UK government launches consultation on draft EU Cyber Security Directive - closing 21 June 2013
The European Commission published a draft EU Directive on network and information security in February 2013. Under the draft Directive, certain organisations would be subject to potentially onerous reporting obligations in the event that they experience breaches in network security. The UK government has launched a consultation process to assess the potential impact of this legislation on UK business. This initial impact assessment will be used to influence the drafting of the Directive, attempting to ensure that the reporting requirements are effective without placing unnecessary burdens on businesses.
Affected organisations are encouraged to respond online; the Consultation is open until 21 June 2013.
The draft Directive
The European Commission published a draft EU Directive on network and information security on 7 February 2013, together with a cyber security strategy. The Directive is designed to protect businesses within the internal market by encouraging EU-wide cooperation and communication in relation to network security incidents and risk management.
The Directive’s reporting requirements for market operators
The draft EU Directive makes it compulsory for certain organisations to report network security incidents. These reports would be submitted to a designated national ‘competent authority’ which would be established in order to monitor and enforce the Directive at a national level.
Industry sectors likely to be affected by the notification requirements include public administration, finance, energy, transport, health and ‘internet society services’ (e.g. search engines, app stores, cloud service providers, social networks and e-payment providers). The reporting obligation would arise where the incident has a significant impact on the security of the affected organisation’s core services. The draft Directive currently provides no criteria for assessing whether an impact is ‘significant’.
The UK government’s consultation is designed to assess the potential cost of compliance with the proposed measures, as against the benefits to be derived, and also to assess the extent to which organisations already report incidents internally or externally.
What is the focus of the government Consultation?
The government has invited organisations to submit feedback in relation to five key areas:
- Overview of their organisation
Including size, sector and international range of operations. This will help the government to better assess whether certain businesses are more likely to be adversely affected by the proposals.
- Existing incident reporting mechanisms
Respondents are asked to outline any existing procedures for reporting security breaches. These might be regulatory requirements, voluntary agreements or internal corporate policies. Respondents should also specify the types of security incidents experienced, together with their average cost.
- Estimate of additional compliance costs
Organisations should give a genuine estimate of the cost of compliance with the new requirements, should the draft Directive be implemented without amendment. The analysis should include an estimate of the increased number of reported incidents, together with any other possible implications, such as the consequences of security incidents being made public.
- Benefits of the proposed measures
Organisations are also requested to say whether they expect to benefit from the new regime. For example, the European Commission hopes that the proposed measures will ultimately reduce the frequency and severity of security incidents. The European Commission also anticipates that improving network security will boost consumer confidence and consequently improve business revenue. The UK government has invited organisations to comment on whether these anticipated benefits are realistic.
- Any other concerns or issues with the draft Directive
Lastly, the government is keen for organisations to raise any other issues or concerns that they may have about the draft Directive.
Responding to the Consultation
The consultation is open until 21 June 2013. Organisations are encouraged to respond using the online survey form. Submissions may be made anonymously in order to address concerns about discussing commercially sensitive material. All submissions will be taken into consideration when the government prepares its Impact Assessment, which is due to be published during the summer.
Should the draft Directive be implemented in its current form, it could impose a significant cost and administrative burden on UK business. Although the government broadly supports the Commission’s plans, it has stated it does not want the requirements to impose “unnecessary burdens” and is particularly concerned about the compulsory nature of the reporting requirements. This consultation represents an opportunity for organisations to highlight to the UK government any concerns that they may have with the proposals and to help shape the provisions of the draft Directive.