The European Union (EU) parliament has approved a new set of cybersecurity laws, ordering firms in “essential service” industries like banking, health, energy and transport to bolster their defenses against cyber-attacks.
The EU network and information security (NIS) directive represents the first EU-wide standards on cybersecurity. According to an EU parliament statement, they are designed to increase cooperation between member states as well as to prevent attacks on EU countries’ interconnected infrastructure.
EU Parliament rapporteur Andreas Schwab said:
“Cybersecurity incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cybersecurity protection makes us all vulnerable and poses a big security risk for Europe as a whole.”
Requirement to Report Breaches
Of note is a provision within the laws covering digital service providers — such as cloud services, search engines and online marketplaces.
As well as taking measures to protect their infrastructure, these companies will also have to report any major breaches or security incidents to national authorities.
Given the law’s specific mention of online financial services, and KYC/AML requirements for bitcoin exchanges falling in line with those covering banks, there’s no doubt digital currency service providers will need to take extra care to protect their clients’ property and personal data.
The European parliament approved new regulations to cover bitcoin exchanges earlier this year. While not seen as particularly restrictive, the regulations called for “precautionary monitoring” of the industry and the appointment of a watchdog to keep an eye on its development.
Another set of proposed rules is aimed at making trading more transparent and preventing tax evasion. It should be noted, however, that most digital currency exchanges operating in the EU already have customer identification requirements similar to those of banks.
What EU Countries Will Need to Do
For NIS, Union member states will need to identify which companies are operating as “essential services” using set criteria, e.g. is the service critical for society and the economy? Is a security incident at those companies likely to have “significant disruptive effects” on providing their services?
A new EU-wide strategic co-operation group will form to share information and assist EU member states in building their cybersecurity capacity. The existing European Network and Information Security Agency (ENISA) will assist with implementation.
Member states will also be required to form a network of “Computer Security Incident Response Teams” (CSIRTs) to handle incidents, identify risks, and formulate a set of responses.
The NIS directive will come into force 20 days after publication in the EU Official Journal, after which member states will have 21 months to draft individual national laws that comply.
Will the new laws make any difference to the way European bitcoin exchanges handle security and customers’ personal information?
Images courtesy of User Irinawave, Wikimedia Commons.