Large energy, transport and financial companies as well as digital providers and makers of medical and computer devices could be fined up to 2% of their global turnover for breaching EU cybersecurity rules under a European Commission proposal.
Concerns about the cybersecurity of key assets have mounted in recent months, especially over cyber attacks by state actors and other malicious players.
U.S. federal agencies and thousands of companies are now investigating a sweeping hacking campaign that officials suspect was directed by the Russian government. The European Medical Agency was also targeted earlier this month.
With two in five EU employees working from home due to the COVID-19 pandemic and one in eight businesses hit by cyber attacks, the EU executive says its proposal is meant to bolster Europe’s collective resilience against cyber threats.
The proposal includes beefing up the 2016 EU cybersecurity law (NIS) with sanctions and expanding its scope to cover all medium and large companies in 10 essential sectors – energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space.
Also deemed important entities and falling under the proposed rules would be all medium and large firms in postal and courier services, waste management, chemicals, food manufacturing, medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers such as online market places, online search engines, and social networking service platforms.
Companies face a range of sanctions for non-compliance, which would also target management, EU Internal Market Commissioner Thierry Breton said.
“Fines for these entities, which are essential and important entities, if these are…repeated actions (in) not fulfilling requirements, (range) from 10 million euros ($12.2 million) to 2% of global revenue,” Breton told a news conference.
“In a case where a company continues not to fulfil its obligations, in this category, we can go up to suspension of authorisation. That is the last resort. We may also have temporary bans against any persons discharging managerial responsibility,” he said.
Companies would be subject to strict cybersecurity requirements covering supply chains and supplier relationships, and also a stringent supervisory regime.
The Commission proposal includes setting up an EU-wide network of security operations centres to detect early signals of imminent cyberattack, and creating a joint cyber unit to boost cooperation between EU bodies and national authorities.
The proposal will have to be approved by EU member states and the European Parliament before it can go into effect, a process which could take several years.