EU Council and MEPs Agree on New Cybersecurity Rules
For the first time, the EU Council of Ministers and internal market MEPs (Members of the European Parliament) have agreed on EU-wide cybersecurity rules to make essential services such as traffic control, electricity grid management, search engines and cloud services cyberattack-proof.
The deal between the EU Council and MEPs would require tech giants such as eBay, Amazon and possibly established blockchain startups such as BitPay and Coinbase to implement additional security measures to ensure that their infrastructure is secure.
“Today, a milestone has been achieved: we have agreed on first ever EU-wide cyber-security rules, which the Parliament has advocated for years”, said Parliament’s rapporteur Andreas Schwab (EPP, DE), after the deal was clinched.
“Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents. Member states will have to cooperate more on cybersecurity – which is even more important in light of the current security situation in Europe.”
Over the past few years, information systems, essential networks and systems such as online banking, airport control and financial services have been affected by malicious attacks, technical failures and data breaches. According to the EU agency for Network and Information Security, such incidents result in around US$285 to US$370 million in annual losses.
With the new rules, the EU Council, MEPs and global industry leaders hope to encourage key cross-industry players to handle such incidents and improve collaboration among member states.
The EU will set up a strategic cooperation group to exchange information and develop guidelines for other member states to handle cybersecurity protocols and assist companies. Furthermore, each member state plans to form a network of Computer Security Incidents Response Teams to identify and coordinate responses to security incidents and cybersecurity practices.
“Member states will have to identify concrete ‘operators of essential services’ from these sectors using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety,” announced the European Parliament.
The EU and its member states will also require internet service providers and online marketplaces such as Amazon and Google to report major incidents and collaborate with other members of the network of Computer Security Incidents Response Teams to search for potential solutions.
Currently, the provisionally agreed-upon text is being reviewed by the European Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives.