Parliament wants to better protect Europeans and businesses against growing cyber threats. Learn more in our interview with MEP Bart Groothuis.
As network and information systems become a central feature of everyday life, cybersecurity threats have expanded. They can cause financial damage and go as far as disrupting water and power supplies or hospital operations. Strong cybersecurity is crucial to protect people, to embrace the digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.
On 11 November Parliament adopted its negotiating position on the revision of the directive on the security of network and information systems. We asked Groothuis (Renew, the Netherlands), the MEP in charge of the file, to explain what the Parliament wants.
What are the most prominent cybersecurity threats?
Ransomware is by far the most significant threat. It tripled worldwide in 2020 and we see another peak coming this year. Ten years ago, ransomware targeted individuals. Someone had to pay €100 or €200 to the hacker. Nowadays, the average payment is €140,000. Not only large companies, but also small enterprises are being attacked and they have to pay because they cannot operate otherwise.
It is also the most significant threat because it is an instrument of foreign policy for rogue states.
- Ransomware: a type of malware that infects computer systems, preventing the victim from using the system and the data stored on it. The victim usually receives a blackmail note by pop-up, asking for the payment of a ransom to regain access.
How does this ransomware pandemic affect the life of a citizen or company?
We see ransomware targeting nearly everything that offers services to citizens. It might be a local municipality, a hospital, a local manufacturer.
The Parliament and Council are working on cybersecurity legislation. The goal is to better protect these entities against these hackers. EU companies that provide essential or important services will have to take cybersecurity measures and governments need to have the capabilities to help these companies and share information with them and other governments.
What does Parliament want?
Parliament wants the legislation to be ambitious. The scope should be wide; we should cover and help entities that are vital to our way of living. Europe should be a safe place to live and do business. And we should not wait: we need this new legislation fast.
Why is speed important?
In cybersecurity, you need to make sure that you are not the weakest. EU businesses are already investing 41% less than companies in the US. And the US is moving fast; Biden is creating emergency legislation and you do not want to be in a situation where Europe becomes more attractive to ransomware hackers in comparison to other parts of the world. Investments in cybersecurity need to be made now.
The second reason is that there are problems in the cybersecurity community that need to be fixed as soon as possible. Cybersecurity professionals often have GDPR concerns: can they or can they not share cybersecurity data? There should be a solid legal basis to share cybersecurity data to help prevent cyberattacks.
What challenges could the Parliament face in the negotiations?
There will be debate on the scope, on which entities should be included, and we will have to discuss the administrative impact on companies. Parliament believes that the legislation should protect companies, but it should also be practical and doable; what can we reasonably ask? Another issue is the core of the internet, the root level domain name service. The European Commission and the Council want to bring this into the scope of the rules and regulate it. I very much oppose that, because Russia and China will want to do the same and we should keep the core free and open and retain our multi-stakeholder model.
Why is it important to have common cybersecurity rules in all EU countries?
The basis of this legislation is the functioning of the internal market. It shouldn’t matter if you do business in Slovakia, Germany or the Netherlands. You want to make sure that there is a common level of cybersecurity requirements and that the country that you are in has cybersecurity infrastructure.
This interview was conducted before the directive on the security of network and information systems (NIS2) was adopted by Parliament in November 2022.