The European Union (EU) has reached political agreement on new legislation that will impose common cybersecurity standards on critical industry organizations.
The new directive will replace the EU’s existing rules on the security of network and information systems (the NIS Directive), which require updating because “of the increasing degree of digitalization and interconnectedness of our society and the rising number of cyber malicious activities at the global level.”
The NIS 2 Directive will cover medium and large organizations operating in critical sectors. These include providers of public electronic communications services, digital services, wastewater and waste management, manufacturing of critical products, postal and courier services, healthcare and public administration.
Among the provisions in the new legislation are flagging cybersecurity incidents to authorities within 24 hours, patching software vulnerabilities and preparing risk management measures.
It also aims to create stricter enforcement requirements and harmonize sanctions regimes across member states. Operators of essential services would face fines of up to 2% of annual turnover for failing to comply, while for important service providers, the maximum fine would be 1.4%.
The measures were originally proposed by the EU Commission in December 2020.
The political agreement will need to be formally approved by EU member countries and the European Parliament. Once passed, member states will need to transpose the new requirements into national law within 21 months.
Commenting on the announcement, Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age, said: “We have been working hard for digital transformation of our society. In the past months, we have put a number of building blocks in place, such as the Digital Markets Act and the Digital Services Act. Today, Member States and the European Parliament have also secured an agreement on NIS 2. This is another important breakthrough of our European digital strategy, this time to ensure that citizens and businesses are protected and trust essential services.”
Margaritis Schinas, vice-president for Promoting our European Way of Life, stated: “Cybersecurity was always essential to shield our economy and our society against cyber threats; it is becoming critical as we are moving further in the digital transition. The current geopolitical context makes it even more urgent for the EU to ensure that its legal framework is fit for purpose. By agreeing on these further strengthened rules, we are delivering on our commitment to enhance our cybersecurity standards in the EU. Today, the EU shows its clear determination to champion preparedness and resilience against cyber threats, which target our economies, our democracies and peace.”
The announcement follows a number of significant initiatives taken by government bodies regarding cybersecurity. These include President Joe Biden’s Executive Order last year mandating zero trust requirements on federal agencies, new legislation in the US imposing reporting obligations on critical infrastructure organizations and the UK’s Product Security and Telecommunications Infrastructure (PSTI) Bill, which will place new cybersecurity standards on manufacturers, importers and distributors of internet-connectable devices.
Last year, the EU set out plans to create a Joint Cyber Unit to improve the ability to respond to rising cyber-attacks on member states.