EU lawmakers reach agreement on stronger cyber rules for critical sectors
The European Parliament and EU member states on Friday announced an agreement on setting a higher baseline for cybersecurity standards in key sectors, including energy, transportation, and healthcare.
Once adopted, the revised directive, called NIS2, would replace the first EU-wide cybersecurity law, the NIS Directive adopted in 2016. NIS2 was proposed by the EU's executive branch, the European Commission, in December 2020. It expands the scope of the rules to medium and large entities in digital services, waste water and waste management, critical manufacturing, postal and courier services, and public electronic communications services, as well as to public administration and other critical sectors at the central and regional level.
Additionally, the new directive sets stricter enforcement requirements, adds new information-sharing provisions, and would formally establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) to help coordinate responses to large-scale cybersecurity incidents.
Entities subject to the rules are required to assess their cyber risk, take measures to reduce it, and notify the authorities of significant incidents. Non-compliance can draw fines of up to €10 million or 2 percent of global annual turnover, whichever is greater.
The European Commission applauded the agreement, which is still subject to formal approval by the European Parliament and the Council of the European Union before it takes effect.
“It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected. In today’s cybersecurity landscape, cooperation and rapid information sharing are of paramount importance,” said European Commissioner for Internal Market Thierry Breton in a statement. “With the agreement of NIS2, we modernise rules to secure more critical services for society and economy.”