Cyber security information sharing : an overview of regulatory and non-regulatory approaches

Cyber security incidents are constantly increasing in frequency and magnitude, becoming more complex and unconstrained by borders. These incidents can cause major damage to the economy, and hence, cyber security is one of the biggest issues governments and businesses in the European Union (EU) and globally are currently facing. The borderless nature of cyber incidents and attacks, regardless of sector or area, calls for rapid, cross-border and cross-sector responses. Efforts to prevent, better cooperate in relation with, and to be more transparent about cyber incidents must still improve. In the cyber security community, there is currently a strong need for the exchange of data to support the management of vulnerabilities, threats and incidents, as well as other cyber security activities. This study aims to present the regulatory and non-regulatory approaches of EU Member States as well as EEA and EFTA countries to share information on cyber incidents, the different sector regulation challenges of managing cyber security issues, and their key practices in addressing them. This study identifies three types of approaches to share information on cyber security incidents: 1) traditional regulation; 2) alternative forms of regulation, such as self- and co-regulation; 3) other approaches to enable information sharing, such as information and education schemes. The proposed NIS Directive (European Commission, 2013a) and the accompanying Impact Assessment of the European Commission (European Commission, 2013b) identify six key sectors to preserve the good functioning of the internal market. These sectors are public administrations, finance and banking, energy, transport, health and Internet services. The information sharing initiatives in this report were identified and structured based on these criteria.