According to a report on The Next Web, the European Parliament has recently passed a measure that would create the first-ever Europe-wide cyber-security laws. That makes sense in a way: if the E.U. is to be an economic powerhouse whose members work together closely, then Union-wide cyber-security regulation is needed to get everyone on the same page.
The problem? Companies like eBay, Amazon, and Google, along with leading online brands, and companies in energy, transport, health, and banking, will have to prove that they are "cyberattack-proof," which is essentially impossible.
They will have to do this under the Network and Information Security Directive. The rules require companies under the directive's purview to provide secure networks and to report serious data breaches. Companies below a certain unspecified size, and social networks like Facebook, will be exempt from the regulation.
Neither what "secure" means nor what form the sanctions would take has been determined.
The draft rules still have to pass through a few committees before being finalized and enforced, but they are, according to Kirsty Styles of The Next Web, part and parcel of the recent push to further integrate and align the concerns of European Union member countries, despite protests and public sentiment growing against it.
The problem with these rules, of course, is that unless the regulations are written, implemented, and enforced very specifically and very carefully, they are basically impossible to comply with. Even tech companies with the best intentions with their security and the fullest efforts to protect their data are not invulnerable. Skilled hackers can always find a way in.
The regulations would, at the least, have to include provisions that exclude from penalty companies that put good-faith efforts into their security. Otherwise the sanctions would inevitably further punish companies that had already been hacked despite a lack of negligence on their part.
In addition to bringing E.U. members closer together, these regulations are another step in European regulators' effort to control the business and data practices of large tech companies, especially companies based in the United States. An E.U. court recently ruled that tech companies can't send data to the United States for processing. And Google has undergone a near-endless saga of anti-trust battles and being forced to modify its search results due to the newly created 'right to be forgotten.'
The European Union must be careful. It certainly, and rightfully, has an interest in overseeing how tech companies operate within its member states. But too much regulation implemented too carelessly could lead to an inhospitable environment for business.