Network and Information Security (cepPolicyBrief COM2020_823)


Cyber attacks increasingly threaten the security of companies in the European Union, in particular energy suppliers, oil pipelines and hospitals. The EU Commission therefore wants to improve the level of cyber security, especially for critical infrastructures, and tighten reporting requirements.


"The economic and societal damage caused by cyber attacks on critical infrastructure facilities is immense. Against this background, the new obligations for companies to also minimise risks in supply chains are appropriate and necessary. However, the measures should be limited to suppliers of IT products and services that are crucial for the continuation of these companies' business activities," says cep cyber expert Philipp Eckhardt, who wrote the cepPolicyBrief.

According to Eckhardt, the new reporting procedures increase legal clarity. In addition, the single entry point for notifications reduces the administrative burden for notifying entities. "However, the obligation to report incidents within 24 hours could prove too demanding," Eckhardt emphasises.