The European Union (EU) has reached political agreement on new legislation that will impose common cybersecurity standards on critical industry organizations.
The new directive will replace the EU’s existing rules on the security of network and information systems (NIS Directive), which requires updating because “of the increasing degree of digitization and interconnectedness of our society and the rising number of cyber malicious activities at the global level.”
The NIS 2 Directive will cover medium and large organizations operating in critical sectors. These include providers of public electronic communications services, digital services, wastewater and waste management, manufacturing of critical products, postal and courier services, healthcare and public administration.
Among the provisions in the new legislation are flagging cybersecurity incidents to authorities within 24 hours, patching software vulnerabilities and preparing risk management measures.
It also aims to create stricter enforcement requirements and harmonize sanctions regimes across member states. Operators of essential services would face fines of up to 2% of annual turnover for failing to comply, while for important service providers, the maximum fine would be 1.4%.
The measures were originally proposed by the EU Commission in December 2020.
The political agreement will need to be formally approved by EU member countries and the European Parliament. Once passed, member states will need to transpose the new requirements into national law within 21 months.
Commenting on the announcement, Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age, said: “We have been working hard for digital transformation of our society. In the past months, we have put a number of building blocks in place, such as the Digital Markets Act and the Digital Services Act. Today, Member States and the European Parliament have also secured an agreement on NIS 2. This is another important breakthrough of our European digital strategy, this time to ensure that citizens and businesses are protected and trust essential services.”