EU Agrees New Cybersecurity Legislation for Critical Services Organizations
The European Union (EU) has reached a political agreement on new legislation that will impose common cybersecurity standards on organizations operating in critical sectors.
The new directive will replace the existing EU rules on the security of network and information systems (the NIS Directive), which requires an update due to the “increased degree of digitization and interconnection of our society and the increasing number of cyber-malicious activities worldwide.”
The NIS 2 Directive will cover medium and large organizations operating in critical sectors. These include providers of electronic communications utilities, digital services, wastewater and waste management, critical product manufacturing, postal and courier services, healthcare and public administration.
Among the provisions of the new legislation are the reporting of cybersecurity incidents to the authorities within 24 hours, the correction of software vulnerabilities and the preparation of risk management measures.
It also aims to create stricter enforcement requirements and harmonize sanctions regimes among member states. Essential service operators would face fines of up to 2% of annual turnover for non-compliance, while for major service providers, the maximum fine would be 1.4%.
The measures were initially proposed by the EU Commission in December 2020.
The political agreement will have to be formally approved by the EU member states and the European Parliament. Once approved, Member States will have to transpose the new requirements into national law within 21 months.
Commenting on the announcement, Margrethe Vestager, Executive Vice President for a Digital Europe, said: “We have been working hard for the digital transformation of our society. In recent months, we have launched a number of building blocks, such as the Digital Markets Act and the Digital Services Act. Today, Member States and the European Parliament have also reached an agreement on NIS 2. This is another important step forward in our digital strategy for the European Union, this time to ensure that citizens and businesses are protected and have access to essential services.”
Margaritis Schinas, Vice President for Promoting Our European Lifestyle, stated: “Cybersecurity has always been essential to protecting our economy and our society from cyber threats; it is becoming critical as we move forward in the digital transition. The current geopolitical context makes it even more urgent for the EU to ensure that its legal framework is appropriate for its purpose. By accepting these stronger standards, we are fulfilling our commitment to improving our cybersecurity standards in the EU. Today, the EU is showing its clear determination to defend its readiness and resilience in the face of cyber threats, which are aimed at our economies, our democracies and peace.”
The announcement follows a series of significant cybersecurity initiatives by government agencies. These include President Joe Biden’s Executive Order last year requiring zero trust architectures in federal agencies, new legislation in the U.S. imposing incident reporting obligations on critical infrastructure organizations, and the Product Security and Telecommunications Infrastructure (PSTI) Bill in the UK, which will set new cybersecurity standards for manufacturers, importers and distributors of internet-connectable devices.
Last year, the EU set out plans to set up a Joint Cyber Unit to improve its ability to respond to growing cyber attacks on member states.