The European Union has officially published guidelines for a central cybersecurity framework that will allow countries to share information about threats and require companies to disclose when they've suffered major security breaches. The proposal, which was first reported last month, must be approved by the European Parliament before going into effect; it's meant to improve what the EU calls "fragmented" past efforts. If it's passed, countries will have 18 months to adopt a Network and Information Security plan, and to designate an authority to manage cybersecurity. From there, the EU will organize a system to share information and conduct peer reviews of individual countries' systems, though it says it's not looking to dictate specific policies.
A larger effort to centralize cybersecurity
Currently, EU cybersecurity is primarily managed by the European Network and Information Security Agency (ENISA), and this proposal will build on previous laws and projects, with ENISA helping member states develop their own framework. It's a change from previous piecemeal or voluntary systems, but not an unprecedented one. Today, telecommunication companies must report security incidents, but under this framework, cloud service providers, banks, energy and transportation companies, and others would all need to create a cybersecurity plan and disclose major online attacks. A European Cybercrime Center (EC3), meant to help consolidate cybercrime investigations across Europe, previously opened in mid-January.