On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy as a key component of Shaping Europe's Digital Future, the Recovery Plan for Europe and the EU Security Union Strategy. The strategy marks a major step towards bolstering Europe's collective resilience against a growing threat surface and increasingly sophisticated cyber-attacks originating both inside and outside Europe.
The strategy targets essential services and critical infrastructures, such as hospitals, energy grids, banks, public administration and transportation, as well as the growing number of connected devices in homes and businesses.
The new Cybersecurity Strategy also allows the EU to step up leadership on international norms and standards in cyberspace, and to strengthen cooperation with partners around the world to promote a global, open, stable and secure cyberspace, grounded in the rule of law, human rights, fundamental freedoms and democratic values.
Alongside these new measures, the EC is making proposals to increase the resilience of critical entities and networks across a range of sectors, addressing online and offline risks, from cyber-attacks to natural disasters, in a coherent and complementary way.
The measures translate into concrete proposals for regulatory, investment and policy initiatives in three areas of EU action:
1. Resilience, technological sovereignty and leadership:
Reforming the rules on the security of network and information systems - ensuring critical infrastructures and essential services are resilient to an increasingly fast-moving and complex environment. The revised NIS Directive will bring new measures for a high common level of cyber security across the EU, thereby increasing the cyber resilience of critical public and private sectors: hospitals, energy grids, railways, data centres, public administrations, research labs, the manufacturing of critical medical devices and medicines, and other critical infrastructures.
A network of Security Operations Centres powered by artificial intelligence (AI) will be launched across the EU, acting as a 'cyber security shield' that detects early signs of a cyber-attack so that proactive steps can be taken before damage occurs.
Additional measures will include dedicated support to small and medium-sized businesses (SMEs), under the Digital Innovation Hubs, as well as increased efforts to upskill the workforce, attract and retain the best cyber security talent and invest in research and innovation that is open, competitive and based on excellence.
2. Building operational capacity to prevent, deter and respond
Preparations are under way for a new Joint Cyber Unit aimed at strengthening cooperation between EU bodies and Member State authorities responsible for preventing, deterring and responding to cyber-attacks, including the civilian, law enforcement, diplomatic and cyber defence communities. Measures include steps to strengthen the EU Cyber Diplomacy Toolbox to prevent and respond to malicious cyber activities targeting EU critical infrastructures, supply chains, democratic institutions and processes.
Measures will also aim to further enhance defence cooperation and develop state-of-the-art cyber defence capabilities, encouraging Member States to make full use of the Permanent Structured Cooperation and the European Defence Fund.
3. Advancing a global and open cyberspace through increased cooperation
International cooperation will focus on a rules-based global order, promoting international security and stability in cyberspace and protecting human rights and fundamental freedoms online. The aim is also to advance international norms and standards that reflect EU core values by working with international partners in the United Nations and other relevant forums.
The EU will further strengthen its EU Cyber Diplomacy Toolbox, and increase cyber capacity-building efforts to third countries by developing an EU External Cyber Capacity Building Agenda. Cyber dialogues with third countries, regional and international organisations as well as the multi-stakeholder community will be intensified. The EU will also form an EU Cyber Diplomacy Network around the world to promote its vision of cyberspace.
EU Industrial and Technological Capacities
The EC is also supporting industrial and technological capacities in cybersecurity, including through projects funded jointly from EU and national budgets. By pooling its assets, the EU aims to enhance its strategic autonomy and propel its leadership in cyber security across the digital supply chain, including data and cloud, next-generation processor technologies, ultra-secure connectivity and 6G networks, in line with its values and priorities.
Cyber and physical resilience of network, information systems and critical entities: NIS 2 and CER Directives
Revisions to the 2008 EU rules on critical infrastructure, which currently cover only the energy and transport sectors, are aimed at overcoming the siloed treatment of cyber and physical risks in the face of growing digitisation, interconnectedness and the increasing complexity of physical risks.
NIS 2 Directive: The revised NIS Directive (NIS 2) will cover medium and large entities from sectors selected on the basis of their criticality for the economy and society. The overarching goal of the NIS 2 proposal is to increase information sharing and cooperation on cyber crisis management at national and EU level. Core elements of NIS 2 are:
- Strengthening security requirements imposed on companies.
- Addressing the security of supply chains and supplier relationships.
- Streamlining reporting obligations.
- Introducing more stringent supervisory measures for national authorities and stricter enforcement requirements.
- Harmonising sanction regimes across Member States.
CER Directive (Critical Entities Resilience): Expanding both the scope and depth of the 2008 European Critical Infrastructure Directive by covering ten sectors, namely energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Under the proposed directive, each Member State would adopt a national strategy for ensuring the resilience of critical entities and carry out regular risk assessments, helping to identify a subset of critical entities that would be subject to obligations aimed at enhancing their resilience in the face of non-cyber risks. Such obligations would include entity-level risk assessments, taking technical and organisational measures, and incident notification.
On the EC side, complementary support would be provided to Member States and critical entities, for example by developing a Union-level overview of cross-border and cross-sectoral risks, best practice, methodologies, cross-border training activities and exercises to test the resilience of critical entities.
Securing the next generation of networks: 5G and beyond
Under the new Cybersecurity Strategy, Member States are encouraged to complete the implementation of the EU 5G Toolbox, a comprehensive and objective risk-based approach to the security of 5G and future generations of networks.
With most Member States well on track to implement the EU Toolbox of mitigating measures, as reported in December 2020, the next step is to complete that implementation by the second quarter of 2021 and to ensure a coordinated approach to mitigating the identified risks, with a view to minimising exposure to high-risk suppliers and avoiding dependence on them. The new measures set out the main objectives and actions for continuing this work at EU level.
Lookout Watch Entry Date: 23 December 2020