Europe moves closer to stricter cybersecurity standards, reporting regs
More types of biz fall under expanded rules – and fines for those who fall short
Europe has moved closer toward new cybersecurity standards and reporting rules following a provisional agreement between the European Council and Parliament on the revised Network and Information Systems directive, dubbed NIS2.
Once approved, NIS2 will replace the current Directive on Security of Network and Information Systems, aka NIS, which was adopted in 2016. The new directive sets more stringent requirements — and possible sanctions, including fines — for a larger number of sectors that must comply with the computer security rules.
It also aims to eliminate "the wide divergences" among EU member states' risk management and security reporting rules by establishing uniform criteria for assessing, reporting on, and taking steps to reduce cyber risk.
While the original rules applied to the healthcare, digital infrastructure and service providers, transportation, water supply, banking and financial infrastructure and energy sectors, NIS2 expands the list of covered industries.
The updated security regulations will apply to all medium and large entities across the following sectors and services: providers of public electronic communications networks or services, waste water and waste management, manufacturing of certain critical products (such as pharmaceuticals, medical devices and chemicals), food, digital services such as social networking services platforms and datacenter services, space, postal and courier services.
NIS2 will also apply to public administration entities at central and regional level, while member states have the authority to decide that the directive will apply at the local level as well.
Some key industries are excluded from the regulations. These include defense and national security agencies, public security, law enforcement and the judiciary. Parliaments and central banks are also exempt.
Baseline practices included in NIS2 cover basic computer hygiene, cybersecurity training, the use of cryptography, human resource security, access control policies and asset management, as well as incident response and crisis management, vulnerability handling and disclosure, and policies and procedures to assess the effectiveness of cybersecurity risk management measures, according to a European Commission fact sheet.
NIS2 also sets up a European cybercrisis liaison organization network, dubbed EU-CyCLONe, to help manage large-scale online attacks across Europe, and also to coordinate vulnerability disclosure and increase information sharing and cooperation between government and private sector organizations.
Meanwhile, companies that don't comply with the new risk management and reporting rules face fines of up to €10 million or two percent of their global annual turnover, whichever is higher.
Once adopted by the Council and European Parliament, member states will have 21 months to incorporate NIS2 into their national laws.
European Commissioners, for their part, welcomed the agreement.
"In today's cybersecurity landscape, cooperation and rapid information sharing are of paramount importance," said Thierry Breton, commissioner for the internal market, in a statement. "With the agreement of NIS2, we modernize rules to secure more critical services for society and economy. This is therefore a major step forward."