Europe has a new cybersecurity law, and you'd better watch out
The next time there's a serious cybersecurity breach, firms like Google and Amazon will have to report the incident and give full disclosure, or face various sanctions.
That's because the European Union's lawmakers just agreed on the bloc's first cybersecurity law, called the Network and Information Security Directive.
The EU said in a statement that the new laws will "improve cybersecurity capabilities in Member States" and "improve Member States' cooperation on cybersecurity."
"The Internet knows no border - a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cybersecurity solutions. This agreement is an important step in this direction," said the European Commission's digital chief, Andrus Ansip.
The law will cover security and reporting obligations not only for companies in critical sectors such as transport, energy, health and finance but, more significantly, also for big Internet companies like Google and all web-based service providers.
Specific cases of cross-border security breaches will be dealt with by teams called 'Computer Security Incident Response Teams'.
What happens next
These moves are likely to come into effect in full when the text of the agreement is formally approved by the European Parliament and Council. It will then have to be published in the EU Official Journal, after which it officially enters European law.
Andrew Rogoyski, Head of Cyber Security at CGI, told Techweek Europe that "the key obligations emerging from this directive will be that 'operators of essential services' will have to take 'appropriate security measures' and to notify serious incidents to the relevant national authority."
What that jargon means: private internet companies in Europe will be legally obliged to inform national authorities of cybersecurity breaches.
He also said that the visibility of data breaches will increase, which will help to leverage public concern over the safety of online systems.
While pushing for stringent security measures on the one hand, EU member states have at the same time been demanding the polar opposite when it comes to encryption: that cryptographic protocols be weakened.
A number of EU nations have been nudging internet companies to include encryption backdoors in their software to get access, if and when the need arises.
The Wall Street Journal recently quoted an EU official as saying, "Communication between terrorists is increasingly taking place using highly sophisticated encryption techniques and this needs to be addressed."
The WSJ reported that the first half of 2015 saw the number of data requests by EU states increase 20% to 13,000. Requests from Apple climbed 48% to about 16,000.
The most significant move towards relaxing encryption in Europe is perhaps Britain's Investigatory Powers bill.
Dubbed a snooping charter by detractors, the new set of rules was largely seen as a reaction to the Snowden revelations. The bill will place a legal obligation on companies to help bypass encryption models when seen as necessary. It's due to be debated by MPs next year.
The American FBI is also pushing for a similar war on encryption. At a cybersecurity conference in New York last month, FBI Director James Comey said that once Islamic State commanders discover someone willing to die for a cause, the conversations move to more heavily encrypted platforms, thus "going dark." The Paris attackers, too, had supposedly used Telegram, which is encrypted, making surveillance tough for authorities.
The problem, of course, is the ambiguity of the word 'necessary': giving governments access to all private communication between citizens under such an ambiguous definition is alarming, to say the least.