What to expect from the EU’s cyber security upgrade

Author: Laurens Cerulus, Senior Policy Reporter, Politico

The European Union will propose overhauling its cyber security rules for critical sectors including energy, transport, financial services, cloud and health care on Wednesday, in an effort to strengthen defenses against major breaches and state-backed attacks plaguing Europe.

The proposals — a revision of the 2016 Networks and Information Security (NIS) Directive — are likely to be a substantial upgrade of current rules and would require companies to do more to protect their systems from getting hacked or spied on. The update comes in the wake of a major breach of the European Medicines Agency, which is currently involved in approving coronavirus vaccines, and a slew of other attacks disrupting Europe’s strategic industries and public institutions in past years.

The new rules, which need the approval of national governments and the European Parliament, would add vaccine makers, videoconferencing services, government bodies and a whole range of new organizations to the law’s scope. These firms would face requirements to report incidents to authorities and clients and take greater care of the security of their software and hardware suppliers. National cyber security authorities would be empowered to suspend operating licenses and impose large fines on companies that fail to properly protect their systems.

POLITICO spoke to five officials who worked on the text. All requested not to be named because of the sensitivity of the discussions. EU officials were working on the details through Tuesday, meaning last-minute changes could still occur.

Here’s what you can expect from the new cyber security directive.

Pharma, cloud providers, space firms face tough rules

The directive mainly targets “operators of essential services,” a definition that will be expanded under the new rules. Hospitals and other health services were already listed as “essential” but the law will now also affect research centers and manufacturers of medicines, including companies developing the coronavirus vaccine.

Aerospace companies, cloud and data providers, telecoms companies and even videoconferencing services like Zoom will be added to the list, which already included energy, transport, banking and certain digital infrastructure.

The Commission will also include “public administration” in the new rules, likely affecting central government IT systems. Officials cited the recent cyberattacks on U.S. government departments and agencies as justification for the provision.

The new proposal will also include a separate group of “important” service providers — internet search, food production and waste management, for example — outside of the list of “essential services.” They would have to comply with lighter requirements, compared to the tougher regime for essential services.

EU countries will still have the power to draft their own lists of which national companies fall within the Commission’s categories.

Regulators become powerful

To enforce the new law, cyber security authorities would gain powers to impose fines that will now have a minimum threshold across the bloc — previous rules allowed national capitals to pick the amount. Cyber security authorities will also be empowered to issue warnings and to embed an officer with companies that have undergone cybersecurity incidents.

For “essential” services, authorities would have the power to suspend licenses and force a temporary halt to services, in what was described as a measure of “last resort.”

The Financial Times reported that fines would go up to 2 percent of annual turnover across the bloc, but that would be a minimum figure: National governments can choose to impose higher fines.

Under the Commission’s proposal, operators of “essential services” will be regulated ex ante while the “important” services will be regulated ex post. That means the former would be subject to ongoing checks and reporting requirements while the latter would only be checked on their compliance in case investigators look into any accidents or breaches after they occur.

Supply chains exempt (for now)

Companies would have to pay closer attention to the cyber security of their software and hardware suppliers. That means supply chain security would be largely dealt with through contractual and industry-wide agreements, not the Commission’s new rules.

Some sectors including the telecoms industry had hoped for tougher rules on suppliers. Exempting them places “the burden of proof … specifically on the service provider” and removes an “explicit imperative” for a supplier, said Jon France, head of industry security at global telecoms association GSMA.

While software and hardware suppliers are not explicitly targeted, the Commission does want the NIS Cooperation Group, which gathers national cybersecurity agencies, to conduct a “coordinated risk assessment” of supply chains for critical and strategic industries. Echoing the EU’s attempts to secure its 5G networks by vetting tech providers, this could lead to a tougher regime for software companies serving critical sectors in coming years.

Share your vulnerabilities

The Commission wants companies and authorities to pool information on vulnerability disclosures into a single database. The proposal is an attempt to stop its cybersecurity community from relying on a U.S. database run by the National Institute of Standards and Technology.

The database would be managed by the EU’s cybersecurity agency ENISA and be open to “all interested parties,” which is a boon to Europe’s academics and cybersecurity researchers.

Implementation will vary

With the 2016 rules in the form of a directive, EU countries had plenty of freedom in interpreting and customizing them, which led to some problems with the rollout. Adoption has been slow across the bloc and three countries — Belgium, Hungary and Romania — are still facing infringement procedures from the Commission for not fully implementing the measures.

To solve that, the Commission initially considered recasting the NIS Directive as a universally applicable law, known as a regulation, allowing for the same rules across the bloc. But 11 countries opposed the idea, warning that a regulation “would be too rigid.” The Commission has duly obliged — the proposal will remain a directive.

Some lawmakers aren’t happy with the arrangement. “Cyber security of infrastructure is too crucial to be left only as a directive. Instead we must call for [a] regulation and robust enforcement,” said Bulgarian MEP Eva Maydell.

What the EU loses in universal application, it gains in ease of passage. The proposed directive is likely to move through the EU lawmaking machinery more smoothly.

But wait, there’s more!

The Commission will also present a revamp of its 2008 directive on the protection of critical infrastructure alongside the revised NIS Directive. The directive previously dealt with physical protection requirements in the energy and transport sectors only, but will now adopt a similarly expansive scope.

Laura Kayali contributed reporting.