The European Commission intends to place additional obligations on the private sector in order to step up the fight against cyber attacks, according to an EU official. Companies in charge of critical infrastructures, for example, will be required to report serious security incidents to national cyber security authorities to be set up by member states. These measures feature in the draft directive on the security of networks and information systems that the executive will present in early February.

The draft directive will form part of the EU's future cyber security strategy (comprehensive communication) that will be proposed in parallel by Commissioners Neelie Kroes (Digital Agenda) and Cecilia Malmstrom (home affairs), together with High Representative for Foreign Affairs Catherine Ashton (see box).

Cyber security aims to protect networks and information systems from cyber incidents. These have multiple origins, including natural disasters, human error, information system failures and attacks by criminals and terrorists.

"The route we have taken in the last ten years has not delivered results, namely to try to promote voluntary progress in terms of cyber security," said a European source, who added that progress is "not sufficient". Fewer than ten states are achieving results in this area (Britain, France, Germany, Estonia, Finland, the Netherlands, Sweden and Denmark).

The Commission will therefore propose a draft directive to bolster the security of networks and information systems in the European Union. It first planned to present a regulation (uniform application across the European Union), but "we have opted for an approach that is not too intrusive," added the same official. The idea is to give the states the powers needed to improve protection against cyber attacks.

In practice, the EU executive intends to require member states to set up special cyber security authorities. These new bodies will have sufficient capacity to form part of the future European cyber security network, a platform where they can exchange information on cyber incidents and react to cases having a cross-border impact, by preparing emergency plans, for instance. The European Network and Information Security Agency (ENISA) will play a key role.

In addition to setting up the European cyber security network, it will help national authorities build up sufficient capacities (eg they will have to be capable of reporting and analysing cyber incidents) and "will decide...
