Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions regimes were agreed between MEPs and the Council Presidency on Thursday.
The agreed text will set tighter cybersecurity obligations in terms of risk management, reporting obligations and information sharing. The requirements include incident response, supply chain security, encryption and vulnerability disclosure, among other provisions.
More entities and sectors will have to take measures to protect themselves. “Essential sectors” such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors would be covered by the new security provisions.
During negotiations, MEPs insisted on the need for clear and precise rules for companies, and pushed to include as many governmental and public bodies as possible in the scope of the directive.
The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would be covered by the legislation.
The directive also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database.
“Ransomware and other cyber threats have bullied Europe far too long. We need to act and make our businesses, governments and society more resilient to hostile cyber operations,” said lead MEP Bart Groothuis (Renew, NL).
“This European directive is going to help about 160.000 entities to tighten their grip on security and make Europe a safe place to live and work. It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale,” he said.
“The NIS2 is the best cyber security legislation this continent has yet seen, because it will transform Europe to handling cyber incidents pro-actively and service-orientated,” he added.
The informal agreement will now have to be formally endorsed by Parliament and Council to come into force. The Industry, Research and Energy Committee will vote on the text in a forthcoming meeting.
The latest Threat Landscape 2021 report from the European Union Agency for Cybersecurity (ENISA) highlights that cybersecurity attacks continued to increase through 2020 and 2021, not only in terms of vectors and numbers but also in terms of their impact. The COVID-19 pandemic has also had an impact on the cybersecurity threat landscape.
The original cybersecurity directive was set up in 2017. However, EU countries implemented it in different ways, thereby fragmenting the single market, which led to insufficient levels of cybersecurity.