EU lands new law to fight off hackers in critical sectors

Faced with a flurry of cyberattacks, the European Union is asking its critical sectors to harden their defenses.

Early on Friday, negotiators of a new EU cybersecurity directive struck a deal that will force sensitive industries such as banking, energy, telecoms and transport to better protect their networks and invest in cybersecurity, in an effort to stop hackers from disrupting society’s critical functions. Public administrations are also affected by the directive.

The new law is a cornerstone of a wider EU strategy to respond to the multiple waves of cyberattacks that accompanied the coronavirus pandemic, renewed geopolitical tensions between the West, Russia and China, and more recently the war in Ukraine. Major incidents ranged from cybercriminal “ransomware” attacks like the ones on U.S. oil pipeline operator Colonial and Ireland’s health care system to cyber espionage campaigns on agencies and ministries across the EU.

Under the new directive, critical companies and organizations will have to set up and audit cybersecurity response plans, flag cybersecurity incidents to authorities within 24 hours and use state-of-the-art cybersecurity technologies to prevent hacks — or face sizeable fines.

Representatives of the European Commission, Parliament and EU Council agreed on the details of the Network and Information Security Directive (NIS2 Directive) during late-night talks in Brussels.

The law “is going to help over a hundred thousand entities to tighten their grip on security and make Europe a safe place to live and work,” said Bart Groothuis, the Dutch Liberal MEP who led the negotiations on behalf of the European Parliament. “If we are being attacked on an industrial scale, we need to respond on an industrial scale.”

The law is a revamp of the EU’s first-ever cybersecurity legislation, which was adopted in 2016 and was a first step in giving EU authorities oversight and control over cybersecurity. Member countries had been touchy about the issue for a long time, as it is closely linked to national security, but the flood of disruptive cyberattacks in past years forced EU governments to work more closely at the European level.

Strengthening Europe’s cybersecurity “cuts to the heart of many other policies, from the development of AI, semiconductors, and the defence sector, to our ability to keep the lights on and hospitals open,” Eva Maydell, a center-right European Parliament member from Bulgaria who worked closely on the law, said in a text message.

The legislation imposes a long list of requirements on companies, organizations and public services, including patching software vulnerabilities, preparing risk management measures, sharing information and informing authorities about incidents within 24 hours as well as providing a full report within three days.

Organizations would face fines of 2 percent of turnover for operators of essential services and 1.4 percent for important service providers, negotiators decided. Those figures roughly correspond to what ransomware groups generally demand in ransom payments when they hack major organizations, they said.

“The trade-off becomes: Do I pay the ransom, pay the fine, or rather invest in security prior to getting hacked,” Groothuis, the lead MEP, said.

Negotiators also agreed to include key public administrations within the scope of the law, meaning many government services will have to comply with the requirements too. National governments will also have to come up with policies to help cyber authorities launch preventive operations against hacks and attacks, rather than simply responding to crises.

“This agreement is not a silver bullet, but the scale of this challenge means we must build an arsenal to protect our digital networks against harm and foul play,” said Maydell, the Bulgarian MEP.

The law will need formal approval from EU member countries and the European Parliament. Then, it’s up to national governments to implement the rules.

This article is part of POLITICO Pro
