The new laws will target “key sectors”, according to the European Commission.
EU countries and lawmakers agreed last week to tougher cybersecurity rules for large energy, transport and financial firms, digital providers and medical device makers, according to a report in Reuters. The announcement comes amid concerns about cyber attacks by state actors and other malicious players.
Two years ago, the European Commission proposed rules on the cybersecurity of network and information systems, called the NIS 2 Directive, in effect expanding the scope of the current rule, known as the NIS Directive. The European Commission welcomed the new rules in a statement.
Targeting businesses of all sizes in a wide range of sectors
The new rules cover all medium and large companies in essential sectors – energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, waste water, digital infrastructure, public administration and space.
According to the EC, all medium and large firms in postal and courier services, waste management, chemicals, food manufacturing, medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers such as online marketplaces, online search engines, and social networking service platforms will also fall under the rules.
The companies are required to assess their cybersecurity risk, notify authorities and take technical and organisational measures to counter the risks, with fines up to 2% of global turnover for non-compliance.
EU countries and EU cybersecurity agency ENISA could also assess the risks of critical supply chains under the rules.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, commented on the new rules. “We have been working hard for digital transformation of our society. In the past months we have put a number of building blocks in place, such as the Digital Markets Act and the Digital Services Act. Today, Member States and the European Parliament have also secured an agreement on NIS 2. This is another important breakthrough of our European digital strategy, this time to ensure that citizens and businesses are protected and trust essential services.”
“Cyber threats have become bolder and more complex,” said EU industry chief Thierry Breton. “It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected.”