EU Parliament committee adopts new cybersecurity law for critical services

The revision of the Directive on Security of Network and Information Systems (NIS2) will establish cybersecurity requirements for critical entities. [kb-photodesign/Shutterstock]

The leading committee of the European Parliament adopted on Thursday (28 October) a  legislative proposal intended to secure Europe’s critical entities from cyberattacks.

The Parliament’s committee on industry, research and energy (ITRE) endorsed the so-called NIS2 Directive, a revision of the Directive on Security of Network and Information Systems. The existing NIS Directive was the first EU-wide legislation to set up minimum cybersecurity requirements for businesses and organisations providing essential services.

Although the NIS Directive was only adopted in 2016, the fast-paced nature of the cyber environment prompted a revision of the legislation to strengthen the cybersecurity requirements and extend the scope to more entities with a high-risk profile, based on the criticality of their role in the economy and democratic processes.

“Not only do we see the amount of cyber-attacks increase, what is also increasing is the societal harm and societal impact,” Klara Jordan, chief public policy officer at CyberPeace Institute, told an event organised by EURACTIV on Tuesday (26 October).

Jourdan stressed that harmonising cybersecurity standards across the EU is made even more necessary given the interconnected nature of supply chains, as an attack can affect several countries at once.

Wider scope

While the purpose of NIS2 was to broaden the scope of the previous legislation, the parliamentary text has extended it even further, covering an estimated 160,000 entities.

The organisations covered by the new cybersecurity requirements will be identified via two sets of criteria. The objective criterion includes companies with a €10 million turnover and at least 50 employees. The qualitative criterion covers entities fundamental for the economic and democratic processes.

“For years, cybersecurity was a niche subject, it’s not anymore. Every professional will tell you it should be brought at the highest level; the CEO should be involved,” Bart Groothuis, the MEP responsible for the file, told EURACTIV, noting that the sanctions for demonstrable negligence aim to achieve just that.

The fines can amount to up to 2% of the company revenue, which is the same percentage ransomware attacks usually ask. Members of the senior management might also be hit by a temporary ban.

“The philosophy is not anymore, whether you’re vital, it is whether you’re vital to the business model of ransomware,” the Dutch lawmaker argued.

In the last year and a half, ransomware, in particular against supply chains, has been the top cyber threat in Europe, according to a report of the EU cybersecurity agency ENISA published on Wednesday (27 October).

“Member states want more flexibility to include companies and entities according to their risk assessment, and want to avoid red tape for small companies,” said Tamara Tafra, cybersecurity counsellor at the Croatian Permanent Representation to the EU.

The parliament’s text addresses this concern proposing automated reporting, which MEPs consider would minimise the administrative burden.

Parliamentary changes

While the general scope was extended, the text approved by the parliament excludes a specific category, root servers, which provide the basis on which the architecture of the internet is built.

The Internet Society, a global NGO, has warned that regulating root services might have the unintended consequences of fragmenting the internet, noting that other powers might seize the occasion to balkanise the internet pointing to China’s proposal for a new IP address in 2019 as a dangerous precedent.

Groothuis recognised that the current internet governance based on Domain Name Systems is too fragile vis-a-vis cyberattacks and should therefore be regulated. However, he criticised the EU Commission for proposing the regulation of root servers arguing that goes against the philosophy of free internet.

Another change made to the text is the differentiation of the reporting obligations. Information security is based on the CIA triad: confidentiality of the network, integrity of the data, and availability of your service (CIA).

For Groothuis, availability can easily be assessed and should be reported within 24 hours, while the integrity and confidentiality assessment can take up to three days, pointing to a similar proposal in the US that recently adopted the same approach.

Furthermore, the ITRE proposal includes provisions on how to exchange data in a GDPR compliant way to fight cybercrime and even includes a responsibility to share sensitive data.

Groothuis contended that the sharing of information has dropped significantly in recent years due to fear of liability. For instance, authorities might be aware of the IP addresses used by a certain ransomware group, past email addresses or bitcoin wallets.

Geopolitical context

Drawing from his previous experience as head of cybersecurity in the Dutch defence ministry, Groothuis considered the ambition of the proposal was dictated by the international scenario.

“When we started tackling in the Netherlands, internet banking crime was a huge problem. In three months, we crunched that by over 90% reduction. In the countries surrounding us, Belgium, Germany, it went up at 90% in the same period,” the lawmaker said, noting how cyberattacks tend to always target the weakest link.

Groothuis notes that the median spending of a US company is already 41% more than a European one, and the gap might further increase as Washington is mobilising more and more resources following a series of high-level attacks such as the Colonial Pipeline one.

He also advocates for an active cyber defence posture anticipating upcoming risks from hostile powers, singling out China and Russia. That is also why the proposal maintains that non-technical factors should be considered when assessing the risk of an organisation.

For David Harmon, EU cybersecurity and privacy director at Huawei, these non-technical considerations should not repeat the same fragmentation of the 5G toolbox, as a coordinated approach at the EU level would ensure legal certainty.

As the committee text was approved with a very large majority, no plenary vote is expected.

[Edited by Zoran Radosavljevic]

Subscribe to our newsletters