The UK government is consulting on a proposed EU directive on network and information security.
The UK Government is interested in receiving evidence from any organisation that could be affected by the measures as set out in the Directive. ...In particular it is interested in the effects associated with the introduction of mandatory reporting of incidents with a ‘significant impact’, and the costs and benefits to organisations of being compliant with the proposed measures.
One of the more controversial measures in the proposed directive mandates compulsory reporting of cybersecurity incidents having “a significant impact on the provision of core services” to the national regulator. This requirement would apply not only to traditionally regulated services such as telecoms or financial services, but also to “enablers of Internet society services”, a very broad category which is likely to include, at a minimum, social networks, app stores, electronic payment processing services and cloud services.
Senior government figures have expressed significant misgivings about the proposed Directive, which suggests that the government may be receptive to critical viewpoints. Last month, the Minister for the Cabinet Office, Francis Maude, told the Financial Times (paywall, also quoted here) that “a system based on trust about the handling of information between companies is far better than one based on legislation”.
The deadline for responses is Friday 21 June. For more information, see the consultation website.