The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy have set forth a new EU Cybersecurity Strategy that aims to safeguard a global and open internet by harnessing and strengthening all tools and resources to ensure security and protect European values.
The European Union’s critical infrastructure and essential services are increasingly interdependent and digitised. All internet-connected things in the EU, whether industrial control systems, automated cars or home appliances, and the whole supply chains which make them available, need to be secure-by-design, resilient to cyber incidents and quickly patched when security vulnerabilities are discovered.
The European Commission is the EU’s politically independent executive arm, responsible for drawing up proposals for new European legislation and for implementing the decisions of the European Parliament and the Council of the EU.
With the industrial landscape in the EU getting increasingly digitised and connected, cyberattacks can have a far greater impact on industries and ecosystems than ever before. The cybersecurity strategy also allows the EU to step up leadership on international norms and standards in cyberspace, and to strengthen cooperation with partners around the world to promote a global, open, stable and secure cyberspace, grounded in the rule of law, human rights, fundamental freedoms and democratic values.
“Europe is committed to the digital transformation of our society and economy. So we need to support it with unprecedented levels of investment,” said Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age. “The digital transformation is accelerating, but can only succeed if people and businesses can trust that the connected products and services – on which they rely – are secure.”
The Commission President Ursula von der Leyen had last year called for a Joint Cyber Unit in her political guidelines. The unit would strengthen cooperation between EU bodies and Member State authorities responsible for preventing, deterring and responding to cyberattacks, including civilian, law enforcement, diplomatic and cyber defense communities.
The Commission proposed to reform the rules on the security of network and information systems under a revised NIS Directive, or ‘NIS 2’, on measures for a high common level of cybersecurity across the Union. This will help increase the level of cyber resilience of critical public and private sectors such as hospitals, energy grids and railways, as well as data centres, public administrations, research labs and the manufacturing of critical medical devices and medicines. It will also have an impact on other critical infrastructure and services.
The revised NIS Directive will cover medium and large entities from more sectors based on their criticality for the economy and society. NIS 2 strengthens security requirements imposed on companies, addresses security of supply chains and supplier relationships, streamlines reporting obligations, introduces more stringent supervisory measures for national authorities, stricter enforcement requirements, and aims at harmonizing sanctions regimes across Member States. The NIS 2 proposal will help increase information sharing and cooperation on cyber crisis management at national and EU level.
The Commission also proposes to launch a network of Security Operations Centres across the EU, which will constitute a real ‘cybersecurity shield’ for the EU, able to detect signs of a cyberattack early enough and to enable proactive action, before damage occurs.
The proposed Critical Entities Resilience (CER) Directive expands both the scope and depth of the 2008 European Critical Infrastructure Directive. Ten sectors are now covered, including energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space.
Under the proposed CER Directive, Member States would each adopt a national strategy for ensuring the resilience of critical entities and carry out regular risk assessments. These assessments would also help identify a smaller subset of critical entities that would be subject to obligations intended to enhance their resilience in the face of non-cyber risks, including entity-level risk assessments, technical and organizational measures, and incident notification.
The Commission, in turn, would provide complementary support to Member States and critical entities, for instance by developing a Union-level overview of cross-border and cross-sectoral risks, best practices, methodologies, cross-border training activities and exercises to test the resilience of critical entities.
“We appreciate the proposal to further develop Europol’s role as the centre of expertise on cybercrime to support national law enforcement authorities, as well as increased funding and mandate for CERT-EU,” wrote Sebastian Gerlach, a Palo Alto Networks executive, in a blog post. “Both entities play critical roles supporting cybersecurity efforts throughout the EU. The focus on improving cybersecurity of EU institutions, bodies and agencies will be important to shield these organisations from cyberattacks.”
“The draft provides a very constructive approach for supply chain risk management – guiding entities to consider the cybersecurity practices of their suppliers, including secure development practices – and we encourage EU co-legislators to further build on these proposals, such as by promoting transparency in how companies manage risks to their supply chains and how ICT vendors can demonstrate adherence to best practices,” Gerlach added.
The European Commission and the High Representative are committed to adopting the new Cybersecurity Strategy in the coming months. The two bodies will report on the progress made and keep the European Parliament, the Council of the European Union, and stakeholders fully informed and engaged in all relevant actions.
It is now for the European Parliament and the Council to examine and adopt the proposed NIS 2 Directive and the Critical Entities Resilience Directive. Once the proposals are agreed and consequently adopted, Member States would then have to transpose them within 18 months of their entry into force.