EU Unveils Revamp of Cybersecurity Rules Days After Hack

The European Union unveiled Wednesday plans to revamp the 27-nation bloc’s dated cybersecurity rules, just days after data on a new coronavirus vaccine was unlawfully accessed in a hack attack on the European Medicines Agency.

The EU last year recorded around 450 cyber incidents involving European infrastructure, notably in the financial and energy sectors, and the pandemic has highlighted Europe’s deep dependence on the internet and exposed security weaknesses.

The EU’s current Network Information System regulations date from 2008, and the European Commission’s new proposals aim to bring them up to date and allow the EU to impose hefty fines on operators who break the rules.

“The time of innocence is over. We know that we are a target,” Commission Vice-President Margaritis Schinas told reporters. “We need to modernize, reinforce, and adapt.”

The plans include an “EU-wide Cyber Shield” linking national security authorities that would use artificial intelligence and machine learning to detect early signs of attacks, a cyber unit to respond to incidents and threats, and beefing up cooperation between countries and with organizations like NATO.

The new cyber-strategy would focus on protecting essential infrastructure like electricity grids, heating systems, gas and hydrogen plants as well as air, rail, water and road links. Financial market and health infrastructure would also be among the priorities.

The EU also wants to bolster its sanctions system related to cyber incidents, with a proposal for countries to agree on sanctions by qualified majority voting rather than unanimity. The Europeans imposed sanctions on people and organizations linked to Russia, China and North Korea this year.

The new plans must now be debated by EU countries and the European Parliament and are likely to change substantially. Once agreed upon, the 27 nations would have 18 months to adopt and start applying the rules nationally.