A committee of the European Parliament has approved a new version of the NIS Directive, which governs cybersecurity in the European Union. It extends the scope of this text to include new sectors and proposes stricter obligations. The aim is to create a resilient Europe in response to increased cyber attacks.
Members of the European Parliament's Committee on Industry, Research and Energy adopted the revised Network and Information System Security (NIS) Directive on October 28, 2021. It sets stricter IT security requirements for companies, administrations and states.
Before being finalized, this text will have to be negotiated and approved in the trialogue, i.e. between representatives of the Parliament, the Council and the Commission.
Enhance security against cyber threats
The objective of this text is to "strengthen cybersecurity in the Union and create the tools to manage cyber incidents together when they occur".
Ransomware has tripled in 2020 and yet our companies and institutions spend 41% less on cyber security than in the US. We cannot prevent all cybercrime but we must protect ourselves better than before and better than others. Bart Groothuis, MEP and rapporteur of the text.
Adopted in July 2016, the NIS Directive was the first EU-wide legislation to establish minimum cybersecurity requirements for businesses and organizations providing essential services (ES), whose interruption would have a significant impact on the economy or society.
Entities covered by the NIS Directive must ensure a minimum set of safeguards to protect themselves from a cyber attack. These rules address governance, protection and defense. France transposed the NIS Directive in the law of February 26, 2018, the ordinance of May 23, 2018, and the decision of June 13, 2018.
A fragmented application of the NIS Directive
As the landscape of cyber threats has darkened over the last few years, some member states wanted to revise this directive to extend its scope and include new obligations.
Moreover, this directive whose transposition depends on the goodwill of each signatory, is still applied differently in different member states.
Thus, "essential sectors" such as energy, transport, banking, health, digital infrastructure, public administration and space would be addressed by the new security measures.
In addition, the new rules would protect so-called " critical sectors " such as postal services, waste management, chemicals, food, medical device manufacturing, electronics, machinery, motor vehicles and digital suppliers.
New security requirements
The requirements for those public and private actors - will include:
Food chain security.
The amended text also establishes a framework for better cooperation and information sharing between different authorities and member states. It also creates a European database of vulnerabilities.