The new EU Commission has made cybersecurity a priority and shared its first roadmap for the future of cybersecurity within the EU. The years ahead promise further initiatives, which will focus on the newly emerging 5G mobile network, on improving information sharing on cyber risks, and on further developing existing mitigation strategies in order to protect European critical infrastructures.
A Comment by Esther Kern and Susanne Zels
The NIS Directive: Establishing a cybersecurity baseline
Due to the digitisation of the services and infrastructures on which European industrialised society depends, cybersecurity has become vital to its undisturbed functioning.
Though digitisation has been transforming our industries for some time now, the European Union has only recently launched legislative efforts to increase cyber resilience in Europe.
A key policy initiative was the adoption of the Directive on security of network and information systems (NIS Directive) in 2016. It established a first Europe-wide cybersecurity baseline by obliging EU member states to designate a national regulatory authority for cybersecurity, to develop cyber defense capacities (a Computer Security Incident Response Team, CSIRT), to install the European Union Agency for Network and Information Security (ENISA) and to identify so-called operators of essential services (OES), e.g. electricity grid operators.
In addition, the NIS Directive aimed at strengthening European cooperation and the exchange of information on cybersecurity risks by installing a cooperation group at the European level. Member states had to transpose these measures into national law by May and November 2018.
While some member states (e.g. Sweden, the UK, Germany) were ahead of the NIS Directive in their cybersecurity regulation, many member states lacked a comprehensive national cybersecurity strategy prior to this European measure.
Since 2017, however, all EU member states have been required to have at least a national cybersecurity strategy (NCSS), albeit with varying objectives and approaches. ENISA provides an overview of the strategic objectives of all NCSSs together with good practice examples.
Not all member states have completed transposition of the NIS Directive as of now (e.g. Belgium, Bulgaria and Hungary), and the implementation in national law varies substantially on matters such as regulatory oversight of OES. Since most critical infrastructures in Europe are operated by private entities, the EU has set out on a path of public-private partnerships, seeking cooperation and information sharing with the operators.
European Cybersecurity Act: Securing the internet-of-things
The European Cybersecurity Act came into force in June this year. It provides ENISA with extended competences, new tasks and a permanent mandate, pushes further for European cooperation, and establishes an EU framework for cybersecurity certification. The certification scheme aims to set a common cybersecurity baseline for digital products, processes and services by providing common cybersecurity requirements and evaluation criteria across national markets and sectors.
This is particularly relevant due to the growing number of devices going online (the internet of things) and the correspondingly expanding risk landscape. The certification scheme obliges software and hardware producers that want to certify their products or services to build security into those products from the start (security by design). As of now, however, certification is voluntary.
A review of the scheme in 2023 will assess whether certification should be made compulsory, which is expected to be the outcome of the assessment. Through the Cybersecurity Act the EU hopes to establish an international standard in cybersecurity, similar to the General Data Protection Regulation (GDPR), and to further strengthen consumer protection.
EU Cybersecurity policy: The road ahead
In 2020, two years after the transposition deadline of the NIS Directive, the European Commission will review the member states’ implementation into national law. It is expected that the Commission will raise the cybersecurity baseline in order to improve the overall security standard throughout the EU, as well as build upon best practices established in national law.
Due to the very heterogeneous implementation to date, the EU might also offer further specifications on the definition of OES and on regulatory oversight. This is particularly relevant since cyber attacks such as WannaCry, which led to disruption of the electrical grid in Ukraine in 2017, also affected businesses EU-wide and illustrate the cross-border relevance of cybersecurity.
It is therefore necessary to establish effective cybersecurity mechanisms in all EU member states in order to raise Europe’s resilience. In addition, future cybersecurity policy will in particular have to focus on strengthening cooperation and information sharing on cyber incidents at EU level.
Another major cybersecurity policy issue the EU has already begun to engage with is the currently developing 5G mobile network. According to the Commission, “security of 5G networks is and will be a top priority in the years to come as they will form the future backbone of our societies and economies, connecting billions of objects and systems, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems.”
Accordingly, a first set of operational measures was recommended in March this year in order to establish a concerted approach to 5G cybersecurity.
Having provided a risk assessment, the Commission and ENISA are due to submit a 5G cybersecurity toolbox by the end of the year to provide member states with more extensive policy advice on 5G risk mitigation. Due to the complexity of 5G technology, cybersecurity risks are expected to be equally complex and challenging.
While political debates about the 5G rollout focus on the geopolitical aspect of installing components from the Chinese hardware producer Huawei, the technical risks of 5G networks are scrutinised far less.
The French President, Emmanuel Macron, proposed creating a European Agency for the Protection of Democracies in March this year, which should “provide each Member State with European experts to protect their election process against cyber attacks and manipulation”. This was also supported by the Chairwoman of the Christian Democratic Party in Germany, Annegret Kramp-Karrenbauer, and suggests that Europe might invest in strengthening its hybrid cyber defense capacities, since hybrid attacks are currently the key method adopted by states such as Russia in order to attack democratic election processes through cyberspace.
Who shapes cybersecurity in the new Commission and what’s the agenda?
“A Europe fit for the digital age” is one of the new EU Commission’s portfolios dealing with the digital readiness and cybersecurity capabilities of the EU.
In her political guidelines for the next five years, Ursula von der Leyen made clear that digitisation (including cybersecurity as a main and important challenge) will be one of her top priorities. Grasping the opportunities of digitisation while addressing safety and ethical concerns is the guiding principle of the new Commission President’s digital agenda.
The President of the European Commission wants to achieve two things: the completion of the Digital Single Market and a “real” single market for cybersecurity. Here, she once again puts the focus on the policy tool of certification, as well as on updated security rules and rapid emergency response strategies.
In order to achieve these goals, the new Commission announced several concrete pieces of legislation:
1. A coordinated European approach to the human and ethical implications of Artificial Intelligence within the first 100 days of her presidency.
2. A new Digital Services Act, which provides for upgraded liability and safety rules for digital platforms, services and products and is supposed to complete the Digital Single Market.
3. Most importantly, a joint Cyber Unit for speedier information sharing within the EU as well as a better protection mechanism.
Additionally, a main focus in addressing cybersecurity will be the definition of joint European standards, as in the area of 5G networks and new hyperscale technologies (e.g. blockchain, quantum computing). The President-elect made several organisational changes to the EU Commission in order to deliver in this area, and three portfolios will now be essential to the future of European cybersecurity policy:
“Europe fit for the digital age” with oversight of DG Competition, led by Margrethe Vestager; “Innovation and Youth” with oversight of the DG for Research and Innovation, led by Mariya Gabriel; and the “Internal Market”, which includes oversight of DG Communications Networks, Content and Technology (DG CNECT), DG Internal Market, Industry, Entrepreneurship and SMEs (DG GROW) and the new DG for Defense Industry and Space.
The latter includes oversight of ENISA, the establishment of the joint Cyber Unit, the lead on the Digital Services Act, and investments in new technologies in order to enhance Europe’s technological sovereignty. Therefore, the “Internal Market” portfolio will have the most impact on the future of the cybersecurity agenda.
This “super” portfolio was supposed to be led by Sylvie Goulard. But due to allegations that she had used a European Parliament assistant for domestic political work, and because of her high remuneration for work for a U.S. think tank, she was rejected by the European Parliament.
On 24 October, Macron proposed Thierry Breton as a substitute, the former French Minister of Finance and current chairman and CEO of ATOS SE, an international IT services company. Breton is an advocate of developing capabilities in the area of super- and quantum computing and of making cybersecurity a priority for companies. ATOS is one of 16 companies that joined the Charter of Trust initiated by Siemens.
The aim of this charter is to improve trust in cybersecurity infrastructure by, among other things, a security-by-default principle, responsibility throughout the digital supply chain and mandatory independent security certification. It remains to be seen what concrete initiatives Breton will propose, if he is indeed confirmed as EU commissioner.
Vestager will be mainly responsible for the ethical guidelines for AI, will coordinate work on the Digital Services Act, and is, in theory, the digital chief of the EU Commission, while Gabriel is responsible for the implementation of the Horizon Europe programme and for securing sufficient investment in the area of disruptive research.
Furthermore, it remains to be seen how ENISA, under its new chief, will fulfil its new role as a permanent institution with extended competences, an increased budget and a key role in the implementation of the Cybersecurity Act (which includes drafting the initiatives concerning the EU cybersecurity certification schemes).
Juhan Lepassaar took over in mid-October after the ten-year tenure of Dr. Udo Helmbrecht. Lepassaar comes into office with a different profile than Helmbrecht. While Helmbrecht was the head of the German Federal Office for Information Security prior to his post at ENISA and was widely acknowledged for his technical expertise, Lepassaar has a track record in managing key political files within the EU and, as Head of Cabinet for Vice-President Andrus Ansip, Commissioner for the Digital Single Market, was responsible among other issues for drafting the Cybersecurity Act.
Cybersecurity seems to have reached priority status within the European Commission. However, it remains to be seen where this path will lead the EU, what concrete actions and legislation the announced intentions will translate into, and whether this pledge of priority will be backed up by financial as well as other resources.
Esther Kern is research fellow at the Brandenburg Institute for Society and Security working on issues related to civic security, in particular cybersecurity. She has a bachelor’s degree in political science and a master’s degree in North American Studies. At Polis180, she is head of the program area The America(n)s.
Susanne Zels is project manager at the German Federal Association of Energy and Water Industries working on issues related to critical infrastructures and civil security research. She has a bachelor’s degree in history and politics, two master’s degrees in international relations and social sciences and is currently doing a PhD on the European strategy for critical infrastructure protection at the Free University Berlin. At Polis180 she has previously led the program area European Identity and has been a member of the board as well as co-president.
About European Cyber Security Month: ECSM is an EU awareness campaign that promotes cyber security among citizens and organizations, raising awareness of the importance of information security and highlighting the simple steps that can be taken to protect their data, whether personal, financial and/or professional. Its main goal is to raise awareness, change behaviour and provide resources to everyone on how to protect themselves online. The European Union Agency for Network and Information Security (ENISA), the European Commission DG CONNECT and partners deploy the ECSM every October.
The Polis Blog serves as a platform at the disposal of Polis180’s members. Published comments express solely the authors’ opinions and shall not be confounded with the opinions of the editors or of Polis180.