Roberto Viola, Brussels Taking a cyber leap forward A European response to cyber threats
Taking a cyber leap forwards
Europe must respond to the evolving cyber threat landscape
by Roberto Viola, Director-General, DG CONNECT, European Commission, Brussels
The increased connectedness and the borderless nature of digital communications have put cybersecurity at the forefront of EU policy, leading to the adoption of the first pieces of EU-wide legislation on cybersecurity. Despite this effort, the proliferation of interconnected devices and the rollout of high-capacity communications infrastructure, such as 5G, give rise to a plethora of new vulnerabilities and risks. Moreover, state actors are increasingly employing cyber tools to achieve geopolitical goals. Therefore, the European Union will have to adapt to this evolving threat landscape by developing new responses and by making the most of the legal framework recently adopted.
A robust framework has been put in place
Over the last five years, the European Union has developed a set of measures that has strengthened the cyber resilience of organisations, improved the EU’s ability to respond to external threats and laid the ground for enhancing the security of ICT products, services and processes.
With the adoption in 2016 of the Directive on security of network and information systems (NIS Directive)¹, the European Union has developed its first cybersecurity legislation. The directive requires Member States to ensure that key companies in essential sectors, such as energy or transport, take appropriate security measures and notify national authorities of cyber incidents. It has served as a catalyst for Member States, triggering real change on the ground.
However, the NIS Directive is much more than just a set of common rules. It has also established the Cooperation Group, a forum where Member States exchange experiences, align regulatory approaches and build trust. The group serves as a platform for developing common approaches on a wide variety of subjects, such as election security, sector-specific alignment and security of 5G networks.
In order to address the external dimension of cybersecurity, the Council, with the support of the European External Action Service, has developed the Cyber Diplomacy Toolbox. The framework consists of a number of measures, including a new sanctions regime adopted in May 2019. The regime enables the EU to put in place targeted restrictive measures to deter and respond to external cyber-attacks. It allows the EU to impose sanctions on individuals and entities, including travel bans and freezing assets.
The recently adopted Cybersecurity Act² illustrates in a powerful manner that cybersecurity has evolved into a priority at EU level: fifteen years after its foundation, ENISA, the European Union Agency for Cybersecurity, has now been given a permanent mandate, more resources and new tasks related to cybersecurity certification and operational support in the case of cyber-attacks. The act also puts in place a legal framework for EU-wide cybersecurity certification schemes to improve the security of ICT products, services and processes. The Commission has already asked ENISA to prepare a first candidate scheme and more will follow. We are also exploring the introduction of mandatory schemes in priority areas.
Cyber resilience remains a priority
The Commission will continue to work to increase the Union’s cyber resilience. European Commission President-elect Ursula von der Leyen has proposed to set up a Joint Cyber Unit to prevent, respond to, but also investigate cybersecurity incidents. The purpose is to speed up information sharing and bring cooperation between Member States and EU institutions to a new level. This initiative will build on existing work on rapid emergency response, notably on the Blueprint, a set of commonly agreed procedures ensuring a coherent Union-wide response in the event of a large-scale cyber incident.
Creating a real single market for cybersecurity will remain an important priority for the Commission. This will entail enhancing Europe’s technological sovereignty. We will invest in technologies such as blockchain, high-performance computing and algorithms. The next multiannual financial framework 2021-2027 will provide funding opportunities for cybersecurity under two programmes: Horizon Europe to promote research and the Digital Europe Programme (DEP) for deployment. The DEP will set aside almost 10 billion euros of funding, exclusively earmarked for supercomputing, artificial intelligence, cybersecurity, advanced digital skills, and ensuring a wide use of digital technologies across the economy and society. We also intend to push for a swift adoption of the Commission’s proposal for a European Cybersecurity Competence Network and Centre.³ By managing the cybersecurity funds under the next multiannual financial framework, the initiative will help to create an interconnected, Europe-wide cybersecurity industrial and research ecosystem.
Technological sovereignty
Technological sovereignty also means defining our own standards for crucial new-generation technologies. For example, the Member States, with the support of the Commission and ENISA, have just concluded a coordinated EU-wide risk assessment on 5G security under the NIS Cooperation Group. The results will feed into a toolbox of mitigating measures by the end of the year. It will address the 5G risks identified by Member States and facilitate a common approach.
In our endeavour to strengthen the single market, we will also make the most of existing instruments. For instance, we intend to develop more certification schemes in the coming years, such as on Internet of Things devices or cloud computing. This will happen in very close cooperation with national experts and representatives from the private sector. 5G networks and equipment are an obvious candidate for a future scheme, complementing the work currently undertaken by the Cooperation Group. In addition, the Commission will review the functioning of the NIS Directive at the latest by spring 2021.
The last five years have put cybersecurity at the top of the political agenda and we have been able to lay crucial groundwork at the EU level. We have recently witnessed some of the largest cyber incidents to date. Malware attacks such as WannaCry and NotPetya have generated global costs in the range of billions of dollars. They have demonstrated the relevance of our cross-border policy response to cyber risks. Given the continued importance of cybersecurity, we must now breathe life into the EU’s newly established legal framework and push for another round of ambitious steps forward.
DG CONNECT
The Directorate-General for Communications Networks, Content and Technology (DG CONNECT) is the European Commission department responsible for developing a digital single market to generate smart, sustainable and inclusive growth in Europe. The EU has adopted a wide range of measures to shield the European Digital Single Market and protect infrastructure, governments, businesses and citizens. These measures include, amongst others, the Directive on security of network and information systems (NIS), the EU Cybersecurity Act, and the European Cybersecurity Certification Network. DG CONNECT issued a brochure on how the EU works on many fronts to strengthen cybersecurity and cyber resilience:
Roberto Viola has been the Director-General of the European Commission’s Directorate-General for Communications Networks, Content and Technology (DG CONNECT) since 2015. He holds a Doctorate in Electronic Engineering and a Master’s degree in Business Administration (MBA). From 1985 onwards, Mr Viola served in various positions including as Head of Telecommunication and Broadcasting Satellite Services at the European Space Agency (ESA). Prior to his current post, Mr Viola was the Deputy Director-General of DG CONNECT.
1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
2 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013.
3 Proposal for a Regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres.