On October 28, the European Parliament adopted a cybersecurity legislative text setting tighter requirements for businesses, administrations and states.
According to the legislative text adopted by the Industry Committee, EU countries would have to meet stricter supervisory and enforcement measures, and harmonise their sanctions regimes.
Compared to the existing legislation, the new directive would oblige more entities and sectors to take measures. “Essential sectors” such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors would be covered by the new security provisions. In addition, the new rules would also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would be covered by the legislation.
Concretely, the requirements include incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. Member states would be able to identify smaller entities with a high security risk profile, while cybersecurity would become the responsibility of the highest managerial level.
The directive also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database.
The original cybersecurity directive was set up in 2017. However, EU countries implemented it in different ways, thereby fragmenting the single market, which led to insufficient levels of cybersecurity. Given the current high level of cybersecurity threats, this updated legislation is much needed, say MEPs.
The draft negotiating mandate - the report - was adopted with 70 votes to 3, with 1 abstention. MEPs also voted to open negotiations with Council with 71 votes to 2, with 1 abstention.
The mandate will be announced in plenary session on 10 November.