
EU readies rules to bolster cybersecurity, require notice of data breaches

The European Union is readying an approach to cybersecurity that may subject services such as Google and Facebook to breach notification requirements that mirror those for banks and health-care providers.

The Network and Information Security Directive, a proposal under consideration by the European Commission, would require companies in industries deemed critical to strengthen digital safeguards and report breaches to national authorities.

The directive represents one of the first attempts to legislate a rule for security breaches that crosses borders. That stands in contrast to the U.S., which has yet to adopt a national notification law and leaves companies to comply with a series of notification requirements set by states.

Members of the European Parliament who have been negotiating the rules have agreed to extend the reach of the directive to social networks, cloud computing platforms, commerce sites and other digital platforms, according to a report Friday by Reuters.

Under the terms of the directive, which was proposed in 2013, companies that operate so-called critical infrastructure in any of the 28 countries that constitute the EU will be required to report “significant security incidents” as well as adopt measures to lessen the risk of cyber threats.

In addition to Internet companies, the directive would require companies in the financial, energy, health and transportation industries to report incidents “having a significant impact on the security of core services.” The EU currently requires telecommunications companies to report such incidents.

Members of the commission are expected to start work this September on a final version of the rule.

Ninety percent of large corporations and 74% of small businesses in the U.K. experienced a security breach in the past year, according to a survey published recently by PwC.