On 22 November 2021, the European Parliament (EP) backed a draft law that would set tighter cybersecurity obligations in terms of risk management, reporting obligations, and information sharing for businesses, administrations, and states. The EP sees a need for this law because of the increase in cybersecurity attacks throughout 2020 and 2021. The EP can now start trilogue negotiations with the Council and the Commission on the planned new legislation. The Commission tabled the proposal for a Directive “on measures for a high common level of cybersecurity across the Union” in December 2020 (→ eucrim 4/2020, 282-283). It will repeal Directive 2016/1148 on security of network and information systems (NIS Directive).

The new Directive will include an incident response, supply chain security, encryption, and vulnerability disclosure. Member States will be able to identify smaller entities with a high security risk profile, and the highest managerial level would become responsible for cybersecurity.

The new directive will oblige more entities and sectors to take measures covering “essential sectors” (e.g. energy, transport, banking, public health, digital infrastructure and public administration). In addition, the new rules will also protect so-called “important sectors” (e.g. postal services, waste management, digital service providers, and the manufacturing of chemicals, food, medical devices, electronics, machinery, and motor vehicles). All medium-sized and large companies in selected sectors will also be covered by the legislation. The directive aims at establishing a European vulnerability database and a framework for better cooperation and information sharing between various authorities and EU Member States.