Content Assessment: Stricter Supervisory and Enforcement Measures? European Parliament Adopts New Cybersecurity Law
Information - 92%
Insight - 91%
Relevance - 90%
Objectivity - 90%
Authority - 95%
A short percentage-based assessment of the qualitative benefit of post highlighting the European Parliament's adoption of a new cybersecurity law to strengthen EU-wide resilience.
Editor’s Note: The Network and Information Security (NIS) Directive is the first piece of EU-wide legislation on cybersecurity, and its specific aim was to achieve a high common level of cybersecurity across the Member States. While it increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed with digitalization and the surge in cyber-attacks, the Commission submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU. Co-legislators reached a provisional agreement on the text of the Network and Information Security 2 proposal on 13 May 2022, and the proposed legislation was adopted by the EU Parliament on 10 November 2022. The adoption announcement and a copy of the Network and Information Security 2 Directive may benefit cybersecurity, information governance, and legal discovery professionals operating in the eDiscovery ecosystem as they consider cybersecurity requirements in the European Union.
Cybersecurity: Parliament Adopts New Law to Strengthen EU-Wide Resilience
Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonize their sanctions were approved by MEPs on Thursday.
- New legislation sets tighter requirements for businesses, administrations, infrastructure
- Differing national cybersecurity measures make the EU more vulnerable
- New “essential sectors” covered such as energy, transport, banking, health
The legislation, already agreed between MEPs and the Council in May, will set tighter cybersecurity obligations for risk management, reporting obligations, and information sharing. The requirements cover incident response, supply chain security, encryption, and vulnerability disclosure, among other provisions.
More entities and sectors will have to take measures to protect themselves. “Essential sectors” such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors will be covered by the new security provisions.
During negotiations, MEPs insisted on the need for clear and precise rules for companies, and pushed for the inclusion of as many governmental and public bodies as possible within the scope of the directive.
The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles, and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation.
It also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database.
“Ransomware and other cyber threats have preyed on Europe for far too long. We need to act to make our businesses, governments and society more resilient to hostile cyber operations” said lead MEP Bart Groothuis (Renew, NL).
“This European directive is going to help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work. It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale,” he said.
“This is the best cyber security legislation this continent has yet seen, because it will transform Europe to handling cyber incidents pro-actively and service orientated,” he added.
MEPs adopted the text with 577 votes to 6, with 31 abstentions. After Parliament’s approval, Council also has to formally adopt the law before it will be published in the EU’s Official Journal.
The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity, and its specific aim was to achieve a high common level of cybersecurity across the Member States. While it increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market.
To respond to the growing threats posed by digitalization and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.
EPRS - BRI 2021 689333 - EN
*Shared with permission under Creative Commons – Attribution 4.0 International (CC BY 4.0) – license.
- International Cyber Law in Practice: Interactive Toolkit
- Defining Cyber Discovery? A Definition and Framework
Have a Request?
If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.
ComplexDiscovery is an online publication that highlights cyber, data, and legal discovery insight and intelligence ranging from original research to aggregated news for use by cybersecurity, information governance, and eDiscovery professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding cyber, data, and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.
ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of cyber, data, and legal discovery organizations. Focused primarily on supporting the ComplexDiscovery publication, the company is registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world. The company operates virtually worldwide to deliver marketing consulting and services.