* Draft EU law would affect 42,000 companies
* Aimed at improving cyber security in vital sectors
* Firms worry about cost, possible reputation damage
By Ethan Bilby
BRUSSELS, Feb 6 - Around 42,000 firms in the
European Union, including airports, banks and hospitals, would
have to inform regulators whenever their computers are hacked,
under a proposed EU law to be published on Thursday.
The law could set a global precedent for safeguarding
critical infrastructure against digital attacks that have hit
companies and government departments in an era of increasing
"cyber-crime" and "cyber-terrorism".
But some businesses worry they face extra costs.
Under the draft law, EU member states would have to draw up
a monitoring system for companies that are critical to the
economy. Those firms would then have to report major online
attacks to national authorities and reveal security breaches.
Almost 15,000 transport companies, 8,000 banks, 4,000 energy
firms, and 15,000 hospitals will have to report cyber attacks if
the proposals are approved by EU governments and the European
Public administrations and operators of critical Internet
services would also have to report. Firms with fewer than 10
employees would not be covered by the legislation.
"As the online world becomes a part of everything we do,
securing that world is essential to ensuring a society that
remains secure, prosperous and free," EU telecoms chief Neelie
Kroes said in a speech last week.
Inefficient measures on cyber security carry an economic
cost in lost trade, an EU poll showed. In 2012, 38 percent of
the EU's Internet users said they were concerned about making
The proposed law would require all 27 EU states to appoint a
national authority responsible for network and information
security and to set up a computer emergency response team to
handle security incidents.
Some firms say the regulations are too vague and could mean
extra costs. They also worry that being forced to divulge
attacks on their networks to a regulator could be bad for their
In deciding whether to make a cyber attack public, the
national authority would have to weigh the public interest in
knowing about the incident against possible reputation damage.
The proposed legislation leaves it up to national
authorities to decide whether companies would face any penalty
for failing to report a cyber attack. "It is not about the
criminalisation of attacks," one EU official said.
(Additional reporting by Adrian Croft; Editing by Robin