Consultation on Incident Reporting Notification Thresholds
The UK's Department for Business, Innovation and Skills (BIS) is consulting on one aspect of the proposed EU directive on network and information security (NIS), announced in February.
It would require organisations in certain sectors to report security incidents that have a significant impact on the provision of core services to a national competent authority, which would enforce the directive. These sectors include public administration, finance, energy, transport and health, as well as "enablers of information society services", a category that includes app stores, cloud service providers, social networks and e-payment providers. The requirements are unlikely to apply to individual ecommerce web sites, unless they enable the provision of other information society services.
However, BIS's call for views and evidence, titled "EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32", seeks input on what would count as a significant impact, and thus when notification would be required. Some example reporting thresholds are presented, based on the number of customers, citizens, clients, etc. affected and on the duration of the disruption or loss of availability. I note there is no mention of breaches of integrity or confidentiality, nor of misuse of these systems whilst availability is maintained.
The consultation closes on 21 June 2013. A response template is included within the document, and views can be submitted using a web form, by email or by post.
Posted on: 28 May 2013 at 14:37 hrs
