Digital Agenda: Overview

Cybersecurity & Trust

Securing network and information systems in the European Union is essential. It safeguards our communication and data and keeps the online society and economy running. The European Union works on various fronts to promote cyber resilience.

EU Cybersecurity Strategy

As a key component of Shaping Europe's Digital Future, the Recovery Plan for Europe and the EU Security Union Strategy, the EU Cybersecurity Strategy will bolster Europe's collective resilience against cyber threats and help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. Whether it is the connected devices, the electricity grid, or the banks, planes, public administrations and hospitals Europeans use or frequent, they deserve to do so with the assurance that they will be shielded from cyber threats.

The new strategy aims to ensure a global and open Internet with strong safeguards where there are risks to security and the fundamental rights of people in Europe. Following the progress achieved under the previous strategies, it contains concrete proposals for deploying three principal instruments. These three instruments are regulatory, investment and policy initiatives. They will address three areas of EU action:

  1. resilience, technological sovereignty and leadership;
  2. operational capacity to prevent, deter and respond;
  3. cooperation to advance a global and open cyberspace.

Resilience, Technological sovereignty and leadership

EU rules on the security of Network and Information Systems (NIS) are at the core of the Single Market for cybersecurity. The Commission proposes to reform these rules under a revised NIS Directive to increase the level of cyber resilience of all relevant sectors, public and private, that perform an important function for the economy and society. The review is necessary to reduce inconsistencies across the internal market by aligning scope, security and incident reporting requirements, national supervision and enforcement and the capabilities of competent authorities.

With the spread of connectivity and the growing sophistication of cyberattacks, Information Sharing and Analysis Centres, or ISACs, perform a valuable function, including at the sectoral level, in allowing information exchange between multiple stakeholders on cyber threats. In addition to this, networks and computer systems require constant monitoring and analysis to detect intrusions and anomalies in real time. Many private companies, public organisations and national authorities have therefore set up Computer Security Incident Response Teams (CSIRTs) and Security Operations Centres, or ‘SOCs’. The Commission proposes to build a network of Security Operations Centres across the EU, and to support the improvement of existing centres and the establishment of new ones. It will also support the training and skill development of staff operating these centres. It could commit, on the basis of a needs analysis conducted with relevant stakeholders and supported by the EU Agency for Cybersecurity (ENISA), over EUR 300 million to support public-private and cross-border cooperation in creating national and sectoral networks, involving also SMEs, based on appropriate governance, data sharing and security provisions. The centres would then be able to more efficiently share and correlate the signals detected and create high-quality threat intelligence to be shared with ISACs and national authorities, thus enabling a fuller situational awareness.

The European Union Governmental Satellite Communications, a component of the Space Programme, will provide secure and cost-efficient space-based communication capabilities to ensure the security- and safety-critical missions and operations managed by the EU and its Member States, including national security actors and EU institutions, bodies and agencies. Member States have committed to working together with the Commission towards the deployment of a secure quantum communication infrastructure (QCI) for Europe. The QCI will offer public authorities a brand new way to transmit confidential information using an ultra-secure form of encryption to shield against cyberattacks, built with European technology. It will have two main components: existing terrestrial fibre communication networks linking strategic sites at national and cross-border levels; and linked space satellites covering the whole EU, including its overseas territories.

  • Securing the next generation of broadband mobile networks

EU citizens and companies using advanced and innovative applications enabled by 5G and future generations of networks should benefit from the highest security standard. Member States, together with the Commission and with the support of ENISA, have established with the EU 5G Toolbox of January 2020 a comprehensive and objective risk-based approach to 5G cybersecurity that is based on an assessment of possible mitigation plans and identification of the most effective measures. Moreover, the EU is consolidating its capabilities in 5G and beyond to avoid dependencies and to foster a sustainable and diverse supply chain. In December 2020, the Commission published a report on the impacts of the Recommendation of 26 March 2019 on the Cybersecurity of 5G networks. It showed that considerable progress has been made since the Toolbox was agreed, and that most Member States are on track to complete a significant part of the Toolbox implementation in the near future, albeit with some variations and remaining gaps as already identified in the Progress report published in July 2020. Based on the report of the impacts of the 2019 Recommendation, the Commission encourages Member States to accelerate the work towards completing the implementation of the main Toolbox measures by the second quarter of 2021. It also calls on Member States to continue monitoring together progress made and ensuring further alignment of approaches. At EU level, three main objectives will be pursued in order to support this process:

  • ensuring further convergence in risk mitigation approaches across the EU;
  • supporting continuous exchange of knowledge and capacity building;
  • promoting supply chain resilience and other EU strategic security objectives.

Every connected thing contains vulnerabilities that can be exploited with potentially widespread ramifications. Internal Market rules include safeguards against insecure products and services. The Commission is already working to ensure transparent security solutions and certification under the Cybersecurity Act and to incentivise safe products and services without compromising on performance. It will adopt its first Union Rolling Work Programme in the first quarter of 2021 (to be updated at least once every three years) to allow industry, national authorities and standardisation bodies to prepare in advance for future European cybersecurity certification schemes. As the Internet of Things proliferates, enforceable rules require strengthening, both to ensure overall resilience and to boost cybersecurity. The Commission will consider a comprehensive approach, including possible new horizontal rules to improve the cybersecurity of all connected products and associated services placed on the Internal Market. Such rules could include a new duty of care for connected device manufacturers to address software vulnerabilities, including the continuation of software and security updates as well as ensuring, at the end of life, deletion of personal and other sensitive data. These rules would bolster the ‘right-to-repair obsolete software’ initiative presented in the Circular Economy Action Plan and complement ongoing measures which address specific types of products, such as mandatory requirements to be proposed for market access of certain wireless products.

  • Strategic Initiatives

The EU should ensure:

  • Adoption of revised NIS Directive;
  • Regulatory measures for an Internet of Secure Things;
  • Through the CCCN investment in cybersecurity (notably through the Digital Europe Programme, Horizon Europe and recovery facility) to reach up to €4.5 billion in public and private investments over 2021-2027;
  • An EU network of AI-enabled Security Operation Centres and an ultra-secure communication infrastructure harnessing quantum technologies;
  • Widespread adoption of cybersecurity technologies through dedicated support to SMEs under the Digital Innovation Hubs;
  • Development of an EU DNS resolver service as a safe and open alternative for EU citizens, businesses and public administration to access the Internet; and
  • Completion of the implementation of the 5G Toolbox by the second quarter of 2021.

Building Operational Capacity to Prevent, Deter and Respond

  • A Joint Cyber Unit

A Joint Cyber Unit would serve as a virtual and physical platform for cooperation for the different cybersecurity communities in the EU, with a focus on operational and technical coordination against major cross-border cyber incidents and threats. This is a step closer to achieving the European cybersecurity crisis management framework. There are four main steps to deliver the Joint Cyber Unit.

  1. Define: by mapping available capabilities at national and EU level;
  2. Prepare: by establishing a framework for structured cooperation and assistance;
  3. Deploy: by implementing the framework drawing on resources provided by participants so that the Joint Cyber Unit becomes operational;
  4. Expand: by strengthening coordinated response capacity with input from industry and partners.

Building on the outcome of the consultation with Member States, EU institutions, bodies and agencies, the Commission, with the involvement of the High Representative, in line with his competences, will by February 2021 present the process, milestones and timeline for defining, preparing, deploying and expanding the Joint Cyber Unit.

  • Tackling Cyber Crime

Our dependence on online tools has exponentially increased the attack surface for cyber criminals, and led to a situation where the investigation of nearly all types of crime has a digital component. Furthermore, core parts of our society are threatened by cyber actors and by those using cyber tools to plan and execute their illegal actions. Tackling cybercrime effectively is a key factor in ensuring cybersecurity: deterrence cannot be achieved through resilience alone but also requires identification and prosecution of offenders. It is therefore essential to foster the cooperation and exchange between cybersecurity actors and law enforcement. At EU level, therefore, Europol and ENISA have already built strong cooperation where they have organised joint conferences and workshops and provided joint reports to the Commission, Member States and other stakeholders on cybersecurity threats and technological challenges.

 

Other cyber policy areas

Cybercrime

Ordinary criminals also make use of cyberattacks that threaten Europeans. That is why the Migration and Home Affairs department of the Commission monitors and updates EU law on cybercrime and supports law enforcement capacity, as further described on its webpage. The Commission also works together with the European Cybercrime Centre in Europol.

Cyber diplomacy

The EU is making efforts to protect itself against cyber threats from outside. As a part of this, the Commission works together with the European External Action Service and Member States on the implementation of a joint diplomatic response to malicious cyber activities (the ‘cyber diplomacy toolbox’). This response includes diplomatic cooperation and dialogue, preventative measures against cyberattacks, and sanctions against those involved in cyberattacks threatening the EU.

The Commission assists in decision-making on responding to external cyber threats wherever needed. It also directly funds the ongoing EU Cyber Diplomacy Support Initiative.

Defence

The EU cooperates on defence in cyberspace through the activities of the European Defence Agency, as well as ENISA, Europol and the Directorate-General in the Commission responsible for Defence Industry.

Cyber capacity building in third countries

The EU cooperates with other countries to help build up their capacity to defend against cybersecurity threats. The Commission supports various cybersecurity programmes in the Western Balkans and the six Eastern Partnership countries in the EU’s immediate neighbourhood, as well as in other countries worldwide through its International Cooperation and Development department.