Obligation to report cyber incidents will probably be extended to more sectors

EU ministers have reached an agreement on expanding the number of sectors required to report cyber incidents. These sectors will also face more digital security requirements. The European Parliament and the EC still have to approve NIS2.

Examples of the new sectors are food production and distribution, manufacturing, postal and courier services and the production of medical equipment, chemicals and pharmaceuticals. Outgoing minister Stef Blok says that it is necessary to make it mandatory to report cyber incidents, because such incidents ‘increasingly’ have consequences for society and the economy. That is why arranging digital security for these companies can no longer be left to their ‘own responsibility’.

The EC says that supervision of these new services will take place after the fact, in particular in response to an incident. The providers are also obliged to comply with a number of security measures. For example, they must have supply chain security and incident handling in order.

Currently, only digital service providers and the so-called essential services have a reporting obligation. The latter includes banks and the drinking water and energy sectors. So-called ‘important services’ are now being added to this. The difference is that supervision of essential services is proactive, rather than after the fact as it is for the important services.

The proposal to revise this so-called Network and Information Security Directive, or NIS, came from the European Commission. The responsible EU ministers have agreed to the amended directive, ‘NIS2’, but before it becomes official, the European Parliament and the European Commission still have to approve the extension. The final agreement should be available in 2022.