Ladies and gentlemen

Computer security has been with us for almost as long as computers. As we all know, things have changed a lot in the last decades, even in the last year.

Like technology, cyber threats evolve quickly. The perpetrators change constantly. So do the motives and means that they use to wreak havoc.

The dark web is offering more and more cyber-attack tools readily available for purchase. An international monetised service: no borders, no laws, no limits.

New technology can even make things easier for hackers, who might have political goals, financial motives or no objective other than to 'disrupt'.

It might be a threat made through ransomware, a hybrid threat or even malicious cyber activities carried out by nation-states.

Cyber-attacks on critical infrastructure - manufacturing plants, power grids, chemical plants, transport and water systems, financial networks, even nuclear facilities – are the new reality.

This year alone has seen a spate of attacks against political parties and national elections. We all know these attacks are happening.

They are no longer the fantasy of film producers or conspiracy theorists.

In the United States, they have been called "Cyber Pearl Harbor": a targeted cyberspace attack that could disable a substantial proportion of IT infrastructure and services, potentially on a national basis.

Perhaps I should apologise for my rather gloomy introduction.

But the threat is very real.

Everyone is vulnerable. People and businesses, large and small; organisations and governments. And Europe is as vulnerable as anywhere else.

The recent WannaCry attack is just one example of how much the threat landscape has evolved and has gone global.

This wave of coordinated ransomware attacks hit hundreds of thousands of users in more than 150 countries.

In Europe, it prompted the first-ever instance of EU-wide operational cooperation. That is encouraging – but it was not really enough.

In this case, a major crisis was averted. But Wannacry also revealed some worrying gaps and shortcomings in our cyber-defence.

We still lack EU-wide operational capability for a proper response, especially to a sophisticated major attack spreading rapidly across EU country borders.

A big problem is that EU countries differ in their level of cyber-readiness.

Some have put fully-fledged cybersecurity strategies and laws in place, and well-resourced response teams.

However, not everyone is there yet. And that makes us collectively vulnerable.

So what are we doing to fix this?

Without resorting to a crystal ball, the short answer is: as much as we can.

This autumn, as part of the plan to build a Digital Single Market, we will review and update the EU's cybersecurity strategy – a necessary step that EU leaders endorsed just a few days ago.

Nothing is yet fixed, options are open.

The Internet of Things is a good starting point to illustrate the basics of our approach.

The internet is no longer just a web to which people connect. It has become so much more. It has become a computerised, networked and interconnected world.

The modern refrigerator in your kitchen is a computer that keeps things cold. Your oven is a computer that makes things hot.

Your car is effectively a computer with four wheels and engine attached.

This is not even to mention the power and flexibility of your mobile phone.

All these objects are becoming increasingly linked in themselves. Within a couple of decades, we will be looking at tens of billions of devices connected to the internet.

That will have a huge impact on every aspect of our lives.

I have no doubt that it will be great for productivity, for lifestyles.

But without strong and effective cybersecurity, this hyper-connectivity may come at a massive social and economic cost.

This is why Commission experts are working with the ICT industry, standardisation bodies and regulators to stop hackers from targeting and taking control of Internet of Things devices.

Imagine that happening with a connected car on the move.

Or a flight control system.

Here, we see certification and labelling as a possible way forward – because there are no rules yet for the security of these devices.

EU-wide certification and widely recognised labelling would strengthen trust and confidence in the online environment, while making sure that cybersecurity products and services are technically compatible between countries.

This would help European companies to grow and compete internationally, as the digital economy expands and offers more innovation opportunities.

In the constant battle against cybercrime, it is clear that Europe needs high-quality, affordable, interoperable and trustworthy cybersecurity products.

When it comes to trust and security, the key is strong encryption.

It is the basis for secure digital ID, electronic financial transactions and most importantly, effective cyber-defence.

I am against any backdoors, or weakening of encryption technology.

This erodes trust and security. Especially when there are better ways to help law enforcement authorities to obtain valuable information that can save lives.

No message is written or read in encrypted format.

Intentionally inserting a weakness into systems that are meant to be secure will eventually end up in misuse. That could have potentially catastrophic effects, not to mention the spectre of mass surveillance.


Ladies and gentlemen: overall, our aim is to strengthen the resilience of Europe's network and information systems.

But resilience does not happen overnight. It accumulates over the long term.

For that to happen, cybersecurity should be included in business and government policy. It should be integrated into EU-wide crisis management as well as EU diplomacy overseas.

That means:

- more training and education;

- more cyber-hygiene;

- more cyber-awareness and cooperation as Europe increases its technical, operational and organisational capabilities.

The EU's network information security agency ENISA will play an important part in all of this.

As part of the autumn review, we will re-examine ENISA's role and mandate.

It should become a modern centre, supporting EU countries in their work towards higher cybersecurity standards.

Safety and security are paramount for the Digital Single Market that we are building in Europe. It needs a secure cyber space to be able to function properly.

But cybercrime is a global problem, one that does not recognise country borders either in Europe or elsewhere.

It represents a daily threat that no country can tackle on its own.

To tackle cybercrime effectively requires more active cooperation across countries and communities: everywhere. From national and international law enforcement, to cybersecurity authorities, to the private sector - which owns and operates the vast majority of global critical infrastructure.

Cybersecurity is now at the top of the list of business risks - and not just for the financial sector. It affects every one of us.

It has an economic and fundamental rights impact that we cannot afford to neglect. It is a daily risk that we should all take very seriously.

In Europe, we are playing our part. Thank you.