The European Union has drawn up a set of rules governing the security of the region's digital infrastructure. Under the framework provisionally agreed last night by Members of the European Parliament (MEPs) and the Luxembourg Presidency of the EU Council of Ministers, transport, energy and other key companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is resilient enough to withstand online attacks. Similarly, major digital marketplaces like eBay or Amazon, search engines, and cloud services will be required to ensure that their infrastructure is secure, and to report major incidents. Smaller digital companies will be exempt from these requirements.
As a press release from the European Parliament explains: "MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors—energy, transport, banking, financial market, health and water supply—in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities."
Member states will be required to identify "operators of essential services" from these key sectors, using various criteria such as whether the service is critical for society and the economy, whether it depends on network and information systems, and whether an incident could have significant disruptive effects on its provision, or public safety.