"EU Agrees New Cybersecurity Legislation for Critical Services Organizations"

The European Union (EU) has recently reached a political agreement on new legislation that will impose common cybersecurity standards on critical industry organizations.  The new directive will replace the EU’s existing rules on the security of network and information systems (NIS Directive), which requires updating.  The NIS 2 Directive will cover medium and large organizations operating in critical sectors.  Critical sectors include providers of public electronic communications services, digital services, wastewater and waste management, manufacturing of critical products, postal and courier services, healthcare, and public administration.  Organizations will need to report cybersecurity incidents to authorities within 24 hours and have to do a better job of patching software vulnerabilities.  Organizations will also be required to prepare risk management measures.  The new directive also aims to create stricter enforcement requirements and harmonize sanctions regimes across member states.  Operators of essential services would face fines of up to 2% of annual turnover for failing to comply, while for important service providers, the maximum fine would be 1.4%.  The political agreement will need to be formally approved by EU member countries and the European Parliament.  Once passed, member states will need to transpose the new requirements into national law within 21 months.


Infosecurity reports: "EU Agrees New Cybersecurity Legislation for Critical Services Organizations"
