"We need to be careful that positive outcomes and information sharing about the cyber risk is the result, rather than honest disclosure being driven underground by fear of reputational damage," he said.
As it stands, the proposals are still open to some interpretation, for instance which incidents large organisations will have to report. The document describes these as being any "having a significant impact on the security of core services."
Major security incidents - database breaches or sudden loss or important services for instance - would need no definition but, interestingly, in the EU definition 'major' includes more basic problems such as "the unavailability of an online booking engine that prevents users from booking their hotels."
Exactly when the proposed law will come into effect will depend on its adoption by the Council and European Parliament, after which member states will have a further 18 months to act.
Sign up for Computerworld eNewsletters.