OREANDA-NEWS. Cybersecurity incidents cause major economic damage of hundreds of billions of euros each year to European businesses and the economy at large. Such incidents undermine trust in the digital society: theft of commercial trade secrets and business information, personal data breaches, and disruption of services and infrastructure all contribute to these losses.

According to a recent survey, at least 80% of companies in Europe have experienced at least one cybersecurity incident over the last year and the number of security incidents across all industries worldwide rose by 38% in 2015, compared to 2014.

What is the Commission already doing to strengthen cybersecurity?

Since the adoption of the EU Cybersecurity Strategy in 2013, the European Commission has stepped up its efforts to better protect Europeans online. It has adopted a set of legislative proposals, in particular on network and information security, earmarked more than €600 million of EU investment for research and innovation in cybersecurity projects during the 2014-2020 period, and fostered cybersecurity cooperation within the EU and with partners on the global stage.

But more work is needed to address the increasing number and complexity of cyber-threats. This is why the Commission proposes today a series of measures to reinforce cooperation to secure Europe's digital economy and society, and to help develop innovative and secure technologies, products and services throughout the EU.

More information on EU cybersecurity initiatives can be found in this factsheet.

What does the Commission plan to do now?

The Commission has proposed an action plan to further strengthen Europe’s cyber resilience and its cybersecurity industry. This includes measures to:

  • Step up cooperation across Europe: the Commission encourages Member States to make the most of the cooperation mechanisms under the forthcoming Network and Information Security (NIS) Directive and to improve the way in which they work together to prepare for a large-scale cyber incident. This includes more work on education, training and cybersecurity exercises (such as ENISA's Cyber Europe exercises).
  • Support the emerging single market for cybersecurity products and services in the EU: for example, the Commission will explore the possibility of creating a framework for certification of relevant ICT products and services, complemented by a voluntary and lightweight labelling scheme for the security of ICT products; the Commission also suggests possible measures to scale up cybersecurity investment in Europe and to support SMEs active in the market.
  • Establish a contractual public-private partnership (PPP) with industry to nurture cybersecurity industrial capabilities and innovation in the EU.

I. Stepping up cooperation and improving capacities

Why does the Commission need to propose more steps on cybersecurity cooperation?

The EU Cybersecurity Strategy and the forthcoming NIS Directive already lay the groundwork for improved EU-level cooperation and cyber resilience.

However, the threat level is constantly evolving, and handling a large-scale cyber incident involving several Member States simultaneously will be challenging. EU-level cooperation is therefore essential for dealing both with a possible large-scale cyber attack affecting several Member States and with smaller-scale but potentially more frequent cyber incidents. A blueprint for a coordinated reaction, based on cross-border exchange of information, will be needed to address such incidents in the most efficient way. Cybersecurity has to be integrated into existing crisis management mechanisms and procedures. This also requires better cooperation and more rapid information-sharing mechanisms between sectors and among Member States to respond to, and contain, such incidents.

How do these plans link to the NIS Directive?

The forthcoming NIS Directive establishes two coordination mechanisms:

  • the Cooperation Group which supports strategic cooperation and exchange of relevant information related to cyber incidents among Member States, and
  • the Network of Computer Security Incident Response Teams (so-called CSIRT network) which promotes swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.

Given the nature and multitude of cyber threats, the Commission encourages Member States to make the most of these mechanisms as well as to enhance cross-border cooperation related to preparedness for a large-scale cyber incident.

How does the Commission propose to enhance cooperation during a pan-EU cyber attack?

In the first half of 2017, the Commission will present a "blueprint", which outlines a coordinated approach to crisis cooperation in case of a large-scale cyber incident. The plan should include a role for EU-level bodies such as the EU Agency for Network and Information Security (ENISA), the EU Computer Emergency Response Team (CERT-EU) and the European Cybercrime Centre (EC3) at Europol, and use tools developed in the context of the network of Computer Security Incident Response Teams. The approach presented in this blueprint should then be regularly tested in crisis management exercises.

Why do we need an information hub to support the exchange of information between the EU bodies and Member States?

Currently, knowledge and expertise on cybersecurity is available in a dispersed and unstructured way. To support the NIS cooperation mechanisms, the aim of an information hub is to pool this information and make it more easily available on request to all Member States that need it. This hub would become a central resource allowing the EU institutions and Member States to exchange information as and when appropriate. The Commission, supported by ENISA and CERT-EU and with the expertise of its Joint Research Centre, will facilitate the creation of the hub and ensure its ongoing sustainability.

What does the Commission propose to do about cybersecurity training?

According to different estimates, demand for the cybersecurity workforce will rise to 6 million globally by 2019, with a projected shortfall of 1 to 1.5 million workers.

Europeans need to have the right skills and training both to prevent cybersecurity incidents and to deal with them when they arise. A lot is happening in this area already, but it is also necessary, for example, to develop civil-military cooperation and look at ways in which both areas can learn from each other on training and exercises, so as to increase resilience and incident-response capabilities. The Commission, in cooperation with Member States, the European External Action Service, ENISA and other relevant EU bodies, will establish a cybersecurity education, exercise and training platform to help in this process.

Why is the Commission looking into additional rules and/or guidance on cyber risk preparedness for critical sectors?

A severe cyber incident in one sector or in one Member State may directly or indirectly have an effect on – or propagate to – other sectors, or across borders. A necessary pre-requisite for addressing cross-sectoral risks is the ability of each individual sector to identify, prepare for and respond to cyber incidents. This is why the Commission will assess the risk resulting from cyber incidents in highly interdependent sectors within and across national borders, in particular on the sectors covered by the NIS Directive such as energy, transport, health or banking. Following this assessment, the Commission will consider if there is a need for further specific rules and/or guidance on cyber risk-preparedness for such critical sectors.

Why does the Commission want to encourage checks of key public network infrastructures?

Public authorities have a role to play in verifying the integrity of key public network infrastructures such as telecoms or energy smart grids, to detect issues, inform the party responsible for these networks and, if needed, provide assistance in fixing known vulnerabilities.

National regulatory authorities could use the capacities of CSIRTs to conduct regular scans of public network infrastructures. Based on the results, they could encourage operators to remedy gaps or address vulnerabilities that such scans identify. This activity could substantially contribute to the security of key internet infrastructures.

The Commission will therefore examine the necessary legal and organisational conditions in order to allow national regulatory authorities – in cooperation with national cybersecurity authorities – to request CSIRTs to conduct regular vulnerability checks of public network infrastructures.

What will be the role of ENISA? Will its mandate be changed?

Since its establishment in 2004 ENISA has been contributing to the overall goal of ensuring a high level of network and information security in the EU.

The Agency works closely with Member States, EU institutions and the private sector to address, respond to and, above all, prevent NIS problems. This includes, among others, managing pan-European cybersecurity exercises, providing key information on NIS issues, such as the yearly cyber threat landscape report, and training.

The Commission is required to evaluate ENISA by 20 June 2018 in order to assess the possible need to extend or review its mandate, which currently expires in 2020. In view of the current cybersecurity landscape, in particular the increasing number and complexity of cyber threats and the forthcoming adoption of the Network and Information Security Directive, the Commission aims to bring the evaluation forward and, subject to its results, present a proposal as soon as possible. The Commission is working to launch the evaluation by the end of this year.

II. The need for a cybersecurity single market

Why is the European Commission proposing market measures related to cybersecurity?

Europe needs high-quality, affordable and interoperable cybersecurity products and solutions. However, the supply of ICT security products and services within the single market remains very fragmented geographically. On the one hand, this makes it difficult for European companies to compete at the national, European and global level; on the other, it reduces the choice of viable and usable cybersecurity technologies that citizens and businesses have access to. No single EU country can overcome this fragmentation alone and help the industry achieve economies of scale at a European level.

Why would it be relevant to have an EU certification framework for ICT security products?

Certification plays an important role in increasing trust and security in products and services. National initiatives are emerging to set high-level cybersecurity requirements for ICT components in traditional infrastructure, including certification requirements. While these show that the importance of certification is recognised, they bear the risk of fragmenting the single market and of creating interoperability issues. Only a few Member States have effective security certification schemes for ICT products. An ICT vendor might therefore need to undergo several certification processes in order to sell in several Member States. It is also possible that an ICT product or service designed to fulfil cybersecurity requirements in one Member State would not be considered to fulfil similar requirements in another. This is why the Commission will consider options for an EU ICT security certification framework.

Why would it be relevant to have an EU labelling scheme for ICT security products?

Labelling might be a useful tool to help users understand the level of cybersecurity of commercial products and increase their competitiveness in the single market and globally. National initiatives have started to emerge in this respect. Therefore, in addition to certification, the Commission will also explore the creation of a European, commercially oriented, voluntary and lightweight labelling scheme for the security of ICT products.

Why do we need more investment in cybersecurity in the EU?

The cybersecurity sector depends heavily on innovative SMEs, and the problems affecting investment in this area weigh heavily on the capacity to develop the European cybersecurity industry. Innovative SMEs in the field are often unable to scale up their operations because of a lack of easily available funding to support them in the early phases of development. Companies also have limited access to venture capital in Europe, and the budget available to them for marketing to improve their visibility, or to deal with different sets of standardisation and compliance requirements, is inadequate. 75% of respondents to the recent public consultation on cybersecurity felt they lacked sufficient access to financial resources to finance cybersecurity projects and initiatives.