for example, telecommunications providers.
To ensure an optimum outcome, the Ministry said that these companies, which are "responsible for the backbone of the information society", must guarantee the security of personal data as well as fully protect their infrastructures against unauthorised access. The proposal wasn't exactly greeted with enthusiasm by the German IT industry.
At the German government's IT summit, the Federal Minister of Economics and Technology, Philip Rösler, said that he advocates a voluntary incident reporting strategy for businesses. He added that a unilateral German effort would threaten the German economy's ability to compete.

http://www.h-online.com/security/news/item/EU-plans-to-implement-mandatory-cyber-incident-reporting-1756784.html