Cybersecurity Rules In The EU Are Now Tougher!

Foley & Lardner

Contributor


BusinessInsurance.com reported that "European Union countries and lawmakers agreed on Friday to tougher cybersecurity rules for large energy, transport and financial firms, digital providers and medical device makers amid concerns about cyberattacks by state actors and other malicious players." The May 13, 2022 article entitled "EU toughens cybersecurity rules for key sectors" included these comments:

The European Commission two years ago proposed rules on the cybersecurity of network and information systems called NIS 2 Directive, in effect expanding the scope of the current rule known as NIS Directive.

The new rules cover all medium and large companies in essential sectors – energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, wastewater, digital infrastructure, public administration and space.

All medium and large firms in postal and courier services, waste management, chemicals, food manufacturing, medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers such as online marketplaces, online search engines, and social networking service platforms will also fall under the rules.

The companies are required to assess their cybersecurity risk, notify authorities and take technical and organizational measures to counter the risks, with fines up to 2% of global turnover for non-compliance.

EU countries and EU cybersecurity agency ENISA could also assess the risks of critical supply chains under the rules.

Time will tell how these will work out.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
