
Corporate concerns regarding draft EU cyber security incident rules

UK businesses have expressed “significant concern” about draft new EU rules which would force them to report certain cyber security incidents that they experience.


Following a call for evidence put out by the Government earlier this year in response to the publication of a new draft Network and Information Security (NIS) Directive, there were found to be many concerns among the corporate world about the proposed reporting obligations.


Businesses are said to be worried about how the suggested obligations would work alongside similar reporting obligations that are already in place in many industries. Corporations were also said to have concerns about how the reporting would work in light of new EU data protection laws currently being negotiated.


Under the plans, which were laid out by the European Commission in February, public administrators, and companies such as banks and energy companies that operate in the public sphere, would be required to inform designated regulators of any “significant” cyber security incidents. They may even be required to report those incidents to the public.


The summary of responses to the call for evidence, published by the Department for Business, Innovation and Skills (BIS), said: “Many participants indicated that they were not in favour of these proposals and that there were issues in the practicalities of implementing them.”


UK businesses also reported that they believed the NIS Directive proposals could well penalise those with good cyber security already in place. They also had concerns that the tackling of security risks would take second place to the efforts to comply with the new reporting rules.


“There was a fear that compliance teams could be set up in place of more proactive cyber security teams to ensure a bottom line because it was mandated – cyber security would become a ‘stats game’. Genuine information sharing requires trust and mandatory reporting was unlikely to generate genuinely valuable data, simply compliance,” the report read.


“Mandatory reporting potentially penalised those with better cyber security and reporting procedures in place as they would be required to disclose information that organisations operating at the minimum compliance level may not have detected,” the report added.


The UK Government has confirmed that it is to negotiate at EU level to find a solution that does not overburden the corporate or the public sector, and is capable of fostering positive change.
