TAP, armed forces hacks incidents to be covered by new EU cyber resilience law

The European Commission said on Thursday it was “fully aware” of recent cyberattacks in Portugal, against TAP and the General Staff of the Armed Forces, regarding NATO documents, assuring that these incidents will be covered by the new European requirements.

“We are fully aware of these cyberattacks and, by the way, we can also refer to another recent one in Portugal against a major telecoms operator, so we are fully aware of what is happening” in the country, said EU Internal Market Commissioner Thierry Breton in Brussels.

Answering a question from the Lusa news agency at the press conference to present the proposal for a new law on cyber-resilience, Thierry Breton pointed out that “this type of attack will be covered by the new legislation”, as they are carried out using “specific software”.

In question is the computer attack on TAP that occurred in August which led to the online publication of files with personal data of the airline’s customers, as well as the cyberattack against the General Staff of the Armed Forces, in which classified NATO documents were extracted and placed for sale on the dark web.

Also present today at the occasion and responding to a question from Lusa, the Vice-President of the European Commission to promote the European way of life, Margaritis Schinas, pointed out that the institution is, “in general terms, aware that there is a wave of cyberattacks that is intensifying”.

The official noted that this was also the trend “that has been seen in the case of Portugal, in air transport and in the armed forces”.

“Europe is being targeted [by such incidents], namely our member states, our industry, citizens and of course the pandemic has acted as a massive accelerator,” Margaritis Schinas listed.

In addition, “we have also seen many cases that targeted financial services and more importantly health systems because in both areas there is a huge amount of data available and so yes, we are aware of this wave of attacks, that is precisely why we are building this cyber resilience law,” he concluded.

Today, the European Commission proposed a new cyber-resilience law introducing mandatory cybersecurity requirements for digital products in the European Union (EU), proposing fines of up to 2.5% of turnover or up to €15 million.

The proposed regulation applies to all products that are connected directly or indirectly to another device or network, although some exceptions are foreseen for products for which cybersecurity requirements are already set out in existing EU rules, for example for medical devices, aviation or cars.

It will now be up to the European Parliament and the Council to deliberate on the proposed Cyber Resilience Law, with Brussels highlighting “the goodwill” of the co-legislators and hoping that this initiative will move forward quickly.