Friday

9th Dec 2022

Brussels tightens cybersecurity rules days after attack

  • The policy deems 10 sectors as 'essential infrastructure' - energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space (Photo: The Preiser Project)

The European Commission announced on Wednesday (16 December) a reform of the bloc's cybersecurity rules - just days after the European Medicine Agency was subjected to a cyberattack connected to its evaluation of Moderna's Covid-19 vaccine.

"The time of innocence is over. We know that we are a prime target," said commission vice-president Margaritis Schinas.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

"There are many state and non-state actors that simply want to see Europe fail and many key competitors that use this avenue to explore our vulnerabilities and succeed obtaining a competitive advantage," he added, warning that cyberattacks against the bloc's critical infrastructure increased during the Covid-19 pandemic.

The EU last year recorded 450 cybersecurity incidents involving European critical infrastructure like finance and energy, while the pandemic has accelerated the digitalisation of work and exposed new security weaknesses.

European companies are seen as less well-prepared in cybersecurity than firms in Asia and America.

Meanwhile, the cost of cybercrime to the global economy during this year is estimated to be €5.5 trillion - double 2015's figure.

The commission proposal, which builds on the 2016 EU cybersecurity law (NIS), focuses on protecting the essential infrastructure of medium or large companies and public bodies operating in 10 sectors - energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space.

Also deemed important entities are: postal and courier services, waste management, chemicals, food manufacturing, medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers such as online market places, online search engines, and social networking service platforms.

Additionally, smaller players could also fall under the scope of the rules - if they have a high-security risk profile.

Elections not included

While EU officials acknowledge the use of political cyberattacks, the reform falls short of including election administration among its priorities.

The plans also include an "EU-wide Cyber Shield" which would connect operations of national authorities and EU-level security centres, using artificial intelligence to detect early signs of attacks, and scaling up cooperation between countries and organisations like Nato.

Nato has seen "more frequent and more sophisticated cyberattacks" and "established cyber as a military domain, alongside air, land and sea," Nato chief Jens Stoltenberg said on Tuesday.

Under the new rules, all these essential entities will be required to notify cyberattacks, within 24 hours of being made aware, to the relevant national authority.

The European Union Agency for Cybersecurity would compile and keep track of these incidents in monthly reports.

Companies that failed to comply with the rules can face a range of sanctions, which include fines from €10m to two percent of their global annual revenue.

"In a case where a company continues not to fulfil its obligations, in this category, we can go up to suspension of authorisation. That is the last resort. [But] we may also have temporary bans against any persons discharging managerial responsibility," said EU commissioner for the internal market Thierry Breton.

Brussels also wants to reinforce the sanction system, with a proposal for member states to agree on sanctions by a qualified majority, instead of unanimity - a sensitive subject for EU countries.

Brussels imposed this year the first-ever cyberattacks-related sanctions on people and organisations linked to North Korea, China and Russia - including a travel ban and an asset freeze.

The proposal needs to be discussed and adopted by EU countries and MEPs before it can go into effect.

Once agreed upon, member states would then have to adopt and apply the new rules within 18 months.

Interview

Cyberattack behind Tigray blackout, says Ethiopia

Hirut Zemene is Ethiopia's ambassador to the European Union. She is demanding for "a balanced view and understanding" by the EU of the conflict in Tigray region. The country is vying for national elections in May.

Interview

Lithuania bids to host EU cyber-centre

Lithuania wants a new EU cyber-security centre to hang its flag in a historic TV tower in Vilnius, on one of Europe's modern front lines.

Cybercrime rises during coronavirus pandemic

Cybercrime and cyberattacks have increased due to the coronavirus outbreak. As a result, the World Health Organization, hospitals and research centres are being targeted by organised cybercriminals - searching for information, intelligence, and systems access.

Europol busts global cybercrime gang

A loose network of cyber criminals recruited from an online Russian forum managed to infect thousands of computers in an effort to steal online banking credentials. The gang has been dismantled, with some now on the run.

EU creates new cyber unit, after wave of online attacks

The European Commission unveiled its plans to build a new task force to respond to an increasing number of cyberattacks on the bloc - coordinating existing operations between EU institutions, agencies and national authorities.

Illegal pushbacks happening daily in Croatia, says NGO

More than 1,600 testimonies of alleged illegal pushbacks of migrants and refugees throughout the EU has been published, collated by the Border Violence Monitoring Network and the Left party — adding to the mounting evidence of abuse.

Stakeholders' Highlights

  1. Nordic Council of MinistersLarge Nordic youth delegation at COP15 biodiversity summit in Montreal
  2. Nordic Council of MinistersCOP27: Food systems transformation for climate action
  3. Nordic Council of MinistersThe Nordic Region and the African Union urge the COP27 to talk about gender equality
  4. International Sustainable Finance CentreJoin CEE Sustainable Finance Summit, 15 – 19 May 2023, high-level event for finance & business
  5. Friedrich Naumann Foundation European DialogueGender x Geopolitics: Shaping an Inclusive Foreign Security Policy for Europe
  6. Obama FoundationThe Obama Foundation Opens Applications for its Leaders Program in Europe

Latest News

  1. EU lets Croatia into Schengen, keeps Bulgaria and Romania out
  2. Energy crisis costs thousands of EU jobs, but industrial output stable
  3. Illegal pushbacks happening daily in Croatia, says NGO
  4. No, Bosnia and Herzegovina is not ready for the EU
  5. EU takes legal action against China over Lithuania
  6. EU Commission shoring up children's rights of same-sex parents
  7. The military-industrial complex cashing-in on the Ukraine war
  8. EU delays Hungary funds decision, as Budapest vetoes Ukraine aid

Stakeholders' Highlights

  1. EFBWW – EFBH – FETBBA lot more needs to be done to better protect construction workers from asbestos
  2. European Committee of the RegionsRe-Watch EURegions Week 2022
  3. UNESDA - Soft Drinks EuropeCall for EU action – SMEs in the beverage industry call for fairer access to recycled material
  4. Nordic Council of MinistersNordic prime ministers: “We will deepen co-operation on defence”
  5. EFBWW – EFBH – FETBBConstruction workers can check wages and working conditions in 36 countries
  6. Nordic Council of MinistersNordic and Canadian ministers join forces to combat harmful content online

Join EUobserver

Support quality EU news

Join us