The European Commission proposed an overhaul of cybersecurity rules for critical sectors and a new cybersecurity strategy Wednesday, in an effort to strengthen defenses against major breaches and state-backed attacks.
The new proposals come in the wake of a major breach of the European Medicines Agency, which is currently involved in approving coronavirus vaccines, and a slew of other attacks that aimed to disrupt Europe’s strategic industries and public institutions in past years.
“The EU is stepping up to protect its governments, citizens and businesses from global cyber threats, and to provide leadership in cyberspace,” said Josep Borrell, the EU’s head of foreign policy.
In a first proposal, the Commission unveiled a revision of its 2016 Networks and Information Security (NIS) Directive that would put stricter requirements on “essential entities” across sectors including energy, transport, financial services, cloud, telecoms, health care, manufacturing and public administrations.
Notable additions to the scope of this “NIS 2” law are: medicines manufacturers and vaccine makers, telecommunications companies including videoconferencing services, cloud and data service providers, aerospace industry players and central government IT systems.
The rules aim to protect key assets and sensitive information of these “essential” organizations from getting hacked or spied on.
They would also impose lighter requirements on a separate category of “important entities,” a broad group of companies and organizations that have faced increasing cybersecurity challenges.
A second proposal for a directive on the protection of critical infrastructure would impose rules to protect physical assets, networks and grids from getting tampered with. The directive, originally drafted in 2008, would be updated to a Critical Entities Resilience Directive affecting a similarly wide range of essential service providers as the cybersecurity law.
The Commission and its diplomatic service also released a new Cybersecurity Strategy.
The strategy includes new mechanisms for industry players and public and security authorities to exchange threat intelligence and incident response information. This so-called “Cyber Shield” is meant to help European organizations react more quickly to attacks and share intelligence across sectors.
It also includes a number of measures for EU institutions and agencies to better protect their data, after years of rising concerns that the EU’s sensitive diplomatic communications were prone to breaches. New rules would be proposed in 2021 and the strategy supports the development of a “quantum communication infrastructure†for the exchange of information across Europe.
“The security of cyberspace has been tested globally in recent times therefore the new cybersecurity strategy is very timely. It sets a clearer framework on how to tackle cyber challenges,” said Juhan Lepassaar, executive director of the EU’s Cybersecurity Agency ENISA.
The document also lays out a plan to push back against “authoritarian regimes’ restrictions on the internet†by making it easier to impose sanctions on state-backed hacking groups and develop stronger international rules within the United Nations and other international fora.
The Commission also released its evaluation of how countries in the EU have so far implemented measures on 5G security, amid increasing pressure on Chinese telecom vendors Huawei and ZTE in Europe.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.
