THE EUROPEAN – SECURITY AND DEFENCE UNION
Taking a cyber leap forwards
Europe must respond to the evolving cyber threat landscape
by Roberto Viola, Director-General, DG CONNECT, European Commission, Brussels
The increased connectedness and the borderless nature of digital communications have put cybersecurity at the forefront of EU policy, leading to the adoption of the first pieces of EU-wide legislation on cybersecurity. Despite this effort, the proliferation of interconnected devices and the rollout of high-capacity communications infrastructure, such as 5G, give rise to a plethora of new vulnerabilities and risks. Moreover, state actors are increasingly employing cyber tools to achieve geopolitical goals. Therefore, the European Union will have to adapt to this evolving threat landscape by developing new responses and by making the most of the legal framework recently adopted.
A robust framework has been put in place
Over the last five years, the European Union has developed a set of measures that has strengthened the cyber resilience of organisations, improved the EU’s ability to respond to external threats and laid the ground for enhancing the security of ICT products, services and processes. With the adoption in 2016 of the Directive on security of network and information systems (NIS Directive)1, the European Union has developed its first cybersecurity legislation. The directive requires Member States to ensure that key companies in essential sectors, such as energy or transport, take appropriate security measures and notify national authorities of cyber incidents. It has served as a catalyst for Member States, triggering real change on the ground. However, the NIS Directive is much more than just a set of common rules. It has also established the Cooperation Group, a forum where Member States exchange experiences, align regulatory approaches and build trust. The group serves as a platform for developing common approaches on a wide variety of subjects, such as election security, sector-specific alignment and security of 5G networks.
In order to address the external dimension of cybersecurity, the Council, with the support of the European External Action Service, has developed the Cyber Diplomacy Toolbox. The framework consists of a number of measures, including a new sanctions regime adopted in May 2019. The regime enables the EU to put in place targeted restrictive measures to deter and respond to external cyber-attacks. It allows the EU to impose sanctions on individuals and entities, including travel bans and freezing assets.
The recently adopted Cybersecurity Act2 illustrates in a powerful manner that cybersecurity has evolved into a priority at EU level: fifteen years after its foundation, ENISA, the European Union Agency for Cybersecurity, has now been given a permanent mandate, more resources and new tasks related to cybersecurity certification and operational support in the case of cyber-attacks. The act also puts in place a legal framework for EU-wide cybersecurity certification schemes to improve the security of ICT products, services and processes. The Commission has already asked ENISA to prepare a first candidate scheme and more will follow. We are also exploring the introduction of mandatory schemes in priority areas.
Cyber resilience remains a priority
The Commission will continue to work to increase the Union’s cyber resilience. European Commission President-elect Ursula von der Leyen has proposed to set up a Joint Cyber Unit to prevent, respond to, but also investigate cybersecurity incidents. The purpose is to speed up information sharing and bring cooperation between Member States and EU institutions to a new level. This initiative will build on existing work on rapid emergency response, notably on the Blueprint, a set of commonly agreed procedures ensuring a coherent Union-wide response in the event of a large-scale cyber incident.