The current cybersecurity policy of the EU
Recognizing the severe consequences of cyberthreats, the EU has been working continuously on its cybersecurity policy since the proposal for the Network and Information Security Directive (NIS), which was issued on 6 July 2016 and had to be transposed by the Member States by 9 May 2018. The Directive was an attempt to codify the non-binding mechanisms across the EU and to address the lack of harmonization of the EU's cyber policy. It provides rules for certain crucial sectors (such as utilities and digital infrastructure) with respect to cybersecurity and non-personal data breach notifications.
Another important building block of the EU's current information security framework is the European Union Agency for Cybersecurity (ENISA), created in 2004. Its aim is to assist national authorities in coordinating their efforts in preventing cybercrimes, sharing expertise and exchanging best practices. ENISA's competences became broader with the adoption of the EU Cybersecurity Act in 2019 that granted it a mandate to set up and maintain the EU cybersecurity certification framework. This lays down the procedure for the creation of EU cybersecurity certification schemes, covering ICT products, services and processes.
The European Cybercrime Centre of Europol is also a key player when it comes to helping Member States in investigating online crimes and combatting criminal networks. Additionally, the EU Computer Emergency Response Team, established in 2012, aims at providing efficient response to cyber security incidents and threats for the EU institutions. One of the main efforts of the EU in harmonizing cybersecurity policy was the adoption in 2018 of the General Data Protection Regulation (GDPR). Although intended to protect only personal data, the GDPR is indeed also a cybersecurity instrument as it aims, inter alia, to protect personal data against unauthorised and unlawful access, insider data abuse, and other external threats. Indirectly, the implementation of and compliance with the GDPR should also lead to a higher cybersecurity level in general.
Although the existing bundle of cybersecurity safeguards is impressive and offers important mechanisms to prevent cyberattacks, the European Commission recognizes the ever expanding and evolving nature of potential threats. The proliferation of connected devices, the instalment of 5G networks and the rise of Covid-19 associated cyberthreats are just a few of the most recent cybersecurity challenges. The objectives of the European Commission's previous Cybersecurity Strategy of 2013 had therefore inevitably become outdated in light of the immense technological progress (both at the side of the potential victims and at the side of the attackers).
Cybersecurity challenges and the need for change
The EU has adopted its new Cybersecurity Strategy in December 2020. The European Commission presented the Strategy as part of its "Shaping Europe's digital future" strategy (a digital transformation strategy of the EU that is aimed at benefiting society and economy), the Recovery Plan for Europe (a plan for recovery from economic and social damage caused by the Covid-19 pandemic) and the EU Security Union Strategy (the EU's strategy in fostering security across Member States in 2020-2025). The Strategy's main focus is to strengthen the EU's resilience to cyberattacks, ensure that citizens and businesses have confidence in digital tools and to promote co-operation between the EU agencies as well as between the Member States. Apart from certain 'soft-law' proposals, there were also two legislative proposals, namely a draft of an updated NIS Directive and a new draft of the Directive to enhance the resilience of critical entities providing essential services in the EU.
In the new Cybersecurity Strategy proposal, which was eventually adopted by the EU's Council in March 2021, the European Commission highlights certain challenges that trigger the need for change. The soon to be omni-present 5G network will greatly benefit the future of digital services. Many essential services and infrastructures will rely on 5G that will make them more accessible and responsive. However, a heavy reliance of many critical services on 5G will increase their vulnerability. Consequently, this creates pressure on the Member States to ensure the highest levels of cybersecurity for 5G networks. Considering the trans-border interconnected nature of 5G, a high level of cybersecurity of such network becomes a task of EU-wide importance. Moreover, the European Commission recognizes the general vulnerability of critical infrastructure due to an increased interconnectivity in the information society. The digitalization of the EU's industrial landscape makes it exposed to cyberthreats.
The Joint Communication of the European Commission on the new Cybersecurity Strategy provides some worrisome statistics concerning the use of online services: 3/5 of EU users feel unable to protect themselves from cyberthreats when using online services, 1/3 of them have received fraudulent emails or calls and 1/8 of businesses have been victims of cyberattacks. The lack of trust in the cybersecurity of online services acts as a major disincentive for users to use such services and the threats of cyberattacks trigger a 'chain reaction' through the economy and society, lowering the trust of the general public.
The European Commission also stresses the importance of amending the NIS Directive in order to ensure that it is 'future-proof'. The proposal for a new Directive aims to modernize the existing legal framework in light of the increased digitalization of the internal market, which was also speed up considerably due to Covid-19.
The proposal for amending the NIS Directive also specifies the scope of the NIS Directive. There will no longer be a distinction between operators of essential services and digital service providers. Entities would be classified based on their importance, and divided respectively in essential and important categories with the consequence of being subjected to different supervisory regimes.
On top of that, the European Commission refers to the lack of cooperation between national authorities when it comes to the communication of cyber incidents. National authorities do not systematically gather and share information, which could help to assess a general cybersecurity landscape of the EU. The European Commission raises a concern that there is no operational mechanism between national authorities and EU institutions in case of cross-border large-scale cyber incident. This would need to change with the updated NIS Directive.
Covid-19 as a challenge to EU cybersecurity
Covid-19 has led to a further increase of cyber threats as the world has turned more digital than ever.
According to a survey conducted by Eurofound, as much as 65% of Belgians have worked from home during April-July of 2020. The numbers of employees who have been teleworking during the pandemic are ranging between 25% and 65% throughout the EU. According to a study created by Europol, this has significantly increased the rates of criminals profiting from such cybercrimes by using ransomware, malware and malicious apps. Cyber criminals take advantage of the fact that many SMEs do not have strong cybersecurity measures in place, since such companies use the "Bring Your Own Device" approach that, in combination with teleworking, makes employees much more vulnerable to cyberattacks. The increased threat of cyberattacks due to telework is also recognized by the European Commission in its Cybersecurity Strategy proposal.
What are the proposals included in the new Cybersecurity Strategy?
a. Security of 5G networks
The Commission acknowledges that 5G networks will become a driving force behind the internal market, but that they will also bring severe security risks because of an increased interconnectivity of the entities operating with it. According to the European Commission, the coordination of 5G networks between the EU Institutions and the Member States is of paramount importance. That is why the Member States are urged to promptly implement the EU 5G Toolbox that includes robust and comprehensive measures for an EU coordinated approach to secure 5G networks. One of the most important measures is the EU-wide certification scheme for 5G networks that should help to address the risks related to technical vulnerabilities of such networks.
b. Security Operations Centres
The creation of an AI-powered network of Security Operations Centres (SOCs) is another novelty that we can find in the European Commission's strategy. The SOCs are supposed to form a type of 'security shield' across the EU. Member States are requested to establish such SOCs that would eventually form a coherent EU-wide network. This network will be able to detect cyberattacks and allow states to act more proactively.
c. Joint Cyber Unit
The proposal for a Joint Cyber Unit has also been set forward in the European Commission's cybersecurity strategy. This Unit will be designed in order to tackle the EU's most severe cyberattacks, with a special focus on cross-border ones. The European Commission is concerned with the fact there is no structured mechanism yet to facilitate cooperation between Member States and the EU cybersecurity institutions, which would be crucial in case of a major cyberattack. It is envisaged that the Unit will involve various types of stakeholders: public agencies, private entities, citizens and law enforcement authorities.
d. Strong encryption
Strong encryption is recognized by the European Commission as a means of protection fundamental rights and the digital security of individuals, governments and industry. Thus, it is essential to support the development, implementation and use of strong encryption. At the same time, the European Commission reminds that law enforcement authorities must be able to access data (online and offline) in order to protect the society and its citizens. Such access, however, should be carried out in full respect of fundamental rights and data protection laws.
An important part of the package of new measures under the New Cybersecurity Strategy is, as already briefly discussed above, the proposal for a Directive on measures for a high common level of cybersecurity across the Union. This Directive, informally called NIS 2.0, is supposed to repeal and build upon the 2016 NIS Directive.
Although generally considered a success, the NIS Directive no longer answers to the needs of the cybersecurity landscape of the EU. In the draft proposal for the new Directive, the European Commission reiterates that the NIS Directive has boosted EU-wide cybersecurity: (i) it required Member States to adopt national cybersecurity strategies and to appoint cybersecurity authorities; (ii) it increased cooperation between Member States;( and (iii) it improved cyber resilience of public and private entities in essential sectors. The proposal, however, points at the increased digitalization of the internal market, which has been amplified even more by the pandemic. This has severely increased the level of cyber threats and, together with other limitations of the NIS Directive, leads to a required change of the original NIS Directive.
Most notably, the ex-post evaluation in the proposal has confirmed that the essential sectors covered by the current NIS Directive no longer represent all digitalized sectors that provide key services, and thus leaves them outside of its scope of application. Moreover, it does not contain precise guidelines on how to identify these essential services, which led to the situation whereby certain entities were not required to implement crucial provisions of the Directive although being quite important to the economy. The margin of appreciation left to the Member States for implementing incident reporting requirements also led to considerable inconsistencies between Member States, putting additional burden on companies.
The revised NIS Directive proposes several improvements in light of this criticism of its original text. Firstly, not only does the NIS 2.0 Directive expand the range of essential entities (now also including waste waters, public administration and space companies). Importantly, it also introduced the notion of 'important' entities, which include postal and courier services, waste management, manufacturing, production and distribution of chemicals, food production, processing and distribution, manufacturing and digital providers. The main reason for such division into "essential entities" and "important entities" is to give Member States more flexibility in identifying such entities and consequently subjecting them to different supervisory regimes. The proposal also erases the difference between essential services and providers of digital services.
Secondly, the new text foresees a list of basic cybersecurity risk management measures that all essential and important entities need to implement. The list is non-exhaustive and includes measures ranging from risk analysis to use of cryptography and encryption. Additionally, contrary to the permissive 'may' wording of the old NIS Directive, the NIS 2.0 Directive obliges Member States to ensure that operators of essential and important entities report significant cyber incidents to Computer Security Incident Response Teams.
Thirdly, the NIS 2.0 Directive encourages Member States to require essential and important entities to comply with the European cybersecurity certification schemes and to use European and international standards and specifications in the field of security of network and information systems.
Fourthly, the proposed text gives more power to competent authorities when it comes to the supervision and enforcement of the NIS Directive. For example, it includes a list of measures to which competent authorities can subject essential and important entities. The maximum threshold of administrative fines is also defined in the proposal and amounts to up to 10.000.000 EUR or 2% of the total annual worldwide turnover of the respective essential or important entity.
Finally, the text emphasises the importance of cooperation between the Member States. It proposes to establish the EU Cyber Crisis Liaison Organisation Network (CyCLONe) – an organization designed to support the coordinated management of large-scale cybersecurity incidents and crises at an operational level and to ensure the regular exchange of information among Member States and Union institutions, bodies and agencies. The NIS 2.0 Directive will also task the ENISA to draft biennial reports on the state of cybersecurity in the EU.
The text of the NIS 2.0 Directive will be negotiated between the EU institutions in the coming months. If accepted, it could be seen as an important step in strengthening cybersecurity across the EU.
The New EU Cybersecurity Strategy, together with the proposal for a NIS 2.0 Directive, are an important response to the change of the cybersecurity landscape that we observe in the world. The European Commission fully recognizes the need for amplifying the current status quo of the EU's cybersecurity framework. The various interesting measures that have been proposed will be negotiated in the months to come and, if and when accepted, will bring important novelties to improve cybersecurity in the EU. Companies across the EU should already familiarize themselves with the new proposals to start contemplating about their transposition into daily business. Of course, many proposals could already be applied in practice to boost an organization's security.
The authors would like to thank Mrs. Tatiana Prozorova for her contribution to this article.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.