European Commission officials who pushed through new cybersecurity legislation set to take effect next week are expecting EU countries to introduce high fines against companies that disobey the rules.
So far, only the UK has announced the level of fines that firms will face if they do not inform regulators when they suffer a major cybersecurity incident. British authorities can impose sanctions of up to £17 million, or €19 million, if firms do not report serious data breaches.
The British fine is similar to the high sanction level that companies face if they break the EU data protection regulation, known as the GDPR, which will also take effect two weeks after the cybersecurity law. Under the GDPR, companies can be hit with fines of up to €20 million or 4% of their global turnover, whichever is higher.
Commission officials expect other EU countries to set similarly high fines under the cybersecurity law.
“Everybody is talking about the GDPR, but the NIS directive will make a very big difference,” one official said, referring to the cybersecurity law, known as the network and information security directive.
Companies operating “critical infrastructure” like banking, transport and water management systems, as well as digital services including cloud providers or online marketplaces, will be forced to tell authorities when they are hacked, under the new cybersecurity rules.
The directive is the first piece of EU-wide cybersecurity legislation, and national governments will need to start enforcing the law on 9 May. Under the new rules, national governments can choose the maximum level of fines that regulators can raise against companies.
Commission officials told reporters on Friday (4 May) that they are still waiting until 9 May to see what exact level of fines other countries will choose.
“We expect other member states to go for high fines,” one official said.
EU countries are required to send the Commission their national versions of the directive by next week. So far, only Cyprus has notified the EU executive of its law. Another “five to ten” countries are ready to send their legislation next week, while others might be delayed, the official said.
Some serious data breaches might require companies to alert different national authorities under both the cybersecurity legislation and the GDPR. The Commission will publish a document explaining how authorities should make sure that they do not double up on fines if companies break both of the laws by failing to report those incidents.
“We need to make sure once we have the full mapping of how the member states have transposed [the NIS directive], that there is no overlapping, no unnecessary accumulation,” one official said.
The legislation also requires national governments to appoint a team of experts that will respond to cybersecurity incidents and communicate with authorities in other EU countries when hackers attack critical infrastructure.
Officials said most member states have already started setting up those units. They pointed to last year’s massive WannaCry and NotPetya attacks, which hit companies across Europe, as the first test of that new network. Shortly after those incidents, authorities around the EU informed each other about the impact on firms in each of their countries.
Cybersecurity is a sensitive area of EU policy because national governments are wary of sharing too much sensitive information about security vulnerabilities with other countries.
But one Commission official said last year’s attacks helped European politicians to recognise the importance of the new cybersecurity law.
“The news has very much brought this to the attention of decision makers,” the source said.
“The understanding, the knowledge and the willingness to act on cybersecurity at the European level has grown, as well as the investments domestically.”
Separately from the NIS directive, the Commission proposed another piece of EU legislation in September 2017 that will give more power to the bloc’s cybersecurity agency ENISA and introduce an EU-wide system for certifying the security level of internet-connected products. That legislation is currently in negotiations in the European Parliament and among national diplomats.