(Reuters) – European Union countries and legislators agreed on Friday on tougher cybersecurity rules for major energy, transport and finance companies, digital suppliers and manufacturers of medical devices, amid concerns over cyberattacks by state and other malicious actors.
Two years ago, the European Commission proposed rules on the security of network and information systems, called the NIS 2 Directive, which in effect extends the scope of the current rules, the NIS Directive.
The new rules cover all medium-sized and large companies in key sectors – energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, wastewater, digital infrastructure, public administration and space.
All medium-sized and large companies in postal and courier services, waste management, chemicals, food manufacturing, medical equipment, computers and electronics, machinery, motor vehicles and digital providers such as online marketplaces, online search engines and social networking platforms will also fall under the rules.
Companies are required to assess their cybersecurity risk, notify authorities and take technical and organizational measures to counter the risks, with fines of up to 2% of global turnover for non-compliance.
EU countries and the EU's cybersecurity agency ENISA could also assess the risks of critical supply chains under the rules.
“Cyber threats have become bolder and more complex. It was imperative to adapt our security framework to the new realities and to ensure that our citizens and infrastructures are protected,” said EU Industry Director Thierry Breton in a statement.