We are currently experiencing an unprecedented period of radical social, technological, economic, and political change. Policymakers across the globe are rushing to cope with this shifting landscape and must adapt or die. In Europe, the lack of a coherent, international approach to deal with the growing problem of failed states and autocratic governments is already threatening to rip apart the European Union. Failing to produce a cybersecurity policy that correctly aligns the interests of private and public stakeholders across the continent would be just as dangerous.
According to the EU Agency for Network and Information Security (ENISA), lapses of cybersecurity currently result in annual losses in the range of €260 – €340 billion worldwide and the number of cyber-related incidents is increasing exponentially. In Europe, as elsewhere, human mistakes, technical failures, and malicious attacks continually expose individuals and institutions to enormous risk. The recent terrorist attacks in Paris only further underscore the need for an effective solution.
Thankfully, after years of debate and negotiation, European officials are seeking to implement the first EU-wide cybersecurity rules: the Network and Information Security (NIS) Directive. At the same time, it remains to be seen whether the agreement’s proposed “stick”- rather than “carrot”-driven approach will strike the right balance.
The new agreement requires that operators of essential services and digital service providers ensure that their digital infrastructure can withstand cyber-attacks, and that they notify the authorities in the case of a serious breach. The challenge, however, is that many breaches go unnoticed for months or even years. If they are identified at all, the prevailing corporate culture of concealing bad news often makes matters worse, increasing reputational risk and public mistrust. Under the status quo, firms often conceal attacks because disclosure raises the likelihood of a public backlash and potential damage to their business.