The Threat
Globalisation and advances in on-line commerce have been key to the success of many European businesses. The growth of the internet has enabled the UK in particular, as a global leader in e-commerce, to tap into markets that were previously inaccessible. But as well as bringing new opportunities, this reliance on cyberspace also presents new challenges and risks.
The prospect of cyber-attacks on businesses in the UK has never been more potent. According to the 2015 Information Security Breaches Survey Report by the Department for Business, Innovation and Skills, 90% of large corporations and 74% of small businesses reported a cyber-breach in 2015. The cost of the worst cyber-security breach has been estimated at between £1.5m and £3.14m for large businesses and between £75k and £310k for smaller ones.
Alongside international terrorism, the National Security Strategy categorised cyber-attacks as a Tier One threat to our national security and in recent months George Osborne raised the prospect that terror groups may launch deadly cyber-attacks on Europe.
A New Way Forward
Historically, the approach to cyber security amongst member states has varied considerably, with a patchwork of different legislative regimes. Those states with insufficient security measures diminished the EU’s overall protection and exposed it to attack.
Prompted by mounting concerns about online security issues, in July 2012 the European Commission launched a public consultation on a new strategy for network and information security. The consultation found that 57% of respondents had experienced security problems in the previous year that had seriously impacted their activities.
As a result of these findings, on 7 February 2013 the Commission published a proposed new directive on cyber security, which would harmonise the way member states addressed information and network security. Alongside this directive, the European Commission published a Joint Communication setting out an EU cyber security strategy.
It was hoped that these measures would close any loopholes in the existing legislative framework of EU countries. At the same time, they demonstrate the Commission’s commitment to the issue of cyber security, both for its citizens and for businesses within and outside the EU.
On 7 December 2015, negotiators of the European Parliament, the Council and the Commission agreed on the first EU-wide legislation on cybersecurity. The text will now be formally approved by the European Parliament and the Council. After that it will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement this Directive into their national laws and 6 months more to identify operators of essential services.
In A New European Cyber Security Strategy – Part II, we will outline the key provisions of this historic cyber-security legislation.