BRUSSELS (Reuters) - The European Union may force companies operating critical infrastructure in areas such as banking, energy and stock exchanges to report major online attacks and reveal security breaches, a draft EU report seen by Reuters on Monday said.
The European Union’s executive Commission is due to present a proposal on cybersecurity in February once it has received feedback from the European Parliament and EU countries.
EU moves to protect critical infrastructure echo similar concerns worldwide amid an increasing number of cyber attacks globally that can disrupt important areas of the economy, from online banking to stock exchanges.
“Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported,” the report said.
Unlike the United States where companies are required to report online attacks, which supporters say forces companies into keeping cyber defenses tight, the EU has a piecemeal approach.
Some countries like Britain oppose mandatory reporting, which it believes would encourage companies to cover up online breaches because they do not want to alarm their customers.
An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption.
“We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximize security,” the official said.
European companies in critical areas of the economy “lack effective incentives to provide reliable data on the existence or impact” of network security incidents, the report said.
Companies fear that revealing their vulnerability could cost them customers, but authorities are eager for increased transparency to try and shut down methods hackers use to exploit networks before they can do widespread damage.
“Cyber security incidents are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, sanitation, electricity, or mobile networks,” the report said.
The EU proposal would require companies in critical infrastructure areas to conduct risk assessments and work with national authorities to ensure a minimum standard across the 27-country bloc.
Inconsistent measures on cyber security also carry an economic cost. In 2012, 38 percent of the EU’s Internet users say they were concerned about making payments online, an EU poll showed.
Editing by Foo Yun Chee and Claire Davenport