The EU is taking actions to prevent, detect, respond to and deter cybersecurity incidents.
Today much of our life happens online. To make sure that we are secure there, we need to invest in our cybersecurity: in our skills, in experts, in secure hardware, software and in the security of critical services (such as transport, energy, or finances). We need to ensure quick information sharing between authorities and agencies tackling cyber incidents and we need to boost our cyber resilience.
Everyone should be able to live their digital lives securely. The European Commission is helping to ensure this by:
1. Boosting the security of entities in a number of critical sectors and hardware and software products, such as connected things
2. Strengthening collective capabilities to respond to major cyberattacks
3. Working with partners around the world to ensure international security and stability in cyberspace
The Commission’s approach to cybersecurity is shaped by 4 principles:
1. Prevent
2. Detect
3. Respond
4. Deter
1. Prevent
NIS2 Directive
The NIS 2 Directive helps to boost the overall level of cybersecurity in the EU.
It extends the scope of the first NIS Directive to a wider range of operators, improving resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole.
It aims to build:
- A culture of security
- Member States’ preparedness
- Better cooperation among Member States
Member States have to transpose the Directive by 17 October 2024.
Cybersecurity Act (Certification)
- Creates a European cybersecurity certification framework
- Reinforces ENISA, the EU agency for cybersecurity
- Complements the Directive on Security of Network & Information Systems (NIS Directive)
Without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers between Member States.
The certification framework will provide EU-wide certification schemes.
Citizens gain transparency on the security characteristics of products and services
Vendors and providers enjoy a competitive advantage to satisfy the growing need for more secure digital solutions
Cyber Resilience Act
Every 11 seconds there is a ransomware attack
Ransomware attacks cost the world roughly €20 billion in 2021
10 million DDoS attacks launched in 2021 around the world
The EU addresses this by introducing the first ever EU-wide legislation of its kind, the Cyber Resilience Act.
The Cyber Resilience Act introduces mandatory cybersecurity requirements for hardware and software products, throughout their whole lifecycle.
Manufacturers must:
- Ensure cybersecurity is taken into account in all phases of their products
- Provide clear and understandable instructions for the secure use of products with digital elements
- Ensure that vulnerabilities are handled effectively for the duration of the support period, in particular by providing security updates to users
- Report actively exploited vulnerabilities and incidents
The Cyber Resilience Act is set to enter into force in the second half of 2024 and manufacturers will have to place compliant products on the Union market by 2027.
Preparedness of Cyber Emergency Mechanism and Cybersecurity Incident Review Mechanism
The Cybersecurity Incident Review Mechanism is part of the Cyber Solidarity Act.
- Review and assess a specific significant cybersecurity incident
- Provide a report with lessons learned and recommendations
This will be carried out by ENISA at the request of the Commission or EU-CyCLONe.
2. Detect
Cyber Solidarity Act
The EU Cyber Solidarity Act reinforces the EU’s solidarity and coordinated actions to detect, prepare and effectively respond to growing cybersecurity threats and incidents.
How?
European Cybersecurity Alert System
- Network of National and Cross-Border Security Operations Centres
- Detect and analyse data and information on cyber threats and incidents
- Provide timely warnings across borders
3. Respond
Cyber Crisis Management
EU-CyCLONe
The European Cyber Crises Liaison Organisation Network is a cooperation network for Member States’ national authorities in charge of cyber crisis management. It supports collaboration, and helps Member States develop timely information sharing and situation awareness.
CSIRTs Network
The network of Computer Incident Response Teams is made up of Member States’ CSIRTs and CERT-EU. Established in 2016, it helps to develop confidence and trust and to promote swift and effective cooperation among Member States.
Cyber Emergency Mechanisms
Part of the Cyber Solidarity Act, Cyber Emergency Mechanisms:
- Strengthen preparedness by testing entities operating in critical sectors
- Build an EU Cybersecurity Reserve with incident response services
- Provide financial support for mutual assistance
4. Deter
As well as actions contained in the above legislation, the Commission is working hard to deter cyber crime through its Cyber Defence Policy and Cyber Diplomacy Toolbox.
Cyber Defence Policy
The EU Policy on Cyber Defence is built around four pillars that cover a wide range of initiatives that will help the EU and Member States:
- Act together for a stronger EU cyber defence
- Secure the EU defence ecosystem
- Invest in cyber defence capabilities
- Partner to address common challenges
Cyber Diplomacy Toolbox
The Cyber Diplomacy Toolbox was adopted in 2017. It contains measures within the EU Common Foreign and Security Policy that can be used against malicious cyber operations directed against Member States.
The Toolbox was complemented by the EU's cybersecurity strategy of 2020, which seeks, among other things, to strengthen EU leadership in cybersecurity.
In 2023, the Council adopted revised guidelines to the toolbox as a response to the increasing sophistication of cyber attacks.
Support for cybersecurity
Funding
- Horizon Europe
- Digital Europe Programme
- Recovery and Resilience Facility
European Cybersecurity Competence Centre
The European Cybersecurity Competence Centre (ECCC) is helping to create an EU-wide cybersecurity industrial and research ecosystem. It will show the best ways to make use of existing resources and expertise across Europe.
Its 5 main objectives are to:
- Contribute to the deployment of the latest cybersecurity technology
- Provide financial support and technical assistance to cybersecurity start-ups
- Support research and innovation based on a comprehensive agenda
- Drive high cybersecurity standards in technology, systems and skills
- Facilitate the cooperation between civil and defence spheres and enhance synergies in relation to the European Defence Fund
The ECCC will achieve this by:
COORDINATION
working with a Network of National Coordination Centres to build a strong cybersecurity community
INVESTMENT
making strategic investment decisions and pooling resources
IMPLEMENTATION
using financial support from Horizon Europe and the Digital Europe Programme
Cybersecurity Skills Academy
76% of employees in cybersecurity-related roles do not have any formal qualifications or certified trainings
56% of companies do not have any women in cybersecurity roles
45% of companies have trouble finding qualified candidates
The cybersecurity skills academy aims to address the above issues and more by bringing together existing cyber skills initiatives. The EU urgently needs professionals with the skills and competences to prevent, detect, deter, and defend the EU against cyberattacks.
The academy builds on four areas of activities:
- Knowledge generation and trainings
- Funding and projects
- Stakeholder involvement
- Measuring progress
The academy has three main goals:
- Close the cybersecurity talent gap
- Strengthen the EU cyber workforce
- Boost EU competitiveness, growth and resilience
ENISA
ENISA is the European Union Agency for Cybersecurity. It is dedicated to building a high level of common cybersecurity across the EU.
- Cybersecurity capacity building
- Operational cooperation and crisis management
- Coordinated vulnerability disclosure
- Market related tasks
- Cybersecurity standardisation and certification
- Policy development and implementation