The EU has long been considering the implementation of frameworks and legal solutions to address mounting concerns in regard to cyber security. In addition to the introduction of a new strategy in this regard, the Commission made a proposal in February 2013 to introduce a directive to facilitate the creation of a harmonised network and to standardise information security throughout the EU.
One of the key elements of this directive will involve an obligation on all companies to have their infrastructure audited to make sure they are prepared for cyber attacks. It will also impose a duty to notify national authorities of cyber security incidents that may have a significant impact. Furthermore, market operators will likely be considered liable whether they maintain their own networks or outsource such maintenance. There is substantial concern as to how the private sector will be affected by the proposed directive.
The EU strategy has been slated to target a number of internet-based companies, including but not restricted to payment services, social networks, search engines, cloud services, e-commerce platforms and voice-over-internet-protocol providers.
The proposals are currently being distributed among several committees including those for Civil Liberties, Justice and Home Affairs, the Internal Market and Consumer Protection. With so many committees involved and elections in the EU in May 2014, time is pressing to properly formulate this directive before the mandate of the current administration expires.