The European Union has included a data breach notification law in its new, proposed cyber security directive.
The proposed rule would oblige organisations in the energy, transport, health, Internet and public administration sectors to report any security incident that "seriously compromis[es] the operation of networks and information systems" to the relevant authorities.
The EU pointed to the example of Dutch SSL certification authority Diginotar. In 2011, hackers stole SSL certificates from the authority, allowing them to make unsafe websites look secure.
"Diginotar did not report that its systems were hacked and did not revoke the digital certificates that were fraudulently issued," the EU wrote. "This resulted in a large number invalid certificates circulating online, compromising the security of Internet services and eventually affecting trust in the Internet."
The proposed directive follows an online public consultation with business of all sizes. The EU says that just over half of respondents agreed that "a requirement to report security breaches would not cause significant additional costs (52.5%) and 19.8% said that it would not cause additional costs at all".
One in four respondents (44.4%) said that "a requirement to notify and report incidents to NIS authorities would be needed to make private companies and public administrations systematically report about cyber security incidents".
The directive, which is subject to EU parliamentary approval, also proposes that member states establish a Computer Emergency Readiness Team (CERT) to respond to information security incidents – something that Cabinet Office minister Francis Maude proposed for the UK last year.