The European Parliament’s internal market committee has backed calls to introduce measures ensuring that businesses supplying essential services improve their ability to resist cyberattacks.
The new rules will help protect essential networks and services including online banking, electricity grids and air traffic control systems.
Security incidents caused by human and technical failures or intentional attacks can cost as much as €340bn in losses annually, according to European Network and Information Security Agency (ENISA) estimates.
Currently, EU cybersecurity rules are highly fragmented along national lines. The new directive seeks to end this by defining a high common level of security for network and information systems across all member states.
It will list common sectors where critical service companies need to ensure that they can withstand cyberattacks.
German EPP MEP and rapporteur on the file, Andreas Schwab, said; "Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields… Member states will also have to cooperate more on cybersecurity - which is even more important in light of the current security situation in Europe."
EU countries will have to clearly identify 'operators of essential services' in the relevant fields using set criteria. These include whether the service is critical for society and the economy, whether it depends on network and information systems and whether disruption could significantly affect service provision or present a risk to the public.
For digital services, the directive will mainly affect larger organisations such as companies providing cloud storage, search engine providers and large online marketplaces.
They will have to take measures to protect their infrastructure, and will be obliged to report major incidents or attacks to the relevant national authorities. The scope of the directive does not extend to micro and small digital companies.
The draft rules foresee a strategic 'cooperation group' to exchange best practice, define guidelines and aid with capacity building where necessary. Every member state will also have to set up a network of computer security incident response teams to handle incidents and risks.
The proposals have already been informally agreed by MEPs and Council negotiators, but will need to be formally endorsed by the Council and the European Parliament.