== check against delivery! ==
Introduction – Cybersecurity, a shared responsibility
Mesdames et Messieurs,
C’est avec grand plaisir que je suis avec vous ce matin pour lancer ce Forum et pour vous présenter les activités de l'Union Européenne destinées à rendre notre continent plus sûr et plus compétitif dans le domaine numérique.
I think you will agree with me that our common goal is to make our cyberspace more secure and more trusted. Indeed, I strongly believe that "cybersecurity is a shared responsibility". It concerns all of us.
If we want to make sure that all Europeans can fully enjoy the benefits of the digital world and the Digital Union we aim to foster, we all have to contribute: policy makers, industry, researchers, and citizens.
Context – why do we need to act?
Let me just go back in time for a moment to put things into perspective and to explain where we come from.
When, in early 2013, the European Union adopted the "European Strategy on Cybersecurity", it was a première: for the first time, we sent out the strong message that cybersecurity is a challenge that needs a European response – and that it is a challenge where European action can bring added value to activities carried out by Member States.
In 2013, the European Commission, together with the European External Action Service, set out a joint vision for "an open, safe and secure cyberspace".
Today, the majority of Europeans rely massively on digital technologies, networks and services. In fact – each year, 200 million Europeans buy products and services online.
As for industry, digital technologies and the Internet are nowadays pervasive in sectors such as transport, energy, health or finance, which become more and more dependent on network and information systems to run their core businesses.
Our infrastructure also becomes more interconnected across borders – and will continue to do so: between 2014 and 2020, the European Union will invest more than 28 billion euros in improving trans-European energy and transport infrastructure.
However, as our economies become more interconnected and digitalised, they also become much more vulnerable and exposed to cyber threats. Attacks – be they State-sponsored or come from a terrorist background or vulnerabilities due to human error, might disrupt the supply of essential services.
Cyber security breaches occur with alarming frequency. Over 75 % of small businesses and 93% of large ones have suffered a cyberattack. And each one can cost up to €50 million, not to mention the market loss and reputational damage.
As a matter of fact, cyber threats do not respect borders. We therefore must act together, not in isolation. And we need to remember that cybersecurity, data protection and online privacy are very closely linked to each other.
The threat landscape has changed and threats have intensified since the adoption of the European Cybersecurity Strategy. However, our priorities and fields of action remain as valid as three years ago.
Let me tell you where we stand on what I consider the cybersecurity policy priorities for the European Commission:
Enhancing cybersecurity capabilities and cooperation to across the EU;
making the EU a strong player on cybersecurity;
mainstreaming cybersecurity in EU policy-making
and last but not least ensuring high level of trust and privacy protection in the digital economy.
1. Enhancing cybersecurity capabilities and cooperation across the EU;
As we are meeting today in Lille, we should not forget that France has been a driving force in promoting safe, stable and open cyberspace in Europe. France has been also at the forefront of the cybersecurity legislation within the EU.
We truly appreciate the efforts of Member States to improve their cybersecurity. At the same time, as cyberspace is borderless by nature, an EU-wide common approach to preparedness, resilience, risk management and cooperation is needed.
That's why I was very pleased last month, when we reached a political agreement in the difficult negotiations on the Network and Information Security Directive.
This directive is a real breakthrough: it is the first comprehensive European piece of legislation on cybersecurity.
The Directive will improve the national cybersecurity capabilities across the EU, which are now uneven. Member States that need to improve their capabilities will be given the possibility to catch up with those who are best in class.
The Directive foresees that each Member State establishes a dedicated incident response team to enable rapid reaction to cyber-threats and cyber-incidents. The cooperation between the Member States, which now takes place in limited circles, will also be enhanced.
The Directive also has a focus on traditional, classical infrastructure: it provides for security and reporting obligations for companies managing critical infrastructure in key important economic sectors such as energy, transport and banking that use digital infrastructure to provide their service. Comparable obligations also apply to key digital service providers.
Each Member State and each company covered by the Directive will need to take their share of responsibility. At the same time the European institutions are committed to providing assistance to facilitate this process.
ENISA, the European Network and Information Security Agency, will be an important resource in this regard. Some Member States may wish to call upon ENISA to help further develop the national Computer Security Incident Response Teams.ENISA will also be the secretariat to the network of those Teams and therefore has a key role in making the cooperation truly work.
CERT-EU on its part, is already today a trusted partner in operational cooperation and will further facilitate information sharing between Member States.
2. Making the EU a strong player in cybersecurity
My second priority is to make the European Union and its industry a strong and competitive player in cybersecurity.
Let me start with the bad news: Despite the fact that the cyberspace is borderless, the market supply for ICT security products and services in Europe is significantly fragmented. Some highly innovative European companies in this sector are still largely dependent on public procurement in their home country.
Although our European companies are strong, innovative and offer the best products and services in the world, they often do not manage to compete on the European and global scale – just because they don't manage to scale up to a significant size due to the limited size of their – national – home markets. Too often, their home market is not the European Single Market, but their national market. As a consequence, they are more easily subject to mergers and acquisitions by non-European actors.
The consequence of this market fragmentation is not only a limited competitiveness for our companies and a missed opportunity to job creation. This market fragmentation ultimately also provokes brain drain and loss of valuable expertise and knowledge from the European Union to other parts of the world.
I want to preserve Europe's digital sovereignty and I want to make sure we can rely on our companies and their knowledge in securing our digital economy. So we will need to change the current situation.
The good news is that the digital revolution that is transforming our society and economy brings enormous opportunities – also for our cybersecurity industry. Trends such as Internet of Things, mobile health, self-driving cars, smart cities, will increase ever more the already high demand for security products and solutions.
The global cyber security market is expected to be among the fastest growing segments of the ICT sector in the coming decade. In 2013 the cyber security market was worth 65.9 billion dollars and is expected to grow to 80-120 billion dollars by 2018.
We need advanced cybersecurity solutions to make our digital market trustworthy and fully unlock its potential. And we need to strengthen our own cybersecurity industry to compete globally. If we grow stronger in this area, cybersecurity could become our competitive advantage.
This is why cybersecurity is one of the pillars of our Digital Single Market Strategy.
By June this year, I will launch a cybersecurity contractual public private partnership to stimulate the competitiveness and innovation capacities of the digital security and privacy industry in Europe.
The setup of this PPP will help gather industrial and public resources to deliver innovation against a jointly-agreed strategic research and innovation roadmap. By pursuing a better coordination with and between Member States, we will maximize the available funds. By definition, the PPP will foster European cooperation – thus seeding the first elements for the development of a cross-border, European market in cybersecurity products and services.
We have recently launched a public consultation on this PPP and a broader set of possible industrial measures to accompany it. It is important that we get this right, so I encourage you to give us your input and feedback.
I am very glad that the interest from the industry to my initiative is high. I see it as a strong sign of support that senior representatives of ten top European companies in cybersecurity have accepted to work on a report and draft recommendations on the needs of the European Cybersecurity industry.
Ladies and Gentlemen, I am very much looking forward to receiving this report in some minutes.
The PPP is not the only initiative I have in mind to stimulate demand and nurture a European-grown Cybersecurity Industry. For example, we will look into how to facilitate European growth of companies by easing access to finance and how to support the development of globally competitive clusters and centres of excellence. We will also consider whether additional work on standardisation and certification might be useful.
By helping European cybersecurity industry to thrive, I want to make sure that European citizens and enterprises have access to the latest digital security technology developments, secured infrastructures and best practices, which also respect our values.
3. Mainstreaming cybersecurity in EU policies
Let me now briefly focus on my third priority, which is mainstreaming cybersecurity in EU policies. This means embedding cybersecurity in relevant sectorial policy initiatives, to make sure that it is taken into account from the very beginning.
My objective is to make "security by design" and "privacy by design" primary requirements in all the relevant policy areas: health, transport, finance, energy but also in ICT field.
4. Trust – data protection and privacy
Last but not least let me touch upon very important aspect for digital economy - data security and privacy, which is also the key theme of this year's meeting in Lille.
I strongly believe that protecting people’s privacy and the security of their information is a precondition for a thriving digital economy.
That is why, next to the policies I mentioned earlier on, we have also foreseen specific initiatives aiming at preserving and enhancing trust in the digital services.
Let me start with the General Data Protection Regulation (GDPR), which has just been agreed. It will enhance individuals' protection with respect to the processing of personal data by all organisations that offer their services on the European market, including companies established outside the European Union.
I could not talk about data protection in the digital sphere without mentioning the current negotiations on a renewed Safe Harbour Agreement.
As you know, the Court of Justice of the European Union has invalidated the current Agreement that facilitates data transfers from the European Union to the US.
My fellow Commissioner Vera Jourova is currently negotiating with our US counterparts on a new legal frameworkthat shall contain additional safeguards to make sure safe harbour is really safe and in line with the Court judgment. Negotiations are on-going and some improvements are still needed. But both the European Commission and our American partners are very constructive so that I am optimistic that we can find a political agreement in the remaining time.
To complete this privacy overview, I would like to inform you that we have started the work on the revision of the e-Privacy Directive which is dealing with the protection of privacy in the electronic communications sector.
The focus of the reform will be twofold: ensuring a high degree of protection of citizens' privacy, while ensuring that the obligations of the Directive apply equally to market operators providing substitutable services. The latter should thus guarantee the same protection to citizens irrespective of the technology used.
Mesdames, Messieurs – Ladies and Gentlemen,
Cybersecurity is there to foster Europe's digital economy, to benefit users and our businesses. It is there to build a strong European cybersecurity industry and make sure that we preserve a sufficient degree of digital sovereignty in securing our digital economy.
It is there to make European citizens fully benefit from a trustworthy digital world and to allow them to participate with trust and confidence in the Digital Union we aim to build.
There is a lot to be done, and I count on all of us to take our part of this shared responsibility.
I wish you very fruitful and constructive discussions during this year's International Cybersecurity Forum.
Merci beaucoup de votre attention.