Saturday

30th Sep 2023

EU reaches deal on flagship cybersecurity law

  • Parliaments, the judiciary and central banks, as well as the fields of public security, defence and law enforcement, are excluded from the new rules (Photo: Tirza van Dijk)
Listen to article

The European Parliament and EU member states reached an agreement in the early hours on Friday (13 May) over new rules intended to protect Europe's public and private critical entities from cyberattacks.

The updated legislation, also known as NIS2, aims to increase cooperation and cybersecurity resilience among member states by establishing new measures and reporting obligations for operators of essential services like banking and energy.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

"We are shielding our economies and our societies against cyber threats. Enhancing preparedness, resilience, protecting our democracy," said EU commission vice-president Margaritas Schinas after the deal was reached.

Under the previous rules, EU countries could choose which entities fell into the category of "critical" or "essential" services.

But the update of the Network and Information Security Directive (NIS2) introduces common rules for medium and large bodies operating within critical sectors, such as energy, transport, health and digital infrastructure.

These include providers of telecom services and energy supplies, rail infrastructure managers, financial services, waste and water management operators, postal and courier services, medical device manufacturers, and public administrations.

But parliaments, the judiciary and central banks, as well as entities in the areas of public security, defence and law enforcement, are excluded from the scope.

"This … is going to help more than a 100,000 vital entities to tighten their grip on security and make Europe a safe place to live and work," said lead Dutch liberal MEP Bart Groothuis.

Companies and public operators will have to analyse cybersecurity risks and put in place measures to prevent potential cyberattacks, such as basic computer hygiene, encryption, or multi-factor authentication.

They will also have to report any potential cyberattacks and remedies that they have taken in response to such incidents — facing sanctions if found in breach of the rules.

The EU agency for cybersecurity (ENISA) has been carrying out testing exercises since last year to prepare a fast European response when facing cross-border cyberattacks.

But the NIS2 will establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) to support and coordinate crisis management of large-scale cyberattacks in the 27-nations bloc.

The updated legislation also introduces a voluntary "peer-learning mechanism" carried out by designated experts in a bid to increase mutual trust and exchange good practices and information among EU member states.

Nevertheless, all EU countries will have to carry out a self-assessment regarding technical capabilities and financial resources prior to the peer-reviewing — as requested by MEPs during the negotiations.

Once formally adopted, member states will have nearly two years to transpose it into national law.

Feature

Nordic parliaments agree mutual defence on cyberattacks

A cyberattack against one of the Nordic parliaments will be seen as an attack on them all, MPs at the annual council of Denmark, Finland, Iceland, Norway, Sweden, the Faroe Islands, Greenland and Åland agreed this week.

Opinion

How to enhance EU cybersecurity

The Hungarian hacking allowed Russian intelligence to read 'over the shoulder' of an EU member state for an extended period of time. The difficulty for the EU is that it's not one nation, but a combination of 27 cybersecurity policies.

Magazine

To lead in cyberspace, the EU needs to avoid digital tribalism

To avoid digital tribalism the EU needs a strategy to better engage with the Global South, including the emerging digital powers such as Brazil, Egypt, Ghana, India, Indonesia, Jamaica, Kenya, Mexico, Singapore, South Africa, and Senegal.

AI will destroy more female jobs than male, study finds

About four percent of global female employment is subject to potential automation through generative AI technologies, compared to only 1.4 percent of male employment. The trend is even more pronounced in high-income countries, a new study reveals.

Column

EU lobbying clean-up — what happened to that?

Six months after Qatargate, as institutional inertia and parliamentary privileges weigh in, the sense of gravity and collective resolve have all but disappeared. MEPs show little enthusiasm for reform of the rules that today allow them significant outside paid activities.

Latest News

  1. EU women promised new dawn under anti-violence pact
  2. Three steps EU can take to halt Azerbaijan's mafia-style bullying
  3. Punish Belarus too for aiding Putin's Ukraine war
  4. Added-value for Russia diamond ban, as G7 and EU prepare sanctions
  5. EU states to agree on asylum crisis bill, say EU officials
  6. Poland's culture of fear after three years of abortion 'ban'
  7. Time for a reset: EU regional funding needs overhauling
  8. Germany tightens police checks on Czech and Polish border

Stakeholders' Highlights

  1. Nordic Council of MinistersThe Nordic Region is stepping up its efforts to reduce food waste
  2. International Medical Devices Regulators Forum (IMDRF)Join regulators, industry & healthcare experts at the 24th IMDRF session, September 25-26, Berlin. Register by 20 Sept to join in person or online.
  3. UNOPSUNOPS begins works under EU-funded project to repair schools in Ukraine
  4. Georgia Ministry of Foreign AffairsGeorgia effectively prevents sanctions evasion against Russia – confirm EU, UK, USA
  5. International Medical Devices Regulators Forum (IMDRF)Join regulators & industry experts at the 24th IMDRF session- Berlin September 25-26. Register early for discounted hotel rates
  6. Nordic Council of MinistersGlobal interest in the new Nordic Nutrition Recommendations – here are the speakers for the launch

Join EUobserver

Support quality EU news

Join us