New European cybersecurity package
Securing network and information systems in the EU is essential to keep the online economy running and to ensure prosperity. The European Union works on a number of fronts to promote cyber resilience across the EU. In view of a dynamically evolving threat landscape and building on the review of the 2013 EU cybersecurity strategy, tackling the cybersecurity perils together was one of the three challenges identified in the mid-term review of the Digital Single Market.
On 13 September 2017, the Commission adopted a cybersecurity package. The package builds upon existing instruments and presents new initiatives to further improve EU cyber resilience and response.
For an enhanced cyber resilience
ENISA – the European Union Agency for Network and Information Security – has a key role to play but is constrained by its current mandate. The Commission presents an ambitious reform proposal, including a permanent mandate for the agency to ensure that ENISA can provide support to Member States, EU institutions and businesses in key areas, including the implementation of the NIS Directive. It will also contribute to stepping up both operational cooperation and crisis management across the EU.
A single cybersecurity market
The growth of the cybersecurity market in the EU – in terms of products, services and processes – is held back in a number of ways, also due to lack of a cybersecurity certification scheme recognised across the EU. The Commission is therefore putting forward a proposal to set up an EU certification framework with ENISA at its heart.
A joint Commission-industry initiative will also be launched to define a ‘duty of care’ principle to reduce product and software vulnerabilities and promote a ‘security by design’ approach for all connected devices.
The NIS directive
It is necessary to swiftly implement the NIS directive (Directive on security of network and information systems), adopted in July 2016. This will be facilitated thanks to Commission guidance on how the Directive should operate in practice and additional interpretation of specific provisions included in the September 2017 package.
Blueprint for rapid emergency response
The Commission presents a blueprint so that the EU has in place a well-rehearsed plan in case of a large-scale cross-border cyber incident or crisis. It sets out the objectives and modes of cooperation between the Member States and EU Institutions in responding to such incidents and crises, and explains how existing Crisis Management mechanisms can make full use of existing cybersecurity entities at EU level.
The EU strongly promotes the position that international law, and in particular the UN Charter, applies in cyberspace. As a complement to binding international law, the EU endorses the voluntary non-binding norms, rules and principles of responsible State behaviour that have been articulated by the UN Group of Governmental Experts. It also encourages the development and implementation of regional confidence building measures, both in the Organisation for Security and Co-operation in Europe and other regions.
On a bilateral level, cyber dialogues will be further developed and complemented by efforts to facilitate cooperation with third countries to reinforce principles of due diligence and state responsibility in cyberspace.
The recently adopted framework for a joint EU diplomatic response to malicious cyber activities (the ‘cyber diplomacy toolbox’) sets out the measures under the Common Foreign and Security Policy, including restrictive measures which can be used to strengthen the EU’s response to activities that harm its political, security and economic interests. Implementation work on the Framework is currently ongoing with Member States and would also be taken forward in close coordination with the Blueprint to respond to large scale cyber incidents.
The Commission will present concrete proposals in early 2018 to facilitate swift cross-border access to electronic evidence.