The European Union (EU) parliament on July 6 approved the first community-wide rules designed to bolster cybersecurity throughout the EU.

According to the official statement, the new law “lays down security and reporting obligations for ‘operators of essential services’ in sectors such as energy, transport, health, banking and drinking water supply. EU member states will have to identify entities in these fields using specific criteria, e.g. whether the service is critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service.”

In addition, some “digital service providers” such as search engines and online marketplaces will be required to take measures to secure their infrastructure and report significant cybersecurity incidents to national authorities.

Community-Wide Cybersecurity Action Necessary, EU Notes

“Cybersecurity incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cybersecurity protection makes us all vulnerable and poses a big security risk for Europe as a whole. This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures in the future,” said Andreas Schwab, the German member of the European Parliament who served as the Parliament’s rapporteur for the directive.

In cybersecurity regulation the EU has trailed the U.S. by several years. The White House released its Cybersecurity National Action Plan earlier this year as a road map for public and private entities to strengthen cybersecurity in the U.S. Meanwhile, the North American Electric Reliability Corp. is developing the sixth iteration of its Critical Infrastructure Protection standards, the fifth version of which went into effect this year. Those standards apply only to the bulk electric system; the new EU directive reaches well beyond the power sector.

A potentially covered entity qualifies as an “operator of essential services” if it provides a service essential for the maintenance of critical societal and economic activities, if the provision of that service depends on network and information systems, and if an incident affecting those systems would significantly disrupt the service. The definition is intended to cover a wide variety of operations such as banking, health care, transportation, and logistics, as well as utility services such as power and water.

Moving Beyond Reporting

Ray Rothrock, CEO of cybersecurity firm RedSeal, noted that the rules are significant in that they require enhanced resilience and risk management rather than simply policies and procedures for dealing with attacks.

“Fundamentally, they recognize that perimeter defenses, while necessary, are not sufficient to stop and, more importantly, recover from a successful cyberattack or disruption. Networks supporting critical services—such as banking, power distribution, drinking water, and healthcare—must be resilient. The potential results of an attack—shutting down a grid, hospital or a bank—are simply not an option. Operators must identify vulnerabilities, defend high value assets, and be able to restore operations quickly during a cyberattack,” he said. “A new focus on resilience will help enterprises manage what goes on inside the firewalls on their networks and continue to deliver services critical in a civil society.”

The directive will take effect 20 days after its publication in the EU Official Journal, which is expected shortly. Member states will then have 21 months to transpose it into national law and a further six months to identify the affected operators of essential services.

—Thomas W. Overton, JD is a POWER associate editor (@thomas_overton, @POWERmagazine).