EU Cyber Security Directive would burden business, government says

The proposed EU Directive for Network and Information Security would impose a £15.28m net cost to UK business per year due to increased security spending, the government estimates. The main affected groups would be the energy, health, transport and finance sectors, ‘information society enablers’ such as cloud services and social networks, and public administrations.

The Directive would introduce compulsory reporting of security breaches that have a significant impact on the provision of core services. The cost estimate does not include the cost of reporting incidents. However, in future years, security costs could drop dramatically as the security levels only need to be maintained rather than established.

The government received 97 responses to its consultation and gathered additional comments through seminars. ‘Stakeholders struggled to identify the exact impact that a mandatory reporting requirement would have – more information was required in regards to the reporting threshold’, the government says.

The proposal’s reporting requirement, and that included in the draft EU Data Protection Regulation, could put some organisations under a double duty in terms of reporting losses of personal data, unless the proposals are streamlined. Respondents to the consultation also noted that mandatory reporting could cover incidents that are already reported to the sector regulator.

Negotiations on the cyber security directive are ongoing in the Council of the EU, the European Parliament and the Commission. CERT-UK, the national Computer Emergency Response Team and the government’s response to cyber security threats, will be operational in early 2014.

See the responses to the UK consultation and the accompanying impact assessment.