(BRUSSELS) – A new draft law, agreed Thursday by a European Parliament committee, would set tighter cybersecurity obligations in terms of risk management, reporting obligations and information sharing.
According to the draft legislative text adopted by the Industry Committee, EU countries would have to meet stricter supervisory and enforcement measures, and harmonise their sanctions regimes.
Global ransomware damage costs could reach EUR 17 billion by 2021, 57 times the costs in 2015, according to the latest forecasts. It is predicted that companies will suffer a ransomware attack every 11 seconds by 2021, up from every 40 seconds in 2016.
“Cybercrime doubled in 2019, ransomware tripled in 2020 and yet our companies and institutions are spending 41 percent less on cyber security than in the US,” said lead MEP Bart Groothuis. “We must strengthen the EU’s cybersecurity and create the tools to handle cyber incidents together when they occur.”
The new directive would oblige more entities and sectors to take measures, compared to the existing legislation. “Essential sectors” such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors would be covered by the new security provisions.
The new rules would also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers.
All medium-sized and large companies in selected sectors would be covered by the legislation.
Concretely, the requirements include incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. Member states would be able to identify smaller entities with a high security risk profile, while cybersecurity would become the responsibility of the highest managerial level.
The directive also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database.
The original cybersecurity directive was set up in 2017. However, EU countries implemented it in different ways, thereby fragmenting the single market, which led to insufficient levels of cybersecurity. Given the current high level of cybersecurity threats, this updated legislation is much needed, say MEPs.