Critical sectors such as transport, energy, health or finance are increasingly dependent on digital technologies. The EU aims to achieve a high level of cybersecurity through innovation, cooperation and support to public and private actors.
At the end of the European Council meeting on 16 December 2021, Heads of State and Government invited the Council to take forward work on the Strategic Compass defining a common strategic vision for the next decade and making the best use of the EU’s civilian and military toolbox[1]. This issue, which includes cyber defence and cyberspace, was already mentioned by Commission President von der Leyen in her State of the Union address, where she stressed the need for a European cyber defence policy, including a new European law on cyber resilience[2].
In recent years, the issue of cyber defence has become increasingly prominent at national and international level, given the constant increase in the number and sophistication of cyber-attacks. The proliferation of attempts to steal data, interrupt services, and compromise technological infrastructures is even more worrying if we consider that the attacks are carried out by an increasingly numerous variety of actors, including both state and non-state actors. Furthermore, the pandemic has accelerated the digitalisation of our society, making all the risks associated with cybersecurity even clearer.
Currently, the primary objectives of cyber security – at national, European and international level – are the containment of cybercrime, the protection of critical information infrastructures and the protection of personal data in digital form. The achievement of these goals relies on the government action of individual states, as the main actors responsible for national security and economic growth, but also crucially depends on the implementation of European and international cooperation and the necessary institutionalisation of public-private partnerships.
The European legislative and institutional framework
The EU started working on cyber security in the early 2000s. The first documents attempt to identify priority areas for network security and remain significant precisely because of the insight they give into the original approach and priorities of the Union. It is noteworthy that the specific term ‘cybersecurity’ does not appear in these early documents and will not emerge until the 2008 report on the implementation of the 2003 European Security Strategy. Until then, the terms ‘cybercrime’ and ‘protection of personal data and critical infrastructures’ will be used, without explicit reference to the broader concept of cybersecurity.
A momentous year for the advancement of cybersecurity in Europe was 2004, as the Union adopted Regulation (EC) 460/2004 establishing the European Network and Information Security Agency – better known by its acronym ENISA – “[t]o ensure a high and effective level of network and information security within the Community and to develop a culture of network and information security”[3]. The mission of the Agency is to assist the Commission and the Member States by enhancing their capability to prevent, address and respond to network and information security problems, by providing them with assistance and expertise and by contributing to the general development of a high level of competence. Finally, the agency contributes to the promotion and dissemination of a new security culture, so that the issue of cybersecurity is properly addressed at European and especially national level, through the provision of appropriate legal means. ENISA’s main activity is to coordinate the work of the Member States and to foster intra-European dialogue through the development of guidelines and the identification of best practices. ENISA’s task is to promote a real change of mindset, fostering a new culture of network and information security, based on trust, transparency and information sharing. ENISA’s goal is also to increase technological expertise by organising exercises that bring together the know-how of leading experts in Europe and beyond to increase the chances of adequately addressing risks in cyberspace.
In 2013, the first European Union Cyber Security Strategy[4] was approved. The document is the result of joint work by the Commission and the High Representative and sets out the EU’s vision of cybersecurity and the necessary actions to be taken to ensure the security of all citizens and states. At the outset, the strategy seeks to highlight the importance of ICT in the modern age, which has become a fundamental aspect of social life and economic growth in European countries, as well as a critical resource on which much of industry relies. The dependence of the industrial sector and much of the national critical infrastructures on digitised systems and the internet as a whole is growing, and so are the risks. It is therefore a declared objective for Europe to equip itself with the necessary tools to be able to prevent and possibly react to possible cyber-attacks, which can cause considerable damage and affect the security of countries. The main aim of the strategy, as is also stated in the title, is to ensure an ‘open and secure’ cyberspace, which is accessible to all and, at the same time, equipped to ensure the confidentiality of the data and information it contains. The Union’s task is to promote the application of principles, rules and values that are already valid in the physical dimension, also in the digital dimension. Fundamental rights, democracy and the rule of law should also be protected in cyberspace. The document outlines five key priorities to be able to deal with threats emanating from cyberspace: achieving cyber resilience; drastically reducing cybercrime; developing a cyber defence policy and capabilities linked to the Common Security and Defence Policy (CSDP); developing industrial and technological resources for cyber security; creating a coherent international EU policy on cyberspace; and promoting the EU’s founding values.
In terms of key values, the strategy states the importance of always acting in a spirit of shared responsibility, which allows cybersecurity to be treated as a global issue. The adoption of a cross-national and cross-European perspective is essential if international cooperation is to be effective, given the borderless nature of cyber issues. The actual concept of cooperation underlies the entire document. This cooperation is understood both at the national level, concerning the creation of public-private partnerships; at the European level, about the importance for states and relevant EU institutions and agencies to communicate and act together within the EU; and finally, at the international level, with other state and non-state actors. This priority is the landmark of the EU cyber strategy.
New institutional initiatives in cybersecurity management
Regarding the latest developments at European level, crucial is the so-called ‘NIS Directive’[5], adopted by the European Parliament in July 2016, on measures for a common high level of security of networks and information systems in the European Union. It was created with the aim of defining minimum provisions on planning, information exchange, cooperation and security obligations common to all EU Member States, in particular to operators of essential services and digital service providers operating there. The directive came into force in August 2016 and sets a period of two years within which states will have to transpose its content into their national law. As regards the content of the directive, it provides for a series of actions aimed at increasing the level of security of networks and information systems throughout the European Union.
On 27 June 2019, Regulation (EU) 2019/881[6], also known as the Cybersecurity Act or CyberAct, entered into force, strengthening the role of ENISA and establishing an EU framework for the introduction of European systems for certifying the cybersecurity of products, services and processes. The Regulation aims to secure the digital single market, to promote a high level of cybersecurity, cyber resilience and trust within the Union. Regarding the role entrusted to ENISA, however, the CyberAct has provided for new competencies, including that related to the achievement of a high common level of cybersecurity in the Union, also by actively supporting Member States, institutions, bodies and organs of the Union in the actions to improve best practices.
As cyber-threats and cyber-crimes are rising in quantity and complexity, the EU is working to improve its response capabilities and safeguard the integrity, security and resilience of digital infrastructure as well as communication networks and services. A stronger cybersecurity response can ensure greater confidence in digital technology and protect open and secure cyberspace. At the extraordinary European Council in October 2020, EU leaders called for strengthening the EU’s capacity to protect itself against cyber threats, to provide a secure communication environment, notably through quantum cryptography, and to ensure access to data for law enforcement and judicial purposes.
In March 2021, the Council adopted conclusions on the EU Cyber Security Strategy[7], which was presented by the European Commission and the High Representative in December 2020. The strategy sets out the framework for EU action to protect EU citizens and businesses from cyber threats; promote secure information systems; and protect a global, open, free and secure cyberspace. The conclusions, which note that cybersecurity is essential for building a resilient, green and digital Europe, set the fundamental goal of achieving strategic autonomy while maintaining an open economy. This also implies strengthening the capacity to make autonomous choices in cybersecurity to enhance the EU’s technological leadership and strategic capabilities[8]. The new cyber-security strategy aims to safeguard a global and open internet, while at the same time offering guarantees, not only to ensure security but also to protect European values and the fundamental rights of all. In addition, the Commission is making proposals to address both cyber and physical resilience of critical entities and networks: a revision of the NIS Directive and a new Critical Entities Resilience Directive[9]. New policy initiatives include: a European cyber shield made up of security operations centres; a joint cyberspace unit bringing together all communities working in cyberspace; European solutions to strengthen global internet security; a regulation to ensure a secure internet of things; a toolkit for cyber diplomacy; enhanced cooperation in cyber defence; a UN Programme of Action on international security in cyberspace; cyber dialogues with third countries and NATO; and an EU agenda for external cyber capacity building.
The European recovery plan, with the EUR 1.840 billion of the Next Generation EU and the new multiannual financial framework, must focus on a digital transition accompanied by a cybersecurity strategy that also aims at European autonomy in a particularly strategic sector. The European Parliament has approved specific programmes, such as Digital Europe, which has earmarked EUR 1.7 billion for this sector, including the creation of a centre of competence in Bucharest. The eight billion European Defence Fund can also be used to build physical infrastructure for cybersecurity and support technological development and innovation.
Coordination efforts between Member States, competent national authorities and private companies will be needed to create a climate of mutual trust to share information and thus strengthen European digital leadership. Digital transformation can thus become a European project, providing citizens with a digital society based on European rules and values, which can serve as a model for the rest of the world.
Note
[1] Consiglio europeo, EUCO 22/21, 16 dicembre 2021, Conclusioni.
[2] Commissione europea, Discorso sullo stato dell’Unione 2021 della Presidente von der Leyen, Strasburgo, 15 settembre 2021.
[3] Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency, art. 1.1.
[4] European Commission, JOIN(2013) 1, 7 February 2013, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace.
[5] DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
[6] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
[7] European Commission, JOIN(2020) 18 final, 16 December 2020, The EU’s Cybersecurity Strategy for the Digital Decade.
[8] Council of the EU, Comunicato Stampa 219/21, 22 March 2021, Cibersicurezza: il Consiglio adotta conclusioni sulla strategia dell’UE in materia di cibersicurezza.
[9] European Commission, Press Release, 16 December 2020, New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient.