Bolstering European cyber risk management

The European Union is replacing its bloc-wide cybersecurity directive in an effort to improve cyber resilience.

As if anyone needed reminding, this week the French health sector came under attack from cyber criminals, in yet another indication of the growing threat of cyber crime. The attack targeted the André Mignot hospital in Versailles on Saturday 3 December, according to the Agence régionale de santé (ARS) Île-de-France, the regional health agency, which prompted the hospital to shut down its network as a precaution.

The attack is understood to be the second case of its kind in the country this year.

Help would appear to be at hand, however, in the form of major new legislation from the European Union aimed at protecting critical infrastructure, as the bloc makes its first major upgrade to its cybersecurity framework in years.

New directive

In November, the European Parliament and the Council of the EU approved a new directive known as the Network and Information Security Directive 2 (NIS 2.0). It will replace the original NIS Directive, adopted in 2016 as the first EU-wide cybersecurity legislation.

“We need to act to make our businesses, governments and society more resilient to hostile cyber operations,” Bart Groothuis, the European Parliament’s rapporteur for the directive, said in a statement. “This European directive is going to help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work.”

NIS 2.0 aims to bolster the EU’s cybersecurity capabilities and resilience by extending its coverage to more sectors and by raising and harmonising the baseline security requirements that member states must impose.

Significantly, this expansion includes a focus on critical infrastructure such as energy systems, health care networks and transportation services.

Cyber centre

The directive also introduces new mechanisms to encourage cooperation among national authorities and formally establishes the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), a network of national crisis-management authorities that coordinates the response to large-scale cyber incidents.

“If we are being attacked on an industrial scale, we need to respond on an industrial scale,” Groothuis added.

Under NIS 2.0, the EU will also join the US and other jurisdictions in mandating stricter incident reporting. Entities in scope must send an early warning to the competent authority or national CSIRT within 24 hours of becoming aware of a significant incident, follow it with a fuller incident notification within 72 hours, and submit a final report within a month. Companies that fail to do so can face steep fines.

NIS 2.0 has been in development for several years and is part of a wider EU campaign to engage stakeholders and bolster cybersecurity measures more broadly.

Indeed, in 2021, the EU requested the World Economic Forum’s Cyber Resilience in Electricity community to provide comments on plans to improve cybersecurity legislation. “In view of the unprecedented digitalization in recent years, the feedback from member states and society, and the need for a more harmonized implementation across member states, the time has come to refresh it,” the Forum stated in its report.

Alongside it, the EU has proposed new legislation to strengthen security requirements for digital hardware and software products and for critical energy infrastructure.

Now, NIS 2.0 is being advanced as cyber-attacks continue to grow in prevalence and sophistication, and continue to target critical infrastructure. In February, for example, oil terminals in Belgium and the Netherlands were hit by attacks that disrupted the loading and trading of refined products across the region.

Future threat

“There is no doubt that cybersecurity will remain a key challenge for the years to come. The stakes for our economies and our citizens are enormous,” Ivan Bartoš, the Czech deputy prime minister for digitalisation and minister of regional development, said in a statement after the Council’s vote, adding that NIS 2.0 is “another step to improve our capacity to counter this threat”.

NIS 2.0 is expected to enter into force in the coming weeks, after which EU member states will have 21 months to transpose its provisions into national law. Officials are not waiting until then, however, and have already begun large-scale cyber-attack simulations to improve readiness.

“Cyberattacks are everywhere,” said Thierry Breton, EU commissioner for the internal market, in a statement on the cyber training exercises. “It is our shared responsibility to work collectively in preparing and implementing rapid emergency response plans.”

Tougher penalties

  • The obligation to report an incident within 72 hours makes it possible to react as quickly as possible and contain the threat, according to the EU. At the same time, companies, subcontractors and local authorities will be required to undergo security audits and receive recommendations so that they meet the stricter security standards.
  • For entities that fail to cooperate or that breach the rules, NIS 2.0 also introduces revised sanctions. Where a security incident occurs and an entity refuses to cooperate with the authorities, the directive gives states the power to issue binding instructions. Entities will therefore be forced to comply with the state’s request, and may face fines of up to 2% of global annual turnover for essential entities and up to 1.4% for important entities.
