The Covid-19 pandemic has made the need for an adequate cyber defense urgent to face the increasing global threats. The fast-growing use of smart working and distance learning and the greater use of digital services, has heightened exposure to possible attacks, underlining the importance of strengthening the existing set of rules able to guarantee a secure digital ecosystem.
As a part of the Recovery Plan Communication “Europe’s moment: Repair and Prepare for the Next Generation”, the Commission published a new Cybersecurity Strategy. Starting from the consideration that transport, energy, health, telecommunications, finance, security, democratic processes, space and defence are heavily reliant on the network, and information systems are becoming increasingly interconnected and these cross-sector interdependences increase vulnerabilities to cyberattacks, the Commission has launched a strategy focused on three pillars and related initiatives:
1) resilience, technological sovereignty and leadership, and to achieve these the Commission proposes: a) the reform of EU rules on the security of Network and Information Systems (launched on the same date as the new Cybersecurity Strategy); b) the setting up of a network of Security Operations Centres across the EU and the support for improving existing centres and establishing new ones to create a collective knowledge and share best practices, also supporting the training and skill development of centres’ staff; c) the deployment – in 2021-2027 – of a secure quantum communication infrastructure (QCI) for Europe able to offer public authorities a brand new way to transmit confidential information using an ultra-secure form of encryption to shield against cyberattacks, built with European technology; d) the adoption, under the Cybersecurity Act, of the first Union Rolling Work Programme in the first quarter of 2021 (to be updated at least once every three years) to provide incentives for safe products and services without compromising on performance and allow industry, national authorities and standardisation bodies to prepare in advance for future European cybersecurity certification schemes. The Commission also announced its willingness to consider a comprehensive approach, including possible new horizontal rules to improve the cybersecurity of all connected products and associated services placed on the Internal Market; e) the development of a contingency plan, supported by EU funding, for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system; f) the support for the adoption of a DNS resolution diversification strategy, the development of a public European DNS resolver service and the uptake of key internet standards including IPv664 and well-established internet security standards and good practices for DNS, routing, and email security; g) the development of a dedicated cybersecurity Masters Programme, and the definition of a common European Cybersecurity Research and Innovation Roadmap beyond 2020; h) the upskilling of the workforce, the development, attraction and retention of the best cybersecurity talent and investments in world class research and innovation;
2) building operational capacity to prevent, deter and respond, and several strategic initiatives to be implemented have been identified, specifically: a) complete the European cybersecurity crisis management framework and determine the process, milestones and timeline for establishing the Joint Cyber Unit; b) continue implementation of the cybercrime agenda under the Security Union Strategy; c) encourage and facilitate the establishment of a MS cyber intelligence working group residing within the EU INTCEN; d) advance the EU’s cyber deterrence posture to prevent, discourage, deter and respond to malicious cyber activities; e) review the Cyber Defence Policy Framework; f) facilitate the development of an EU “Military Vision and Strategy on Cyberspace as a Domain of Operations” for CSDP military missions and operations; g) support synergies between civil, defence and space industries; h) reinforce cybersecurity of critical space infrastructures under the Space Programme;
3) advancing a global and open cyberspace where the Commission underlines that the EU should: a) define a set of objectives in international standardisation processes, and promote these at international level; b) advance international security and stability in cyberspace, notably through the proposal by the EU and its MSs for a Programme of Action to Advance Responsible State Behaviour in Cyberspace (PoA) in the United Nations; c) offer practical guidance on the application of human rights and fundamental freedoms in cyberspace; d) better protect children against child sexual abuse and exploitation, as well as a Strategy on the Rights of the Child; d) strengthen and promote the Budapest Convention on Cybercrime, including through the work on the Second Additional Protocol to the Budapest Convention; e) expand EU cyber dialogue with third countries, regional and international organisations, including through an informal EU Cyber Diplomacy Network; f) reinforce the exchanges with the multi-stakeholder community, notably by regular and structured exchanges with the private sector, academia and civil society; g) propose an EU External Cyber Capacity Building Agenda and an EU Cyber Capacity Building Board.
The strategy also underlines the importance to improve the overall level of cybersecurity through consistent and homogeneous rules, with common binding rules on information security and on cybersecurity for all EU institutions, bodies and agencies in 2021, based on ongoing EU inter-institutional discussions on cybersecurity.
The Commission also presented a legislative proposal to update the NIS Directive (which could be identified as “NIS 2”) to achieve a higher common level of cybersecurity across the Union and a new Critical Entity Resilience Directive covering a wide range of sectors. Both new directives aim to address current and future risks both online and offline – from cyberattacks to crime or natural disasters – in a consistent and complementary manner.
The proposed reform of the rules on the security of network and information systems, pursues the objective of overcoming the existing regulatory fragmentation (in relation, for example, to the identification of the operators of essential services), extending the scope of application to include parties operating in sectors that are not currently covered by current regulations (such as aerospace, waste management, and food manufacturing) and increasing the level of cyber resilience of critical public and private sectors. These include hospitals, energy networks, railways, and also data centres, public administrations, research laboratories and the production of medical devices and critical medicines, as well as other critical infrastructures and services with the aim of increasing their security in an increasingly rapid and complex threat environment.
The new European Cyber Security Strategy and the proposals described are an extremely important development as it aims to strengthen Europe’s collective resilience against cyber threats and will help strengthen the regulatory ecosystem in which all citizens and businesses can fully benefit from secure digital services and tools.
The initiatives to implement the new EU Cybersecurity Strategy will be continuously detailed over the coming months by the European Commission and the High Representative, so that the European Parliament, the Council and stakeholders are kept up to date on progress while the proposed NIS reform and Critical Entity Resilience Directive continue their procedure of adoption by Parliament and the Council.