re: setting up a competent authority
This is something they expect governments to achieve, despite all the evidence to the contrary???
Talks began on a new computer security law for Europe on Tuesday night. National ministers, the European Commission and MEPs got together for the first time in an attempt to nail down the wording in the proposed Network and Information Security (NIS) Directive. When it was proposed by the commission early last year, the draft …
They obviously have no idea what reporting to government agencies is really like. Reporting an incident will merely be a trojan horse to auditing your entire infrastructure and then being forced to upload it to an insecure government database.
And before the audit you will have to complete about an inch of vulnerability self assessment checklists for each system, for each year (or inch-equivalent - somewhere between 500 and 1000 questions). The questions will, of course, change from year to year, dampening excessive cloning. This manual effort will supplement the required vulnerability scans, further burdening employees who might otherwise be spending time patching and fixing the vulnerabilities, or requiring hire of additional employees or contractors.
"'enablers of information society services' such as Google, Amazon, eBay and Skype"
It's a bit of an indictment that the companies chosen as example targets for the proposed directive are US-based. Are there no EU companies worthy even of being mentioned? It also makes the directive look like what it is, an attempt to try to control these US companies, the services of which very many EU citizens want to use.
How about, instead of trying to regulate these companies, which is a complete waste of time, trying to remove the reasons why there are almost no EU companies that are able to provide these services?