The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy at the end of 2020.
The Strategy covers the security of essential services such as hospitals, energy grids and railways. It also covers the security of the ever-increasing number of connected objects in our homes, offices and factories, building collective capabilities to respond to major cyberattacks and working with partners around the world to ensure international security and stability in cyberspace. The Strategy outlines how a Joint Cyber Unit can ensure the most effective response to cyber threats using the collective resources and expertise available to the EU and Member States.
Legislation and certification
Cybersecurity threats are almost always cross-border, and a cyberattack on the critical facilities of one country can affect the EU as a whole. EU Member States therefore need strong government bodies that supervise cybersecurity in their country, and those bodies need to work together with their counterparts in other Member States by sharing information. This is particularly important for sectors that are critical for our societies.
The NIS Directive (Directive on security of Network and Information Systems), which all countries have now implemented, ensures the creation and cooperation of such government bodies. This Directive was reviewed at the end of 2020.
As a result of the review process, the proposal for a directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) was presented by the Commission on 16 December 2020.
ENISA – the EU cybersecurity agency
ENISA (the European Union Agency for Cybersecurity, formerly the ‘European Union Agency for Network and Information Security’) is the EU’s agency that deals with cybersecurity. It provides support to Member States, EU institutions and businesses in key areas, including the implementation of the NIS Directive.
The Cybersecurity Act strengthens the role of ENISA. The agency now has a permanent mandate, and is empowered to contribute to stepping up both operational cooperation and crisis management across the EU. It also has more financial and human resources than before.
Our digital lives can only work well if there is general public trust in the cybersecurity of IT products and services. It is important that we can see that a product has been checked and certified to conform to high cybersecurity standards. There are currently various security certification schemes for IT products around the EU. Having a single common scheme for certification would be easier and clearer for everyone.
The Commission is therefore working on an EU-wide certification framework, with ENISA at its heart. The Cybersecurity Act outlines the process for achieving this framework.
Cybersecurity is one of the Commission’s priorities in its response to the coronavirus crisis, as there were increased cyberattacks during the lockdown. The Recovery Plan for Europe includes additional investments in cybersecurity.
Support for research and innovation: Horizon 2020 and cPPP; Horizon Europe
Research into digital security is essential to reach innovative solutions that can protect us against the latest, most advanced cyber threats. That is why cybersecurity is an important part of Horizon 2020 and its successor Horizon Europe.
In Horizon Europe, for the period 2021-2027, cybersecurity is part of the ‘Civil Security for Society’ cluster. The Work Programme 2021-2022 is currently under preparation.
As part of Horizon 2020, the Commission cofunded research and innovation into topics such as cybersecurity preparedness through cyber ranges and simulation, cybersecurity for small and medium enterprises, cybersecurity in the electrical power and energy system, and cybersecurity and data protection in critical sectors. These topics fall under the cluster “Secure societies - Protecting the freedom and security of Europe and its citizens”.
In 2016, the Horizon 2020 contractual Public Private Partnership (cPPP) on cybersecurity was established between the European Commission and the European Cyber Security Organisation (ECSO), an association consisting of members from cyber industry, academia, public administrations and more.
Support for cyber capacities and deployment
Our physical and digital infrastructures are very closely intertwined. Therefore, the Commission also invests in cybersecurity as part of its infrastructure investment funding programme, the Connecting Europe Facility (CEF), for the period 2014-2020.
So far, CEF support has gone to computer security incident response teams, operators of essential services (OES), digital service providers (DSPs), single points of contact (SPOC) and national competent authorities (NCAs). This enhances the cybersecurity capabilities and the cross-border collaboration within the EU, supporting the implementation of the EU Cybersecurity strategy.
The upcoming Digital Europe Programme, for the period 2021-2027, is an ambitious programme that plans to invest €1.9 billion into cybersecurity capacity and the wide deployment of cybersecurity infrastructures and tools across the EU for public administrations, businesses and individuals.
Cybersecurity is also a part of InvestEU. InvestEU is a general programme that brings together many financial instruments and uses public investment to secure further investment from the private sector. Its strategic investment facility will support strategic value chains in cybersecurity. It is an important part of the recovery package in response to the coronavirus crisis.
Cybersecurity Competence Centre and Network; Atlas
To strengthen European cybersecurity capacity, the Commission proposed the creation of a new European cybersecurity industrial, technology and research competence centre and a network of national coordination centres. The proposed centre would pool expertise and align European development and deployment of cybersecurity technology. It would work with industry, the academic community and others to build a common agenda for investments into cybersecurity, and decide on funding priorities for research, development and roll-out of cybersecurity solutions (through the Horizon Europe and Digital Europe Programmes).
Currently, four pilot projects are running to lay the groundwork for the Competence Centre and Network. They involve more than 170 partners.
For a better overview of cybersecurity expertise and capacity across the EU, the Commission has developed a comprehensive platform called the Cybersecurity Atlas.
Blueprint for coordinated response to major cyber-attacks
The Commission's blueprint for rapid emergency response provides a plan in case of a large-scale cross-border cyber incident or crisis. It sets out the objectives and modes of cooperation between the Member States and EU Institutions in responding to such incidents and crises. It explains how existing Crisis Management mechanisms can make full use of existing cybersecurity entities at EU level.
Joint Cyber Unit
As a follow-up, Commission President Ursula von der Leyen announced a proposal for an EU-wide Joint Cyber Unit. This initiative will aim at further coordinating cybersecurity operational capabilities across the EU.
Secure 5G deployment in the EU
5G networks are planned to be rolled out across the EU. They will offer huge benefits, but also have more potential entry points for attackers due to the less centralised nature of their architecture, greater number of antennas and increased dependency on software. The EU Toolbox on 5G sets out measures to strengthen security requirements for 5G networks, apply relevant restrictions for suppliers considered high-risk, and ensure the diversification of vendors.
Securing the electoral process
Our European democracies have become increasingly digital: political campaigns take place online and, in some countries, elections themselves make use of electronic voting.
The Commission has issued recommendations for the cybersecurity of elections for the European Parliament, as part of a broader package of recommendations to support free and fair European elections. A month before the 2019 European elections, the European Parliament, EU Member States, the Commission and ENISA carried out a live test of their preparedness.
Skills and awareness
We can only ensure digital security if we have experts with the right knowledge and skills, and there are currently not enough. That is why the Commission is taking action to stimulate the development of cybersecurity skills.
The Commission prepared a call for a coherent framework for teaching cybersecurity skills in university and professional education. The four pilot projects preparing the cybersecurity competence centre and network, together with ECSO, are currently working on this. There are also recurring initiatives meant directly for students, such as the yearly European Cyber Security Challenge.
Cybersecurity skills fall under the Commission’s general agenda on digital skills. They are also a part of the funding efforts under Horizon 2020, Horizon Europe and the Digital Europe Programme. One example is the funding for ‘cyber ranges’, which are live simulation environments of cyber threats for training.
The human factor is often the weak link in cybersecurity: someone clicking on a phishing link can have huge consequences. Therefore, the Commission raises awareness of cybersecurity and promotes best practices among the general public. For instance, once a year it organises the European Cyber Security Month together with ENISA.
ENISA – the EU cybersecurity agency
Information Sharing and Analysis Centres (ISACs) foster collaboration between the cybersecurity community in different sectors of the economy. Further developing ISACs both at EU level and at national level is a priority for the Commission. In collaboration with ENISA, the Commission also promotes the establishment of new ISACs in sectors that are not covered. The “empowering EU ISACs consortium”, supervised by the Commission, provides legal, technical and organisational support for ISACs.
The Joint Research Centre (JRC) of the Commission is actively contributing to cybersecurity in the EU. For example, the JRC has developed a Cybersecurity Taxonomy. This aligns the terminology used in cybersecurity so that we can have a clearer overview of cybersecurity capabilities in the EU.
The JRC also recently published a report that provides insights into the current EU cybersecurity landscape and its history, entitled “Cybersecurity – our digital anchor”.
Under the NIS Directive, EU Member States are required to ensure that they have well-functioning Computer Security Incident Response Teams (‘CSIRTs’), also known as Computer Emergency Response Teams (‘CERTs’). These teams deal with cybersecurity incidents and risks in practice. They cooperate with each other at EU level, and also work together with the private sector.
All types of operators of essential services and digital service providers have to be covered by designated CSIRTs.
The main tasks of CSIRTs are:
- monitoring incidents at a national level
- providing early warning, alerts, announcements and other information about risks and incidents to relevant stakeholders
- responding to incidents
- providing dynamic risk and incident analysis and situational awareness
- participating in the CSIRTs network
The European Cyber Security Organisation (ECSO) was created in 2016 in order to act as the Commission’s counterpart in a contractual public-private partnership covering Horizon 2020 in the years 2016 to 2020. The majority of ECSO’s 250 members belong either to the cybersecurity industry or to research and academic institutions in the field. To a lesser degree, ECSO’s members also comprise public sector actors and demand-side industries.
Besides making recommendations on Horizon 2020, ECSO carries out various activities aiming at community building and industrial development at European level.
It is important to highlight the role of women in the cybersecurity community, who are underrepresented. That is why the Commission has set up the Women4Cyber Registry, in cooperation with ECSO’s Women4Cyber initiative. It makes it easier for the media, event organisers and others to find the many talented women working in cybersecurity, so these women become more visible and prominent in the cyber community and the public debate.
Other cyber policy areas
Ordinary criminals make use of cyberattacks that threaten Europeans. The Migration and Home Affairs department of the Commission monitors and updates EU law on cybercrime and supports law enforcement capacity, as further described on its webpage. The Commission also works together with the European Cybercrime Centre in Europol.
The EU is making efforts to protect itself against cyber threats from outside its borders. As a part of this, the Commission works together with the European External Action Service and Member States on the implementation of a joint diplomatic response to malicious cyber activities (the ‘cyber diplomacy toolbox’). This response includes diplomatic cooperation and dialogue, preventative measures against cyberattacks, and sanctions against those involved in cyberattacks threatening the EU.
The Commission assists in decision-making on responding to external cyber threats wherever needed. It also directly funds the ongoing EU Cyber Diplomacy Support Initiative.
The EU cooperates on defence in cyberspace through the activities of the European Defence Agency, as well as ENISA, Europol and the Directorate-General in the Commission responsible for defence industry.
Cyber capacity building in third countries
The EU cooperates with other countries to help build up their capacity to defend against cybersecurity threats. The Commission supports various cybersecurity programmes in the Western Balkans and the six eastern partnership countries in the EU’s immediate neighbourhood, as well as in other countries worldwide through its International Cooperation and Development department.