Cybersecurity

As hospitals have been targeted in recent cyberattacks, HOPE is now closely monitoring EU legislation in this field. The Directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States had 21 months to transpose the Directive into national law and a further 6 months to identify their operators of essential services. The NIS Directive is the first piece of EU-wide legislation on cybersecurity and provides the legal measures intended to raise the overall level of cybersecurity in the EU.

On 13 September 2017, the Commission issued a proposal for a regulation on ENISA, the EU Cybersecurity Agency, and on Information and Communication Technology cybersecurity certification (the "Cybersecurity Act").

On 26 March 2018, the Commission published an impact assessment to consult stakeholders on a proposal to create a cybersecurity competence network with a European Cybersecurity Research and Competence Centre. Separately, on 8 June 2018 the Council agreed its general approach on the Cybersecurity Act proposal. That proposal also upgraded the European Union Agency for Network and Information Security (ENISA) into a permanent EU agency for cybersecurity.

On 10 December 2018, an agreement was reached in trilogue. The deal was approved at the ITRE committee meeting on 14 January 2019 and adopted by Parliament in the 12 March 2019 plenary with 586 votes in favour, 44 against and 36 abstentions. It was signed by the Presidents of the European Parliament and of the Council on 17 April 2019. The final Cybersecurity Act was published in the Official Journal of the European Union on 7 June 2019 and entered into force on 27 June 2019.

In relation to the implementation of the Medical Devices Directive, HOPE joined the task force on cybersecurity created in 2018. HOPE was invited to the working group to outline the structure of future EU guidance on cybersecurity for medical devices.

The European Commission work programme 2020 listed the policy objective "Increasing cybersecurity", including a "review of the Directive on security of network and information systems (NIS Directive) in Q4 2020". A public consultation on that review ran until 2 October 2020.

On 14 May 2020, the Council adopted a decision extending for one more year, until 18 May 2021, the framework for restrictive measures (sanctions) against cyberattacks that threaten the EU or its Member States.

On 19 May 2020, the European Commission announced that the EU is investing €7.6 million through the Connecting Europe Facility (CEF) programme in projects that seek to strengthen the European Union's capacity to deal more efficiently with cyber threats and incidents.

On 16 December 2020, the Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy. Alongside it, the Commission tabled two legislative proposals addressing both the cyber and the physical resilience of critical entities and networks: a Directive on measures for a high common level of cybersecurity across the Union (the revised NIS Directive, or "NIS 2"), and a new Directive on the resilience of critical entities. Together they cover a wide range of sectors and aim to address current and future online and offline risks, from cyberattacks to crime and natural disasters, in a coherent and complementary way. A consultation on the NIS 2 proposal was launched and remained open until 11 February 2021. The proposal aims to address the deficiencies of the original NIS Directive, adapt it to current needs and make it future-proof.

Earlier, on 2 December 2020, the Council approved conclusions acknowledging the increased use of internet-connected consumer products and industrial devices and the new risks this creates for privacy, information security and cybersecurity. The conclusions set out priorities for addressing this issue and for boosting the global competitiveness of the EU's IoT industry by ensuring the highest standards of resilience, safety and security. They underline the importance of assessing, in the long term, the need for horizontal legislation covering all relevant aspects of the cybersecurity of connected devices, such as availability, integrity and confidentiality, including the conditions that such devices would have to meet before being placed on the market.