EU Agrees New Cybersecurity Legislation for Critical Services Organizations
This month, the European Union (EU) reached an agreement on new legislation that will set cybersecurity standards for organizations in critical industries, in order to protect the EU's infrastructure from cyberattacks. The new directive updates the EU's existing rules on the security of network and information systems (the NIS Directive) and will replace much of the guidance currently in place. The EU stated that the rules needed updating because of the increasing level of digitalization and interconnectedness in 2022, as well as the rising volume of malicious cyber activity.
The NIS 2 Directive will apply to medium and large organizations that operate in critical sectors, including digital services, waste management, manufacturing, postal services, healthcare, and public administration. New requirements include reporting cybersecurity incidents to the authorities within 24 hours, patching software vulnerabilities, and preparing risk management procedures for the event of a cyberattack. In addition to raising the level of security, the stricter enforcement requirements will harmonize sanctions across member states. The measures were originally proposed by the European Commission in 2020.