EU proposes new cybercrime reporting rules

A European cybercrime centre was opened in The Hague last month

Over 40,000 firms, including energy providers, banks and hospitals could be required to report cyber-break-ins under new rules proposed by the EU.

It is part of a move to intensify global efforts to fight cybercrime.

Digital agenda commissioner Neelie Kroes said that Europe needed to improve how it dealt with cybersecurity.

But firms are concerned that reporting online attacks and security breaches might damage their reputations.

Many breaches

The EU is keen that member states share information about attacks and shore up their cyber-defences.

Under the proposals, each country would have to appoint a Computer Emergency Response Team and create an authority to whom companies would report breaches.

These new bodies would decide whether to make the breaches public and whether to fine companies.

Announcing the changes, Ms Kroes said: "Europe needs resilient networks and systems and failing to act would impose significant costs on consumers, businesses and society."

According to the EU, only one in four European companies has a regularly-reviewed, formal ICT security policy. Even among ICT companies, the figure is only one in two, it said.

A recent study by accountants PwC suggested that three quarters of UK small businesses, and 93% of large ones, had recently suffered a cybersecurity breach.


The BBC is not responsible for the content of external Internet sites


This entry is now closed for comments

  • Comment number 43.

    The different rules in different countries in Europe are consistently an issue with software design and legal compliance. This variation in rules means that now I am running all my personal servers in Germany as I want to work with hosting companies bound by stricter laws. I would not host my servers in the UK or Italy as the legal standards are too low in privacy and security.

  • Comment number 42.

    Government has outsourced much of the storage of the data it holds to data centres run by private companies. Private companies are now a huge risk and there is unhealthy reluctance to regulate them properly.

  • Comment number 41.

    Just what we need another EU institution to put a reporting system in place...

  • Comment number 40.

    We have seen security lapses in all walks of life from banks to hospitals to social networking sites.
    As soon as computers are involved security is reduced whatever the situation. The sooner people understand that the better.

  • Comment number 39.

    @weeljing - if a company has followed industry best practice then a fine would not be required as the fines should be for companies that have been negligent in their duty of care to their customers. So hacking just to get companies fined would only cause those companies that deserve to be fined to get fined. If anything, this kind of hacking would help customers.

  • Comment number 38.

    the EU plan to tackle invasion of private data: invade private data

  • Comment number 37.

    As someone who also works in the industry and has studied the growing trend of 'cybercrime'. You can have the most secure, up-to-date, all singing all dancing system, but if your users are uneducated and are giving out details, then your system is useless.

    Bottom line, user awareness and training is as vital as a firewall or IDPS. Humans are easy targets for social engineering.

  • Comment number 36.

    If companies actually have something to lose (even if it is just face) then they might actually do a proper job of defending themselves against attack.

    As a bonus, it will then allow an analysis of what protection technologies fail to do what they say on the tin, so that they can be taken out of commission and/or improved.

    Win all round, except for some shareholders ... well guess what, boo hoo.

  • Comment number 35.

    Cyber-attacks can never be totally eliminated; the attackers are as good at breaking in as the owners are at developing security systems.
    I don't think regular persons have latched on to the risk because thus far no real damage has been done that affects them directly.
    The most critical of secretive information should be maintained where it can't be hacked i.e. power grid information.

  • Comment number 34.

    It should not be the responsibility of the government to check that people's front doors are closed and locked any more than it should be their responsibility to make companies responsible for their actions. If a company gets hacked, it should be the company's fault, not the hackers for not keeping data secure!!!!

  • Comment number 33.

    by accountants PwC suggested that three quarters of UK small businesses, and 93% of large ones, had recently suffered a breach....

    So the breaches are already reported then; or is said study just an extrapolation of a small, unrepresentative, dataset?

  • Comment number 32.

    Will these just become new snooping laws, which invade our privacy?

  • Comment number 31.

    I don't know what the fuss is about security. I've just won the Nigeria state lottery.

  • Comment number 30.

    The problem is that many companies have a very cavalier approach to security. It is cheaper to run with minimal security which places customer data in danger. These are the kind of companies that do not want the hacks made public as it will show that they did not follow industry best practice in order to do everything they could to prevent (or reduce the chances of) the hack.

  • Comment number 29.

    Security breaches will happen - just the same as break-ins used to.
    What is needed is to prevent the massive data collection going on by companies - data collection that goes far beyond what is actually needed. Register to send comments to the BBC, register to send them to the RSPCA, register ........ for everything. All the time being asked for your name, address, contact details. NOT needed

  • Comment number 28.

    I do not quite see what should be the outcome of this measure. It does not seem to include anything to help to improve on IT security to the companies.

    Just to report that: "... we have been hacked twice last week. ... yeah, we too ..." is not going to be awfully helpful I guess.

    Sure, EU could collect more money on fines (hopefully at least as much as the whole body would cost).

  • Comment number 27.

    More EU red tape.

    That makes a nice change.

  • Comment number 26.

    Hackers will hack simply so that the hacked firm gets a fine.

  • Comment number 25.

    Businesses lose customers/investor confidence in the case of a security breach... bureaucrats only lose face. Government agencies store the most sensitive data and have the worst IT systems. I'd start with them. Quis custodiet ipsos custodes?

  • Comment number 24.

    "Over 40,000 firms, including energy providers, banks and hospitals could be required to report cyber-break-ins".

    Required to! What a wonderful democratic organisation the EU is!



BBC © 2014