The European Commission (EC) has proposed two new regulations to establish common cyber and information security measures across the bloc, with the aim of bolstering resilience and response capacity against a range of cyber threats.
Under the proposed cybersecurity regulation, which was published 22 March 2022, all European Union (EU) institutions, bodies, offices, and agencies will be required to have cyber security frameworks in place for governance, risk management, and control.
They will also be required to conduct regular maturity assessments, implement plans for improvement, and share any incident-related information with Computer Emergency Response Team (CERT-EU) “without undue delay.”
The regulation would also establish a new inter-institutional Cybersecurity Board to drive and monitor the implementation of the regulation. The new board will further help to steer CERT-EU, which will also have its mandate extended to fill the triple role of being an incident response coordination hub, a central advisory body, and a service provider.
Under a separate Information Security Regulation proposal published the same day, the EC is seeking to create a minimum set of security rules to both enhance and standardise how EU public organisations protect themselves against evolving threats to their information.
These rules will also provide for the secure exchange of information across the EU by establishing common practices and measures to protect information flows, including a shared approach to information categorisation based on the level of confidentiality.
“In a connected environment, a single cyber security incident can affect an entire organisation. This is why it is critical to build a strong shield against cyber threats and incidents that could disturb our capacity to act,” said Johannes Hahn, the EU’s budget and administration commissioner, in a statement.
“The regulations we are proposing today are a milestone in the EU cyber security and information security landscape. They are based on reinforced cooperation and mutual support among EU institutions, bodies, offices and agencies and on a coordinated preparedness and response. This is a real EU collective endeavour.”
The EC has further claimed the changes are needed in the context of the Covid-19 pandemic and growing geopolitical challenges, and that the rules will strengthen inter-institutional cooperation, minimise risk exposure and generally bolster the EU’s security culture.
The proposals – which must now be discussed by the European Parliament and Council – are in line with the EU’s Security Union Strategy, which was published in December 2020 and is intended to bolster the bloc’s collective resilience against cyber threats.
According to a World Economic Forum (WEF) report from January 2022, cyber security threats rank among the top risks facing the world, as threats such as ransomware and nation-state-backed attacks proliferate and organisations become more reliant on technology.
“With cyber threats now growing faster than our ability to eradicate them permanently, it is clear that neither resilience nor governance are possible without credible and sophisticated cyber risk management plans,” said Carolina Klint, risk management leader for continental Europe at insurance broker and risk specialist Marsh.
On 9 March 2022, European governments also drafted a declaration to reinforce the EU’s cyber security capacities, which included increasing EU funding to support national efforts and develop a strong cyber security ecosystem.
The additional funding is supposed to help EU countries scale up their cyber capabilities by helping to create a market for trusted providers, as well as reinforcing the resilience of select operators that would be at risk during a conflict.
The declaration also urged European authorities to come up with a series of recommendations on how to reinforce the resilience of Europe’s digital infrastructure.
In the UK, the government is also seeking to make a series of updates to the 2018 Network and Information Systems (NIS) regulations, which were initially designed to protect the security of providers of critical national infrastructure (CNI) – in this case, utilities, transport, healthcare and communications – backed by multimillion-pound fines for non-compliance.
These regulations will be expanded in their scope to include managed service providers (MSPs) and providers of specialised online and digital services, including managed security services, workplace services, and general IT outsourcing. The UK government launched a consultation for feedback on 19 January 2021.