
E.U.'s broad cyber security strategy faces a long path to approval


The European Commission has developed an ambitious cyber security strategy with an accompanying legislative proposal, but experts caution that the entire process is still in its early stages.

The European Union strategy and a proposed directive for consideration by the E.U. legislature would require an estimated 42,000 companies from 27 E.U. member states to alert regulators when they have suffered a significant cyber security breach incident.

It also would require E.U. members to appoint a national authority responsible for network and information security and to set up a computer emergency response.

Furthermore, anything approved by the European Parliament would still have to be approved by E.U. member states.

Some experts criticize the European Union's approach as being overly broad.

“It's quite an ambitious set of proposals that cover a lot of ground,” said Mark Young, a senior associate with law firm Covington & Burling L.L.P. in London.

Mr. Young said the directive requires the 27 E.U. member states to share intelligence with one another, “and that's obviously quite a controversial topic.”

Stephen Wares, who leads Marsh Inc.'s cyber risk practice in London, said the strategy “will make it much easier for business to operate across the European Union and for (information technology) vendors to sell their products in the European Union, if we got some harmonization” around security practices.

“It should be possible to build better network security standards” once data breach incident data is aggregated, which will “allow insurers to price their insurance products a lot better and address different industries” in a “much more knowledgeable way,” Mr. Wares said.


However, Jim Halpert, a partner with law firm DLA Piper in Washington, said, “It's not generally clear how the European standards would be developed,” and whether they would be consistent with or different from international standards.

“It's also unclear how the (breach) reporting would really work and whether it would be a two-way street” between the European governments and business, he said. “But this is a very long road, and it's just beginning, so there can be a lot of changes here,” Mr. Halpert said.

The European Union proposal is “ambiguous to the point of very possibly, or quite likely, creating an overly regulatory framework,” said David LeDuc, senior director of public policy for the Washington-based Software and Information Industry Association.

Mr. LeDuc said his organization feels strongly that any cyber security framework should “embrace innovation and retain a certain level of flexibility” and avoid creating specific sets of standards and a “check-the-box” approach.

But Mr. Wares said the proposal is “in a very, very early draft stage, and there's a long, long way to go before it gets to implementation. So there is plenty of time for various industry groups to do whatever lobbying they deem necessary in order to get to a place where they feel comfortable with it.”

Kevin Kalinich, Chicago-based national managing director for network risk at Aon Risk Solutions, said, “It's broad, but it also leaves some room for discretion.” The validity of the criticism that it is overly broad “will depend on how they enforce it,” he said.

Jerry Irvine, chief information officer for Chicago-based Prescient Solutions, an information technology outsourcing company, said in light of the E.U. strategy's “desired outcome of being a framework for each of the E.U. states, it's very difficult for them to get too specific in it. They're trying to give the E.U. states the ability to get in and do their own thing, but wanted to set some sort of guidelines.”

It is “simply a framework. It's really not the end process, and part of the problem with that is that each of the European countries is going to develop their own standards at a very high cost,” Mr. Irvine said.
