THE EUROPEAN COMMISSION (EC) has published draft IT security rules that will require certain firms to report all "major security incidents".
The mandatory disclosure plans are designed to cover organisations that run "critical national infrastructure", the definition of which will impact firms such as Apple, Facebook and Google.
"Operators of critical infrastructures in some sectors, enablers of information society services and public administrations must adopt risk management practices and report major security incidents on their core services," the EC said.
The EC defines information society services as "app stores, e-commerce platforms, internet payment, cloud computing, search engines, social networks".
This would means huge firms like Apple, Facebook, Google, Microsoft, Amazon and Twitter would have to publicise breaches, which could cause major security and trust concerns among consumers.
The INQUIRER contacted some of these firms for comment on the proposals but had received no reply at time of publication.
The plans were originally unveiled in December 2012, when the EC promised to instigate new laws forcing businesses to disclose data on significant incidents within 24 hours.
Lawyer Stewart Room from Field Fisher Waterhouse said the proposals could have a huge impact on the technology world.
"Essentially, the internet as a whole has now been recognised as part of critical infrastructure, just like utilities. Until now, cyber security law has focused on telcos and ISPs, the trunk and access layers of e-comms if you like, but the change brings in 'over the top providers'," he said.
"No doubt the EU will play down the cost of implementing the law, but such claims should be resisted - the cost will be massive to the internet economy."
In the past the security community has been hostile to the idea of forced disclosure. When the policy was announced in 2012 many security researchers claimed the policy would do more harm than good, warning the strategy's 24-hour disclosure deadline was too short. µ