The European Union is proposing new rules to establish common cybersecurity and information security measures across EU institutions and to reinforce the EU Agency for Cybersecurity.
While the region has been stepping up its efforts for years to shield its economies and critical sectors from cyberattacks, the recent events in Ukraine have sped up the preparations.
The European Commission cites, for instance, a targeted cyberattack in Europe against the ViaSat satellite-based internet access provider, possibly intended to disrupt communications of the Ukrainian military, which had repercussions on nearly 30,000 satellite terminals across Europe, from internet services in France to the administration of wind turbines in Germany.
In the wake of such incidents, the EU announced new cybersecurity rules last week. The first set of rules is aimed at bolstering the resilience and response capacities of EU institutions, offices and agencies against cyber threats and incidents.
“In a connected environment, a single cybersecurity incident can affect an entire organization. This is why it is critical to build a strong shield against cyber threats and incidents that could disturb our capacity to act. The regulations we are proposing today are a milestone in the EU cybersecurity and information security landscape,” said Johannes Hahn, the commissioner for budget and administration.
The new regulation will put in place a framework for risk management and control across institutions. It will also extend the mandate of the Computer Emergency Response Team (to be renamed Cybersecurity Center), which will act as a central advisory body.
Some of the key measures in the new cybersecurity regulation include requiring EU institutions to have a cybersecurity governance framework, to implement basic measures to identify risks, to conduct regular assessments and to communicate any incidents to the new advisory body immediately.
Additionally, a second set of rules has also been proposed to create a minimum set of information security standards for all EU institutions. These rules will allow institutions, offices and agencies to exchange information securely with member states, based on standardized practices.
The European Union is also working on further legislation in this space that may be ready by the end of the year. Last week, the European Commission launched a consultation on its Cyber Resilience Act. The goal of this new regulation is to put in place horizontal cybersecurity requirements and common standards for digital products.
“We will only be able to shield our market and our societies from cyber threats if we ensure security by design in the digital products that companies and consumers increasingly rely on in their daily lives. Those products are most often the loophole through which malicious actors rush in to breach us,” Hahn said.
This initiative aims to introduce common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products and ancillary services. The consultation will be open until May 25.
The European proposals came a few days after President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This law will create new rules requiring U.S. critical infrastructure entities — such as financial services, energy and the defense industrial base — as well as federal agencies to report cybersecurity incidents within 72 hours of an incident, and within 24 hours if a ransomware payment was made.
Much like the EU’s decision to reinforce the EU Agency for Cybersecurity, the new U.S. law also designates a single agency, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, as the central point for information on cyber incidents.