Cybersecurity: an overview of EU level policy trend

By July 27, 2017EU insight

By Ana-Isabel Llacayo

Cybersecurity has recently become a priority for the development of the European Union’s Digital Single Market. Estonia, long recognised as the leading EU Member State in this field, is seeking to promote this issue under its Presidency of the European Council. Their willingness to strengthen the digital integration reinforces the recent achievements accomplished by the European Commission in the improvement of legislation for the enhancement of cyber resilience in Europe.

Accordingly, the Network Information Security Directive (the NIS Directive) is the first EU-wide legislation on cybersecurity. Considered as the main tool in support of cyber resilience, it aims to boost the overall level of cybersecurity in a more harmonised EU and counter market fragmentation. These priorities will be supported by the designation of national points of contact in the event of cyber crisis, the definition of member states’ operators of essential services and their national cybersecurity strategies.

Beside legislative developments, large scale cyber-attack have shaken the international community with the recent wave of high-profile ransomware cyberattacks. The WannaCry cyber-attack was the first time where Member States exchanged information on cybersecurity incidents within the mechanism for operational cooperation under the NIS Directive, the so-called Computer Security Incident Response Teams network (CSIRTs). From another perspective, cyber-attacks gained public visibility during the presidential elections in the US and in France through email infiltration. Hence, the public awareness of cybersecurity risks has given increased impetus to the need for more legislative intervention in the area.

The European Commission has taken the lead for the EU-level response with the upcoming cybersecurity strategy, that will be published by September this year. By reviewing the 2013 one, the new strategy will be more adapted to current needs and threats as well as engage the industry perspective under the public-private cooperation in the field. While targeting the exchange of information and cooperation, the strategy will contribute to make of the EU a key player in the cybersecurity international arena.

Within the context of the new cybersecurity strategy, there is expected to be a revision of the mandate of the European Network Information System Agency (ENISA). After rising questions over the past years, ENISA is given under the NIS Directive a strong advisory role on EU policy implementation, information and best practices sharing, in addition to responsibilities in running cyber exercises and supporting the CSIRTs Network. While being a central cyber-actor, it could also possibly have a role in the implementation of the EU framework for ICT products and services security certification.

At a time when the European Commission and the EU Member States are giving thoughtful consideration to cybercrime and related issues, political resolutions offer an opportunity to shape the stance ahead of future legislative proposals. In this way, the European Parliament will soon release a non-legislative political resolution on the fight against cybercrime, which addresses a wide range of key issues from child sexual abuse material to hotlines and online safety practitioners, and targets the fight against illegal content and the role of intermediaries.

Also, the current challenges of fighting terrorism and serious crime remain at the heart of all political discussions. In this context, it remains fundamental to highlight industry perspectives to public authorities and law enforcement. Although the threat landscape is evolving, new challenges are also posed by deployment of encryption for communications.

Considering the fast-moving aspects of cyberspace, EU institutional stakeholders will ensure resilience by preserving an engagement with the industry, which needs to understand how their corporate operations may be affected by new EU cybersecurity standards.