login
login
Image header Agence Europe
Europe Daily Bulletin No. 10677
Contents Publication in full By article 14 / 21
SECTORAL POLICIES / (ae) digital

Cyber-security - ENISA criticises gaps in application of legislation

Brussels, 29/08/2012 (Agence Europe) - In a new report (“Cyber Incident Reporting in the EU”), the European Network and Information Security Agency ENISA takes stock of the existing and future legislation of the European Union on network security and incident reporting. Although the analysis flags up major progress, it also reveals gaps in the national implementation of the measures, with incidents which are not detected or reported. The authors of the report stress that “cyber incidents are most commonly kept secret when discovered, leaving customers and policymakers in the dark about frequency, impact and root causes”.

Cyber-security incidents have a significant impact on society and ENISA quotes five examples of the problems which have occurred most frequently between 2010 and 2012, with a serious impact on millions of citizens and businesses each time: 1) millions of business network passwords were exposed; 2) the storm Dagmar wrecked millions of Scandinavian communication links; 3) a British data centre failure interrupted millions of business and company communications worldwide; 4) a certification authority was breached, exposing the communications of millions of users; and 5) a Chinese telecoms provider hijacked 15% of the world's internet traffic for 20 minutes.

The report gives an overview of existing and future legislation regarding clauses on the obligatory reporting of incidents. It highlights common factors and differences between the various articles of current legislation and looks ahead to the EU cyber security strategy. The study also identifies areas for improvement. For example, only one of the incidents mentioned above fell within the scope of the national regulators' mandate, indicating that there are gaps in the regulation. Thus, at European level, the sharing of incident reports should be improved. With this in mind, ENISA announces that a working group of the agency has developed both a common set of security measures and an incident reporting format for the national regulators, to ensure a more consistent implementation of article 13a of the “Telecoms Package” (obligatory incident reporting). ENISA also announces that it has recently received reports on the 51 major incidents reported by the regulatory authorities, describing the impact, root causes, measures taken and lessons learned regarding these incidents. (IL/transl.fl)

= = = = = = = = = = = = =