EU mandates cyber security investment to protect critical infrastructure

On Friday, European Union lawmakers agreed to tougher cyber security rules for large energy, transport and financial firms, digital providers and medical device makers amid concerns about cyber attacks by state actors and other malicious actors.

Two years ago, the European Commission proposed rules on the cyber security of network and information systems called the NIS 2 Directive, in effect expanding the scope of the current rule known as NIS Directive.

According to a Reuters report, the new rules cover all medium and large companies in essential sectors – energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, waste water, digital infrastructure, public administration and space.

All medium and large firms in postal and courier services, waste management, chemicals, food manufacturing, medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers such as online marketplaces, online search engines, and social networking service platforms will also fall under the rules.

The companies are required to assess their cyber security risk, notify authorities and take technical and organisational measures to counter the risks, with fines up to 2 percent of global turnover for non-compliance.

EU countries and EU cyber security agency ENISA could also assess the risks of critical supply chains under the rules.

Commenting on the tougher cyber security rules for key sectors, EU industry chief Thierry Breton referred to the “new reality” that has put critical infrastructure under a spotlight.

“Cyber threats have become bolder and more complex.

“It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected,” Breton said in a statement.