Banks, energy providers and hospitals are amongst the 40,000 organisations which could be required to report breaches in their cyber security under proposed new European Union rules.
Each member state would have to appoint a Computer Emergency Response Team and set up an authority to which companies would report breaches and which would decide whether to make them public … and impose financial penalties.
The EU claims that only one in four European companies has a formal ICT security policy which is regularly reviewed. The figure is allegedly only one in two, even in ICT companies. In the UK, three quarters of small businesses and 93% of large ones had recently suffered a cybersecurity breach, according to a recent study conducted by PricewaterhouseCoopers.
Europe needs to improve how it deals with cybersecurity, according to Digital Agenda Commissioner Neelie Kroes, who is a long-time campaigner for tighter rules. Announcing the changes, she said, "Europe needs resilient networks and systems and failing to act would impose significant costs on consumers, businesses and society." The EU wants member states to share information about attacks and improve their defences.
Many firms, however, are concerned that reporting online attacks and security breaches might damage their reputations.