In December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented the new EU Cybersecurity Strategy. Among its most notable measures are plans to establish a new Joint Cyber Unit to combat cyberattacks across the EU.
The 2020s have been dubbed the Digital Decade by the European Union, and the publication of the EU Cybersecurity Strategy will play a key part in the Shaping Europe’s Digital Future strategy, the Recovery Plan for Europe, and the EU Security Union Strategy. The Strategy aims to “bolster Europe’s collective resilience against cyber threats and help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools”.
Speaking upon the presentation of the strategy, Margrethe Vestager, Executive Vice-President for A Europe Fit for the Digital Age, said: “Europe is committed to the digital transformation of our society and economy. So, we need to support it with unprecedented levels of investment. The digital transformation is accelerating but can only succeed if people and businesses can trust that the connected products and services on which they rely are secure.”
The strategy proposes action in three separate areas to put “trust and security at the heart of the EU Digital Decade”. The second of these, “building operational capacity to prevent, deter and respond”, contains within it plans for the creation of the Joint Cyber Unit. The Joint Cyber Unit is being designed “to strengthen cooperation between EU bodies and member state authorities responsible for preventing, deterring, and responding to cyber-attacks, including civilian, law enforcement, diplomatic and cyber defence communities”.
The High Representative has also put forward proposals to strengthen the EU Cyber Diplomacy Toolbox to “prevent, discourage, deter and respond effectively against malicious cyber activities, notably those affecting our critical infrastructure, supply chains, democratic institutions and processes”. The EU has stated its aim to further enhance cyber defence cooperation and develop state-of-the-art cyber defence capabilities, aiming to build on the work of the European Defence Agency and encourage member states to make full use of the Permanent Structured Cooperation and the European Defence Fund.
In the first of the three areas, “resilience, technological sovereignty and leadership”, the Commission proposes the reform of rules on the security of network and information systems, under a Directive aimed at establishing a high common standard of cybersecurity across the EU (NIS 2), in order to “increase the level of cyber resilience of critical public and private sectors: hospitals, energy grids, railways, but also data centres, public administrations, research labs and manufacturing of critical medical devices and medicines, as well as other critical infrastructure and services”. Such infrastructure, equipment and services, the Commission says, “must remain impermeable, in an increasingly fast-moving and complex threat environment”.
NIS 2 “will cover medium and large entities from more sectors based on their criticality for the economy and society”. It will strengthen the security requirements imposed on companies, address the security of supply chains and supplier relationships, streamline reporting obligations, introduce more stringent supervisory measures for national authorities and stricter enforcement requirements, and aim to harmonise sanctions regimes across member states.
The Commission has also proposed the launch of a network of security operations centres across the EU. These centres would be powered by artificial intelligence (AI) and would constitute “a real ‘cybersecurity shield’ for the EU”, able to detect signs of a cyberattack early enough to take preventative action before damage occurs. Additional measures will include dedicated support to small and medium-sized businesses (SMEs), under the Digital Innovation Hubs, as well as “increased efforts to upskill the workforce, attract and retain the best cybersecurity talent and invest in research and innovation that is open, competitive, and based on excellence”.
The third area in which the Commission is focusing its efforts is “advancing a global and open cyberspace through increased cooperation”, where the EU pledges to increase its level of work with international partners “to strengthen the rules-based global order, promote international security and stability in cyberspace, and protect human rights and fundamental freedoms online”. These measures will “advance international norms and standards that reflect these EU core values, by working with its international partners in the United Nations and other relevant fora”.
Part of these measures will be the strengthening of the EU Cyber Diplomacy Toolbox and an increase in the EU’s cyber capacity-building efforts in third countries through the development of an EU External Cyber Capacity Building Agenda. Cyber dialogues with third countries, regional and international organisations, and the multi-stakeholder community will be “intensified”, the Commission says. An EU Cyber Diplomacy Network will also be formed around the world in order to promote the Union’s vision of cyberspace.
The EU plans to support the new strategy with “an unprecedented level of investment in the EU’s digital transition over the next seven years”. This funding will come through the next long-term EU budget, the Digital Europe Programme and Horizon Europe, as well as the Recovery Plan for Europe. Member states have also been encouraged to use their Recovery and Resilience Facility funding to boost their cybersecurity measures and match EU levels of funding. The stated objective is “to reach up to €4.5 billion of combined investment from the EU, the member states and the industry, notably under the Cybersecurity Competence Centre and Network of Coordination Centres, and to ensure that a major portion gets to SMEs”.
The proposed Critical Entities Resilience (CER) Directive will expand both the scope and depth of the 2008 European Critical Infrastructure directive. Ten sectors are now covered: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space. Under the proposed directive, member states will each adopt their own national strategies and carry out regular risk assessments.
It now falls to the European Parliament and the Council to examine and adopt the proposed NIS 2 Directive and the Critical Entities Resilience Directive, processes that have progressed during 2021 since the strategy was presented in December 2020. Once the proposals are agreed and adopted, member states will be required to transpose them into national law within 18 months of their entry into force. The Commission will periodically review NIS 2 and report on the review for the first time 54 months after its entry into force.