The European Commission (EC) has launched a public consultation on cyber security that will run until 12 October 2012.
The EC is seeking the views of governments, businesses and citizens about their experiences and possible EU responses to cyber incidents that disrupt essential networks and information systems.
The consultation is aimed at helping the EC prepare a legislative proposal on network and information security, which will be an important element of the upcoming EU strategy on cyber security.
Feedback received will help the EC draw up an approach to possible future risk management and security breach reporting requirements that would affect businesses in particular.
Later this year, the EC and EU High Representative for Foreign Affairs and Security Policy will present a joint strategy on cyber security.
The aim of the strategy is to ensure a secure and trustworthy digital environment and to enhance preparedness, strengthen the resilience of critical infrastructure and foster a cyber security culture.
The EC is considering a requirement to adopt risk management practices and to report security breaches affecting networks and information systems critical to the provision of key economic and societal services. These include finance, energy, transport and health, and the functioning of the internet.
The only sector where companies are currently required under EU law to adopt risk management practices and to report security incidents is the electronic communications sector, which includes telecoms operators and internet service providers.
The EC has also launched a public consultation into net neutrality. The EC vice-president for the digital agenda, Neelie Kroes, is keen to establish the facts around managing internet traffic across Europe and ensuring customers buying services are getting a fair deal.
The consultation on cyber security comes a month after the European Parliament adopted a resolution on critical information infrastructure protection, and two months after the director of the CIA publicly described cyber security as the battleground of the future.
But the battleground is confused, according to Sam Jardine, senior associate in the technology, media and telecommunications group at international law firm Eversheds.
"Nation states, supranational bodies, businesses and criminals are all players. Nation states are both the hunter and the hunted, actively targeting others’ infrastructure; the current US administration is widely believed to have developed and deployed the Stuxnet virus, which severely degraded Iran’s nuclear and utilities programs," he said.
The EC consultation on cyber security is a preliminary foray into the feasibility of proper supranational legislation, said Jardine.
"It’s too early to tell whether the US, China or other global actors will desire some shaping involvement. It’s safe to say that there isn’t a great deal of cyber trust at present. Which means that cyber paranoia will prevail for the time being," he said.