The new draft law would set tighter cybersecurity obligations in terms of risk management, reporting obligations and information sharing.
According to the legislative text adopted on Thursday by the Industry Committee, EU countries would have to meet stricter supervisory and enforcement measures, and harmonise their sanctions regimes.
Compared to the existing legislation, the new directive would oblige more entities and sectors to take measures. “Essential sectors” such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors would be covered by the new security provisions. In addition, the new rules would also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would be covered by the legislation.
Concretely, the requirements include incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. Member states would be able to identify smaller entities with a high security risk profile, while cybersecurity would become the responsibility of the highest managerial level.
The directive also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database.
The original cybersecurity directive was set up in 2017. However, EU countries implemented it in different ways, thereby fragmenting the single market, which led to insufficient levels of cybersecurity. Given the current high level of cybersecurity threats, this updated legislation is much needed, say MEPs.
“Cybercrime doubled in 2019, ransomware tripled in 2020 and yet our companies and institutions are spending 41 percent less on cyber security than in the US. We must strengthen the EU’s cybersecurity and create the tools to handle cyber incidents together when they occur. We cannot stop all cybercrime from occurring, but we can protect ourselves better than before and better than others. This new legislation makes the EU a safe place to work and do business”, said lead MEP Bart Groothuis (Renew, NL).
The draft negotiating mandate – the report – was adopted with 70 votes to 3, with 1 abstention. MEPs also voted to open negotiations with Council with 71 votes to 2, with 1 abstention. The mandate will be announced in plenary session on 10 November.
Cyber incidents can impede economic activities and cause major damage to the European Union’s economy and society. A study highlights that cyber-attacks, besides being among the fastest-growing form of crime worldwide, are also growing in scale, cost and sophistication.
The latest forecast shows that global ransomware damage costs could reach €17 billion by 2021, 57 times the costs in 2015. It is predicted that companies will suffer a ransomware attack every 11 seconds by 2021, up from every 40 seconds in 2016. As a result, businesses have to invest more money to make cyberspace safer for themselves and their customers.