The new law is a cornerstone of the EU’s broader strategy to deal with waves of cyberattacks that have come with the coronavirus pandemic, geopolitical tensions and, most recently, the war in Ukraine. Major incidents include cybercriminal “ransomware” attacks, such as those against US oil pipeline operator Colonial and the Irish healthcare system, as well as cyberespionage against EU agencies, departments and commissions.
Under the new directive, key European companies and organisations will have to establish and audit cybersecurity response plans, notify authorities of cybersecurity incidents within 24 hours, and use state-of-the-art cybersecurity technology to prevent hacking, or face hefty fines.
Representatives of the European Commission, Parliament and the Council of the European Union agreed on details of the Network and Information Security Directive (NIS2 Directive) in late-night talks in Brussels.
Dutch Liberal MEP Bart Groothuis, who led the negotiations on behalf of the European Parliament, said the law “will help hundreds of thousands of entities tighten their grip on security and make Europe a safe place to live and work. If we are attacked on an industrial scale, we need an industrial-scale response.”
The law is a revision of the EU’s first-ever cybersecurity legislation, passed in 2016 as a first step towards giving EU authorities oversight of cybersecurity. Member states have long guarded the issue as their own because it is closely linked to national security, but the proliferation of disruptive cyberattacks over the past few years has forced EU governments to cooperate more closely at the European level.
Strengthening cybersecurity in Europe “goes to the heart of many other policies, from developments in artificial intelligence, semiconductors and the defence sector, to our ability to keep lights and hospitals open,” Eva Maydell, a centre-right European Parliament member from Bulgaria, said in a text message.
The law imposes a long list of requirements on companies, organisations and public services, including patching software vulnerabilities, preparing risk management measures, sharing information, notifying authorities of incidents within 24 hours, and providing a full report within three days. Negotiators finalised fines of up to 1.4 or 2 percent of turnover, depending on the category of entity, for organisations that breach their basic cybersecurity obligations. Interestingly, these figures are roughly equivalent to what ransomware groups typically demand when they breach major organisations.
“The trade-off is: do I pay the ransom, pay the fine, or invest in security before I get hacked,” said lead MEP Groothuis.
Negotiators also agreed to bring key public administrations under the purview of the law, meaning many government services must also comply with these requirements. Governments must also develop policies that allow their cyber authorities to take preventive action against hacking and attacks, rather than simply waiting to respond to a crisis.
“This deal is not a silver bullet, but the scale of this challenge means we must build an arsenal to protect our digital networks from harm,” said Bulgarian MEP Maydell.
The law still requires formal approval by EU member states and the European Parliament. It will then be up to national governments to transpose and enforce these rules.