
Angelika Niebler MEP, Brussels/Strasbourg

How MEPs work to boost Europe’s cybersecurity

Cyber resilience must be at the top of the EU’s political agenda

Cybersecurity issues are becoming a day-to-day struggle for businesses and consumers. The high number of recent cyber-attacks shows us how vulnerable our data and privacy really are. 88% of daily internet users fear that they will become victims of cyber-attacks and 77% are concerned about the use of their personal information on the internet.

Alarming developments

In past years, many people still thought of cyber-attacks as science fiction and a story that makes a good Hollywood movie. However, in recent years, cases of cyber-attacks have increased, such as “WannaCry” in 2017 that infected 300,000 computers in 150 countries, demanding that users hand over money in exchange for codes to de-encrypt files. 80% of European companies have already been the victim of at least one cybersecurity incident.

While in the past, hacking efforts have been more about spying and stealing information, attacks are now more aimed towards sabotaging our critical infrastructure such as electricity and communication networks. In Germany, the national cybersecurity authority, BSI, recorded 157 attacks in the second half of 2018 – 19 of which were against the electricity grid. However, the actual number might be much higher as it is assumed that not all mid-sized infrastructure attacks are reported.

Shaping a European cybersecurity strategy

These developments are alarming. Therefore, years ago, the European Union passed a cybersecurity strategy on how to best prevent and respond to cyber-attacks. The NIS Directive on critical infrastructure (Directive on Network and Information Systems Security) was the first piece of EU-wide legislation to provide legal measures to boost the overall level of cybersecurity in the EU. It was adopted in July 2016 and became fully binding last year. As it stands, the NIS Directive is going to be implemented in all EU Member States. The next important milestone in the EU-wide cybersecurity strategy was the adoption of the Cybersecurity Act last year.
As rapporteur of the Cybersecurity Act in the European Parliament, I strongly believe that cybersecurity is not only a national issue, but it also needs a European answer. Therefore, the European Parliament supported and strengthened the Commission’s proposal for a strong cybersecurity unit at an EU level and a European framework for cybersecurity certification. Europe needs a cyberspace that is safe and secure, and the Cybersecurity Act largely contributes to this target. The European Parliament stressed that cybersecurity is not only about protecting critical infrastructure and industry, but about users’ confidence in the safety of their connected devices. Thus, in increasing the cyber resilience in Europe, it must be our objective to look at and evaluate the whole cyber ecosystem.

The European Parliament worked hard to ensure a strong European response to the increasing number of threats. The result is the establishment of a European cybersecurity certification framework, which will be implemented on a voluntary basis to begin with. However, the European Commission is obliged to assess whether some certification schemes should be made mandatory, in particular in view of critical infrastructures. These certifications will be a common European approach and will be valid throughout the EU. The dynamic and risk-based certification schemes will be market-oriented and will also take into account globally relevant international standards. The European Parliament also strengthened stakeholders’ involvement in the certification process. Furthermore, we required that the European Commission create a work programme on upcoming certification schemes for more transparency. And, last but not least, ENISA, the European cybersecurity agency, will have a permanent mandate and a much stronger role.

by Prof Dr Angelika Niebler MEP, Rapporteur for the Cybersecurity Act in the European Parliament, Brussels/Strasbourg

Prof Dr Angelika Niebler MEP has been a Member of the European Parliament since 1999. She is a Member of the Committee on Industry, Research and Energy and a Substitute Member of the Committee on Legal Affairs. Since November 2018, Professor Niebler has been President of the Economic Advisory Committee Bavaria, and she has been the Party Vice-Chair of the CSU since 2015. She was appointed Honorary Professor at the Faculty of Business Management at the Munich University of Applied Sciences in 2016.

What internet users can do

As already addressed, the European Parliament wants to make sure that all users of Internet of Things (IoT) devices can place their trust in the safety and security of their products. With more and more devices and services connected to the internet, users are increasingly put at risk of cyber-attacks. By 2020, the vast majority of our digital interactions will be machine-to-machine with tens of billions of IoT devices.

As we all know, humans are often the biggest security risk. We do not change our passwords regularly or protect our home routers and smart home appliances. However, every user can help to create a safe environment and therefore, has to play an active role. In order to support the user, product information for smart devices must now be provided, so that users are given guidance and learn about secure configurations and maintenance of their devices, availability and duration of updates and known vulnerabilities. If users follow these recommendations, it will provide for more cybersecurity and resilience.

Furthermore, the Cybersecurity Act also asks for cybersecure default configurations and cybersecurity by design applications. This means that undertakings, organisations and the public sector should configure the ICT products, services or processes defined by them in a way that ensures a higher degree of security and therefore provides the first user with a default configuration including the most secure settings possible and no burden on the user to configure the product themselves. It also means that security measures should be implemented at the earliest stage of the design and development to allow for the highest possible degree of cybersecurity from the very beginning and throughout its entire lifecycle. All future cybersecurity certification schemes have to be designed in a way that addresses these security objectives.

Thanks to the European Parliament, security and resilience now have to be built in by default and by design more adequately to ensure our internet connected devices are more secure.

The way ahead

The next effort at an EU level to strengthen cybersecurity in the Union is the establishment of a network of cybersecurity industrial, technology and research centres. These centres shall be a common platform to share expertise, help deploy cybersecurity products and solutions and build up strategic cooperation between industry, research and governments. The digital world provides a lot of opportunities for society and industry. However, in order to create a prosperous European Digital Single Market, we have to improve on cybersecurity, trust and privacy! The topic of cybersecurity and how to build up cyber resilience and expertise must continue to be at the top of our political agenda in the EU.

The Cybersecurity Act of 17 April 2019

This new regulation strengthens the European Union Agency for Cybersecurity (ENISA) by granting the agency a permanent mandate, reinforcing its financial and human resources and overall enhancing its role in supporting the EU to achieve a common and high level of cybersecurity. The Cybersecurity Act establishes the first EU-wide cybersecurity certification framework to ensure a common cybersecurity certification approach in the European internal market and ultimately improve cybersecurity in a broad range of digital products and services.

Web: https://bit.ly/2OLS5ri