Europe moves closer to stricter cybersecurity standards, reporting regs

More types of biz fall under expanded rules – and fines for those who fall short

Europe has moved closer toward new cybersecurity standards and reporting rules following a provisional agreement between the European Council and Parliament on an updated network and information systems directive dubbed NIS2.

Once approved, NIS2 [PDF] will replace the current Directive on Security of Network and Information Systems, aka NIS, which was adopted in 2016. The new directive sets more stringent requirements — and possible sanctions, including fines — for a larger number of sectors that must comply with the computer security rules.

It also aims to eliminate "the wide divergences" among EU member states' risk management and security reporting rules by establishing uniform criteria for assessing, reporting on, and taking steps to reduce cyber risk.

While the original rules applied to the healthcare, digital infrastructure and digital service provider, transportation, water supply, banking and financial infrastructure, and energy sectors, NIS2 expands the list of covered industries.

The updated security regulations will apply to all medium and large entities across the following sectors and services: providers of public electronic communications networks or services; waste water and waste management; manufacturing of certain critical products (such as pharmaceuticals, medical devices and chemicals); food; digital services such as social networking services platforms and datacenter services; space; and postal and courier services.

NIS2 will also apply to public administration entities at central and regional level, while member states have the authority to decide that the directive will apply at the local level as well.

Some key industries are excluded from the regulations. These include defense and national security agencies, public security, law enforcement and the judiciary. Parliaments and central banks are also exempt.

Baseline practices included in NIS2 cover basic computer hygiene, cybersecurity training, the use of cryptography, human resource security, access control policies and asset management, as well as incident response and crisis management, vulnerability handling and disclosure, and policies and procedures to assess the effectiveness of cybersecurity risk management measures, according to a European Commission fact sheet.

NIS2 also sets up a European cyber crisis liaison organization network, dubbed EU-CyCLONe, to help manage large-scale online attacks across Europe, to coordinate vulnerability disclosure, and to increase information sharing and cooperation between government and private sector organizations.

Meanwhile, companies that don't comply with the new risk management and reporting rules face fines of up to €10 million or two percent of their global annual turnover, whichever is higher.

Once the Council and European Parliament formally adopt NIS2, member states will have 21 months to incorporate it into their national laws.

European Commissioners, for their part, welcomed the agreement. 

"In today's cybersecurity landscape, cooperation and rapid information sharing are of paramount importance," said Thierry Breton, commissioner for the internal market, in a statement. "With the agreement of NIS2, we modernize rules to secure more critical services for society and economy. This is therefore a major step forward."
