Cybersecurity: MEPs strengthen EU-wide requirements against threats

Met dank overgenomen van Europees Parlement (EP) i, gepubliceerd op donderdag 28 oktober 2021.

The new draft law would set tighter cybersecurity obligations in terms of risk management, reporting obligations and information sharing.

According to the legislative text adopted on Thursday by the Industry Committee, EU countries would have to meet stricter supervisory and enforcement measures, and harmonise their sanctions regimes.

Compared to the existing legislation, the new directive would oblige more entities and sectors to take measures. “Essential sectors” such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors would be covered by the new security provisions. In addition, the new rules would also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would be covered by the legislation.

Concretely, the requirements include incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. Member states would be able to identify smaller entities with a high security risk profile, while cybersecurity would become the responsibility of the highest managerial level.

The directive also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database.

The original cybersecurity directive was set up in 2017. However, EU countries implemented it in different ways, thereby fragmenting the single market, which led to insufficient levels of cybersecurity. Given the current high level of cybersecurity threats, this updated legislation is much needed, say MEPs.

Quote

“Cybercrime doubled in 2019, ransomware tripled in 2020 and yet our companies and institutions are spending 41 percent less on cyber security than in the US. We must strengthen the EU’s cybersecurity and create the tools to handle cyber incidents together when they occur. We cannot stop all cybercrime from occurring, but we can protect ourselves better than before and better than others. This new legislation makes the EU a safe place to work and do business”, said lead MEP Bart Groothuis (Renew, NL).

Next steps

The draft negotiating mandate - the report - was adopted with 70 votes to 3, with 1 abstention. MEPs also voted to open negotiations with Council with 71 votes to 2, with 1 abstention. The mandate will be announced in plenary session on 10 November.

Background

An EP briefing note highlights that cyber-attacks, besides being among the fastest-growing form of crime worldwide, are also growing in scale, cost and sophistication. In 2017, Cybersecurity Ventures forecast that global ransomware damage costs would reach US$20 billion by 2021, 57 times more their amount in 2015. It also predicted that companies would be suffering a ransomware attack every 11 seconds by 2021, up from every 40 seconds in 2016.

The latest Threat landscape 2021 report from the European Union Agency for Cybersecurity (ENISA) highlights that cybersecurity attacks have continued to increase through the years 2020 and 2021, not only in terms of vectors and numbers but also in terms of their impact. The COVID-19 pandemic has also had an impact on the cybersecurity threat landscape.


1.

Relevante EU dossiers