The European Union (EU) has reached political agreement on new legislation that will impose common cybersecurity standards on critical industry organisations.
The new directive will replace the existing EU rules on the security of network and information systems (the NIS directive), which need to be updated due to “the increasing degree of digitization and interconnectedness of our society and the growing number of malicious cyber activities globally”.
The NIS 2 directive will cover medium and large organizations operating in critical sectors. These include providers of public electronic communications services, digital services, sewage and waste management, manufacturing of critical products, postal and courier services, healthcare and public administration.
Among the provisions of the new legislation are the reporting of cybersecurity incidents to the authorities within 24 hours, the fixing of software vulnerabilities and the preparation of risk management measures.
It also aims to create stricter enforcement requirements and harmonize sanctioning regimes between Member States. Operators of essential services would face fines of up to 2% of annual turnover for non-compliance, while for large service providers the maximum fine would be 1.4%.
The measures were originally proposed by the European Commission in December 2020.
The political agreement will have to be formally approved by EU member countries and the European Parliament. Once adopted, Member States will have to transpose the new requirements into their national legislation within 21 months.
Commenting on the announcement, Margrethe Vestager, Executive Vice President for a Europe Fit for the Digital Age, said: “We have worked hard for the digital transformation of our society. Over the past few months, we have put in place a number of building blocks, such as the Digital Markets Act and the Digital Services Act. Today, Member States and the European Parliament also secured agreement on NIS 2. This is another important breakthrough in our European digital agenda, this time to ensure that citizens and businesses are protected and trust essential services.”
Margaritis Schinas, Vice President for Promoting Our European Way of Life, said: “Cybersecurity has always been key to protecting our economy and society from cyber threats; it becomes critical as we move forward in the digital transition. The current geopolitical context makes it even more urgent for the EU to ensure that its legal framework is fit for purpose. By agreeing to these further strengthened rules, we are fulfilling our commitment to improve our cybersecurity standards in the EU. Today, the EU shows its strong determination to champion preparedness and resilience against cyber threats, which target our economies, our democracies and peace.”
This announcement follows a number of significant cybersecurity initiatives by government agencies. These include President Joe Biden’s executive order last year imposing zero-trust requirements on federal agencies, new legislation in the United States imposing reporting obligations on critical infrastructure organizations, and the proposed UK Product Security and Telecommunications Infrastructure (PSTI) Act, which will impose new cybersecurity standards on manufacturers, importers and distributors of Internet-connectable devices.
Last year, the EU presented plans to create a joint cyber unit to improve the ability to respond to growing cyber attacks against member states.