The European Commission (EC) has proposed two new regulations to establish common cybersecurity and information security measures across the bloc, with the aim of bolstering resilience and response capacity against a variety of cyberthreats.
Under the draft cybersecurity regulation published on March 22, 2022, all European Union (EU) institutions, bodies, offices and agencies will be required to have cybersecurity frameworks covering governance, risk management and control.
They will also be required to perform regular maturity assessments, implement improvement plans, and share any incident-related information with the Computer Emergency Response Team (CERT-EU) “without undue delay.”
The regulation would also establish a new inter-institutional Cybersecurity Board to drive and monitor its implementation. The board would also help steer CERT-EU, whose mandate would be extended to a triple role: incident response coordination center, central advisory body and service provider.
Under a separate proposal for an Information Security Regulation, published on the same day, the EC seeks to create a minimum set of security rules to improve and standardize the way public organizations in the EU protect themselves against evolving threats to their information.
These rules will also enable the secure exchange of information across the EU by establishing common practices and measures to protect information flows, including a shared approach to categorizing information based on the level of sensitivity.
“In a connected environment, a single cybersecurity incident can affect an entire organization. This is why it is essential to build a strong shield against cyber threats and incidents that could disrupt our ability to act,” Johannes Hahn, the EU’s budget and administration commissioner, said in a statement.
“The regulations we are proposing today are a milestone in the EU cybersecurity and information security landscape. They are based on enhanced cooperation and mutual support between the EU institutions, bodies, offices and agencies and on coordinated preparedness and response. This is a true collective effort of the EU.”
The EC has further stated that the changes are necessary in the context of the COVID-19 pandemic and growing geopolitical challenges, and that the rules will strengthen inter-institutional cooperation, minimize risk exposure and generally reinforce the EU’s security culture.
The proposals, which are now due to be discussed by the European Parliament and the Council, are in line with the EU’s Security Union Strategy, which was published in December 2020 and aimed to strengthen the bloc’s collective resilience against cyber threats.
According to a January 2022 World Economic Forum (WEF) report, cybersecurity threats are among the top risks facing the world, as threats such as ransomware and nation-state-backed attacks proliferate and organizations become more dependent on technology.
“Now that cyber threats are growing faster than our ability to permanently eradicate them, it is clear that neither resilience nor governance is possible without credible and sophisticated cyber risk management plans,” said Carolina Klint, risk management leader for continental Europe at insurance broker and risk specialist Marsh.
On March 9, 2022, European governments also drafted a declaration to strengthen the EU’s cybersecurity capabilities, which included increasing EU funding to support national efforts and developing a strong cybersecurity ecosystem.
The additional funding is intended to help EU countries expand their cyber capabilities, create a market for trusted providers, and bolster the resilience of selected operators who would be at risk during a conflict.
The declaration also called on European authorities to come up with a series of recommendations on how to strengthen the resilience of Europe’s digital infrastructure.
In the UK, the government is also seeking to make a series of updates to the Network and Information Systems (NIS) Regulations 2018, which were initially designed to protect the security of critical national infrastructure (CNI) providers, such as utility, transport, health and communications companies, backed by multi-million-pound fines for non-compliance.
These regulations would be expanded in scope to include managed service providers (MSPs) and providers of specialized online and digital services, including managed security services, workplace services and general IT outsourcing. The UK government launched a consultation on the proposals on January 19, 2022.