(Reuters) – Large energy, transport and finance companies as well as digital suppliers and manufacturers of medical devices and computer devices can be fined up to 2% of their global turnover for breaches of EU cyber security rules under a European Commission proposal. Concerns about the cyber security of key assets have increased in recent months, particularly over cyberattacks by government actors and other malicious players.
US federal agencies and thousands of companies are now investigating an extensive hacking campaign that officials suspect was led by the Russian government. The European Medicines Agency was also targeted earlier this month.
With two out of five EU employees working from home due to the COVID-1
The proposal includes a strengthening of the EU Cyber Security Act 2016 with sanctions and an extension of its scope to include all medium and large companies in ten key sectors – energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration and space.
Also, all medium and large companies in postal and courier services, waste management, chemicals, the food industry, medical equipment, computers and electronics, machinery, motor vehicles and digital suppliers such as online markets, online search engines and so on are considered important units and fall under the proposed rules.
Companies face a number of non-compliance sanctions, which would also target management, said EU Internal Market Commissioner Thierry Breton.
"Fines for these entities, which are important and important entities, if these are … repeated actions (i) that do not meet the requirements, (varies) from EUR 10 million (USD 12.2 million) to 2% of global revenues," Breton said at a news conference.
"In a case where a company continues to fail to meet its obligations, in this category we can go up to revoke the authorization. It's the last resort. We can also have temporary bans on all people responsible for the management," he said.
Companies would be subject to strict cyber security requirements covering supply chains and supplier relationships, as well as a strict regulatory system.
The Commission proposal includes setting up an EU-wide network of security operations centers to detect early signals of imminent cyberattacks, and creating a single cyber unit to increase cooperation between EU agencies and national authorities.
The proposal must be approved by EU Member States and the European Parliament before it can enter into force, a process that could take several years.