The European Commission proposed an overhaul of its network security law on Wednesday as well as a new strategy geared at bolstering the EU’s defenses against an onslaught of breaches and state-backed hacking operations.
The plans come as the European Union faces a slew of cyberattacks on institutions, agencies and key industries across the bloc, including a recent hack of the European Medicines Agency, which is in charge of approving coronavirus vaccines.
The rise in attacks during the coronavirus pandemic added a sense of urgency to the plans, said Margaritis Schinas, the Commission’s vice president, who is in charge of security.
“All this points to something that is pretty evident: That Europe is a prime target,” Schinas told reporters.
Two new proposed laws aim to strengthen cybersecurity for companies providing critical infrastructure and crucial sectors including energy, transport, financial services, cloud, telecoms, aerospace, health care, manufacturing and central government IT services. Cloud providers, vaccine makers and videoconferencing services like Zoom have also been added to the scope of the law.
The first, an upgrade of the bloc’s Network and Information Security Directive (NIS Directive, now NIS2) will impose new requirements on “essential” and “important” service providers in critical sectors, including reporting cyberattacks, implementing security policies, scrutinizing the security of suppliers and the use of encryption technology.
The upgrade will also grant national authorities more power to enforce the law. Countries are asked to set potential fines of up to 2 percent or €10 million, but they can be higher too. Authorities would also be able to temporarily halt a non-compliant firm’s activities and even force a CEO to temporarily step down from his or her duties.
“What’s important is that the directive has teeth,” Schinas said.
Essential companies will also face new security requirements to protect their physical infrastructure under a revamp of the EU’s critical infrastructure law, the Critical Entities Resilience Directive.
The two new directives need approval by national governments in the Council of the EU and by the European Parliament.
The proposals are likely to trigger fierce lobbying over enforcement powers as well as pushback from capitals that fear it could erode their competence over security issues. The previous version of the EU’s NIS Directive took three years to negotiate.
National authorities “must be strengthened and given the proper funding and staffing in order to carry out their vital tasks. It is naive to invest billions into our essential businesses and infrastructure and then fail to protect those investments from attack,” said Dita Charanzová, the European Parliament’s vice president, who is in charge of cybersecurity.
‘Cyber shield’ to fend off attacks
The Commission and its diplomatic service also released a new Cybersecurity Strategy, which lays out new mechanisms for industry players, and public and security authorities to exchange threat intelligence and incident response information.
This so-called “Cyber Shield” is meant to spot attacks more quickly and help European organizations react and share intelligence across sectors.
To have an impact, the EU “needs to define when to share the right information, in time to make a difference,” said Julia Schuetze, researcher at the Stiftung Neue Verantwortung in Berlin.
The EU will propose new rules for its institutions and agencies next year as well, it said, in order to securely exchange sensitive documents and beef up cybersecurity policies among staff.
The strategy also lays out a plan to push back against “authoritarian regimes’ restrictions on the internet” by making it easier to impose sanctions on state-backed hacking groups and develop stronger international rules within the United Nations and other international fora. That includes setting up an “EU cyber intelligence working group” within the EU’s own foreign intelligence service INTCEN that would speed up diplomatic responses to attacks.
But some experts say the rules may not be enough. “We still do not know whether deterrence is actually a workable strategy in cyberspace, nor whether it can be achieved with the measures and tools the EU has at its disposal,” said Stefan Soesanto, senior cybersecurity researcher at the ETH Zurich university.
The bloc last summer imposed its first-ever round of sanctions on Russian, Chinese and North Korean hacking groups over major cybersecurity incidents. In October, it added sanctions on two Russian individuals and an intelligence unit for their role in hacking the German parliament in 2015.
The EU’s diplomatic service now wants national governments to consider allowing sanctions on foreign hackers to be imposed by qualified majority vote instead of by unanimous decision, which would significantly increase the bloc’s ability to use this tool for deterrence.
“It is tricky to find unanimity in a sensitive matter like that. Majority voting will make the EU cyber sanction framework more agile,” said Lukasz Olejnik, a cybersecurity researcher.