EU considering mandatory network and information security directive
U.S. companies with operations in Europe would have to comply with a proposed European Union (EU) directive on network and information security that would require firms in certain sectors to report security breaches to national authorities.
"Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services," the EU said in a statement.
The EU estimates that the total cost for enterprises to comply with the directive's requirements would range between €1 billion and €2 billion. The compliance costs for small and medium size enterprises would be between €2,500 and €5,000.
Stewart Baker, a partner at Steptoe & Johnson LLP in Washington and a former assistant secretary at the Department of Homeland Security, said the proposed EU directive would be a "game changer" for U.S. companies. "It covers banks, aviation, and Internet companies, including cloud and e-commerce providers. If companies are required to report breaches in Europe, they won't be able to avoid reporting breaches in the U.S. as well," Baker said in an interview with Bloomberg.
Benjamin Power, partner at the law firm Wilmer Cutler Pickering Hale and Dorr, told the Wall Street Journal that the directive, if approved by the EU, would be a "commanding directive--it's certainly not voluntary."
By contrast, President Barack Obama plans to issue a U.S. directive after his State of the Union address on Tuesday that would include voluntary guidelines for U.S. critical infrastructure firms to beef up their cybersecurity efforts, according to the Bloomberg report. Currently, most U.S. states have some data breach reporting requirements for disclosures of personal information by companies.
Although the proposed EU directive is far from law, if the EU approves it EU countries will have to enact the legislation. The reporting requirements and legal liability would impose additional costs on U.S. companies with operations in Europe.