Cyberattacks can prove very costly. According to the European Commission, the annual cost of cybercrime to the global economy is estimated to have reached €5.5 trillion by the end of 2020.
In November 2022, the European Parliament updated EU law to bolster investment in strong cybersecurity for essential services and critical infrastructure and strengthen EU-wide rules.
Tightening cybersecurity obligations - the NIS2 directive
The Network and Information Security directive (NIS2) introduces new rules to advance a high common level of cybersecurity across the EU – both for companies and countries. It also strengthens cybersecurity requirements for medium-sized and large entities that operate and provide services in key sectors.
An update of the 2016 NIS directive, it aims to improve clarity and implementation, as well as address fast-paced developments in this area. It covers more sectors and activities than before, streamlines reporting obligations and addresses supply chain security.
After approval by Parliament on 10 November 2022, it must also be approved by EU countries in the Council, after which member states will have 21 months to transpose it into national law.
More sectors included
The new law expands the scope of sectors and activities that are critical for the economy and society, including energy, transport, banking, health, digital infrastructure, public administration and space. However, it does not cover national and public security, law enforcement or the judiciary. The law applies to public administration at central and regional level, but not parliaments and central banks.
It requires more entities and sectors to take cybersecurity risk management measures, including providers of public electronic communications services, social media operators, manufacturers of critical products (including medical devices), and postal and courier services.
Stricter obligations for countries
The law sets stricter cybersecurity obligations for EU countries when it comes to supervision. It improves the enforcement of those obligations, including by harmonising sanctions across member states. It also aims to improve cooperation between EU countries, including on large-scale incidents, under the umbrella of the EU Agency for Cybersecurity (Enisa).
Protecting the EU’s financial system - Dora
Because the financial sector is increasingly dependent on software and digital processes, it also needs stronger protection. The digital operational resilience act (Dora) will ensure that the EU's financial sector is more resilient to severe operational disruptions and cyberattacks. Parliament gave final approval to the legislation, previously agreed with the Council, on 10 November 2022.
The law introduces and harmonises digital operational resilience requirements for the EU’s financial services sector, obliging companies to make sure that they can withstand, respond to and recover from all types of information and communication technology (ICT) related disruptions and threats.
The new rules apply to all companies providing financial services, such as banks, payment providers, electronic money providers, investment firms and crypto-asset service providers, as well as to critical ICT third-party service providers.
National authorities will supervise and enforce implementation.
Ref.: 20221103STO48002
www.europarl.europa.eu