To ensure a safe, secure, trustworthy and resilient digital environment for the benefit of all EU citizens, businesses and public administrations and to promote a better coordinated and coherent approach on cyber security worldwide while promoting fundamental rights both in internal and external policies.
A Cybersecurity Strategy for the European Union
Member States have varying levels of preparedness to prevent, detect and respond to NIS incidents, threats and risks: 13 MS have national cyber security strategies (ENISA April 2013).
Cooperation between MS is limited: 10 MS are part of the European Governmental CERTs (EGC) Group.
There is no widespread risk management culture in the private sector and in public administrations across the EU: 26% of EU enterprises have an ICT security policy (Eurostat 2012), 21% of citizens quote data protection and security concerns as reasons for not using online government services (Eurostat 2009).
Divergent national approaches can create barriers to the completion of the digital single market and have a detrimental effect on cross-border trade: 38% of EU internet users have security concerns (Eurobarometer 2012).
Cyber security is a global issue. Also, European ICT companies face trade barriers caused by cyber security regulation in certain third countries. International cooperation (including in particular with key partners such as the US) is embryonic.
What resources are we going to use?
Human resources: Unit H.4 resources: 4,5 (strategy implementation) + 2 (international cooperation) + 2 (relations with ENISA) full time equivalents.
Budget: study the cybersecurity market; assess the feasibility of EU-wide cooperation & information sharing mechanisms; support the implementation of the Network and Information Security (NIS) Directive; support the roll-out of mechanisms, e.g. communication channels and platforms to enhance the EU-wide capability for preparedness, information sharing, coordination and response to cyber threats between competent national authorities, CERTs, private sector and citizens.
Informational resources: Dialogues with stakeholders, e.g. NIS platform, Digital Agenda Assembly, high level conference to measure progress one year after adoption of the strategy.
Cooperation: The Communication on an EU Cybersecurity Strategy is a joint Communication with DG HOME and the European External Action Service (EEAS), and all three are involved in its implementation.
The adoption by the Commission and the High Representative of a joint Communication on an EU Cybersecurity Strategy JOIN (2013)1 and a Commission proposal Directive on network and information security (NIS) COM (2013)48 - Q1 2013
Implementation of the EU Cybsersecurity Strategy
a) adoption of Council Conclusions by the General Affairs Council/European Council (Q2-Q4 2013)
b) establishment of a NIS public-private platform (Q2 2013); NIS platform best practice guidance (Q2 2014); Commission Recommendation on good cybersecurity practices (Q4 2014)
c) final adoption, by the co-legislators, of the NIS Directive (Q4 2014) and its transposition by Member States (MS) (Q3 2016)
d) cybersecurity championship, with the support of ENISA (2014)
e) EU-wide pilot platform (ACDC) for fighting botnets (Q1-Q3 2013)
Feasibility study on a European Early Warning and Response System (Q3 2013)
Four Commission proposals for implementing acts defining formats and procedures under the NIS Directive, directed to MS (in addition an implementing act for each MS acceding the secure infrastructure will be needed) (2 acts/year between 2015-2017)Three proposals for delegated acts defining triggering events and criteria for access to the secure infrastructure under the NIS Directive, two directed to MS and one to market operators (1 act in 2018)
International joint activities, in particular with the US, entailing a synchronized (i) cyber exercise and (ii) cybersecurity month to be organized together with Member States and with the assistance of ENISA (All Member States to take part, Q4 2014)
|Baseline||26% of enterprises have ICT security policy in 2012 (Eurostat)|
|Target||30% of enterprises have ICT security policy by Q4 2016(2013-2016)|
|Baseline||MS either lack a national NIS framework or have divergent requirements among each other (ENISA studies; Commission Impact Assessment on the proposal for a Directive on NIS)|
|Target||Transposition of NIS Directive in national law in all MS(Q3 2016)|
Enhanced NIS capabilities in MS through the adoption of national NIS strategies and cooperation plans, appointment of competent national NIS authorities and establishment of national/governmental CERTs (17 MS strategies Q4 2014, all MS Q1 2017).
Closer cooperation between national competent authorities, supported by a secure infrastructure, on early warnings and coordinated responses (14MS operational cooperation by Q4 2016).
Improved preparedness by public and private actors to face NIS threats and incidents, e.g. take down botnets, counter DDoS attacks or attacks using well-known vulnerabilities, counter outages resulting from technical and human errors or natural disaster. This should result in an increased proportion of enterprises having an ICT security policy (26% in 2012) and a decreased proportion of citizens having concerns with using online government services (21% in 2009) - (30% of enterprises have ICT security policy by Q4 2016; 20% of citizens have concerns with government online services in Q4 2016).
EEA/EFTA and participation by like-minded third countries in the NIS cooperation mechanism. (EEA/EFTA participation by Q4 2017)
|Baseline||MS have varying levels of preparedness to prevent, detect and respond to NIS incidents, threats and risks: only 13 MS have national cybersecurity strategies; only 10 MS cooperate with each others operationally (ENISA studies; Commission Impact assessment on proposal for a Directive on NIS)|
|Target||All MS to have national capabilities in place; 14 MS to cooperate cross-border via the network of national competent authorities(Q1 2017)|
|Baseline||21% of EU citizens quote data protection and security concerns as reasons for not using online government services (Eurostat 2009)|
|Target||Decreased proportion of EU citizens having concerns with using online government services (from 21% to 20%)(Q4 2016)|
|Baseline||International cooperation on cybersecurity is embyonic (Commission impact assessment on proposal for a Directive on NIS)|
|Target||EEA/EFTA countries and like-minded third countries participating in the NIS network cooperation mechanism(Q4 2017)|