Cybersecurity: Parliament passes new law to strengthen EU resilience

MEPs on Thursday approved rules requiring EU countries to comply with stricter supervision and enforcement measures and harmonize sanctions.

European Parliament November 10, 2022

  • New legislation sets stricter requirements for businesses, governments and infrastructure

  • Divergent national cybersecurity measures make EU more vulnerable

  • New "essential sectors" such as energy, transportation, banking and health are covered by the law

The legislation, already agreed upon by members and the Council in May of this year, will establish more stringent cybersecurity requirements for risk management, reporting requirements and information sharing. The requirements include incident handling, supply chain security, encryption and vulnerability disclosure.

More entities and sectors must take measures to protect themselves. "Essential sectors" such as energy, transportation, banking, healthcare, digital infrastructure, public administration and space will be covered by the new security provisions.

During the negotiations, MEPs insisted on the need for clear and precise rules for companies, and urged that as many government and public entities as possible be included within the scope of the directive.

The new rules also protect so-called "key sectors," such as postal services, waste management, chemicals, food, medical device manufacturing, electronics, machinery, motor vehicles and providers of ICT products or services. All medium and large enterprises in certain sectors will be covered by the legislation.

It also establishes a framework for better cooperation and information exchange between different authorities and member states and creates a "European vulnerability database."

Quote

"Ransomware and other cyber threats have plagued Europe for far too long. We must take action to make our companies, governments and society more resilient to hostile cyber operations," said MEP and Rapporteur Bart Groothuis (Renew, NL) (1).

"This European directive is going to help some 160,000 entities strengthen their grip on security and make Europe a safe place to live and work. The law should also enable information sharing with the private sector and partners around the world. If we are attacked on an industrial scale, we must respond on an industrial scale," he said.


"This is the best cybersecurity legislation this continent has ever seen because it will make Europe proactive and service-oriented in dealing with cyber incidents," he added.

Follow-up steps

The EP adopted the text by 577 votes to six, with 31 abstentions. After Parliament's approval, the Council must also formally approve the law before it is published in the EU's Official Journal.

Background

The Directive on Network and Information Security (NIS) was the first piece of EU legislation on cybersecurity, specifically aimed at achieving a high common level of cybersecurity across all member states. Although the directive increased the cybersecurity capabilities of member states, its implementation proved difficult, resulting in fragmentation at different levels within the internal market. In response to the increasing threats posed by digitization and the rise in cyber-attacks, the Commission put forward a proposal to replace the NIS Directive to strengthen security requirements, address the security of supply chains, streamline reporting requirements and introduce stronger oversight measures and enforcement requirements, including harmonized sanctions across the EU.

  1. https://www.europarl.europa.eu/meps/en/197780/BART_GROOTHUIS/home
