New cybersecurity Strategy
On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy.
The Strategy covers the security of essential services such as hospitals, energy grids and railways, and of the ever-increasing number of connected objects in our homes, offices and factories. It also covers building collective capabilities to respond to major cyberattacks and working with partners around the world to ensure international security and stability in cyberspace. It outlines how a Joint Cyber Unit can ensure the most effective response to cyber threats using the collective resources and expertise available to the EU and Member States.
Legislation and certification
Cybersecurity threats are almost always cross-border, and a cyberattack on the critical facilities of one country can affect the EU as a whole. EU Member States therefore need to have strong governmental bodies that supervise cybersecurity in their country, especially in sectors that are critical for our societies, and to work together with their counterparts in other Member States by sharing information.
They agreed with the EU to ensure this by adopting the NIS Directive (Directive on security of Network and Information Systems), which all countries have now implemented. This Directive was reviewed at the end of 2020.
As a result of the review process, the proposal for a directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) was presented by the Commission on 16 December 2020.
The Cybersecurity Act (in force since June 2019) strengthens the role of ENISA: the agency now has a permanent mandate and was empowered to contribute to stepping up both operational cooperation and crisis management across the EU. It also has larger financial and human resources than before.
ENISA – the EU cybersecurity agency
ENISA (‘European Union Agency for Network and Information Security’) is the EU’s agency that deals with cybersecurity. It provides support to Member States, EU institutions and businesses in key areas, including the implementation of the NIS Directive.
Our digital lives can only work well if there is general public trust in the cybersecurity of IT products and services. Therefore, it is important that we can see that a product has been checked and certified to conform to high cybersecurity standards. At the moment, there are various different security certification schemes for IT products around the EU. Having a single common scheme for certification would be easier and clearer for everyone.
The Commission is therefore working on an EU-wide certification framework, with ENISA at its heart. The Cybersecurity Act outlines the process for achieving this framework.
Investment: research, capacities, cyber centre and network
Cybersecurity is one of the Commission’s priorities in its response to the Coronavirus crisis, which saw increased cyberattacks during the lockdown. The Recovery Plan for Europe therefore includes additional investments in cybersecurity.
Support for research and innovation: Horizon H2020 and cPPP; Horizon Europe
Research into digital security is essential to reach innovative solutions that can protect us against the latest, most advanced cyber threats. That is why cybersecurity is an important part of the Commission’s research and innovation funding framework programmes, Horizon 2020 and its successor Horizon Europe.
As part of Horizon 2020, for the period 2014-2020, the Commission has been co-funding research and innovation into topics such as cybersecurity preparedness through cyber ranges and simulation, cybersecurity for small and medium enterprises, cybersecurity in the Electrical Power and Energy System, and cybersecurity and data protection in critical sectors. These topics fall under the cluster “Secure societies - Protecting the freedom and security of Europe and its citizens”.
In 2016, the H2020 contractual Public Private Partnership (cPPP) on Cybersecurity was established between the European Commission and the European Cyber Security Organisation (ECSO), an association consisting of members from cyber industry, academia, public administrations and more.
In Horizon Europe, for the period 2021-2027, cybersecurity is part of the ‘Civil Security for Society’ cluster. The Work Programme 2021-2022 is currently under preparation.
Support for cyber capacities and deployment
Our physical and digital infrastructures are very closely intertwined. Therefore, the Commission also invests in cybersecurity as part of its infrastructure investment funding programme, the Connecting Europe Facility (CEF), for the period 2014-2020. So far, CEF support has gone to Computer Security Incident Response Teams, operators of essential services (OES), digital service providers (DSPs), single points of contact (SPOC) and national competent authorities (NCAs). This enhances the cybersecurity capabilities and the cross-border collaboration within the EU, supporting the implementation of the EU Cybersecurity strategy.
The upcoming Digital Europe Programme, for the period 2021-2027, is an ambitious programme that is planned to invest €1.9 billion into cybersecurity capacity and the wide deployment of cybersecurity infrastructures and tools across the EU, for public administrations, businesses, and individuals.
Cybersecurity is also a part of InvestEU. InvestEU is a general programme that brings together many financial instruments and uses public investment to leverage further investment from the private sector. Its Strategic Investment Facility will support strategic ‘value chains’ in cybersecurity. It is an important part of the recovery package in response to the Coronavirus crisis.
Cybersecurity Competence Centre and Network; Atlas
To strengthen European cybersecurity capacity, the Commission proposed the creation of a new European Cybersecurity Industrial, Technology and Research Competence Centre and a network of national coordination centres. The proposed centre would pool expertise and align European development and deployment of cybersecurity technology. It would work with industry, the academic community and others to build a common agenda for investments into cybersecurity, and decide on funding priorities for research, development and roll-out of cybersecurity solutions (through the Horizon Europe and Digital Europe Programmes).
Currently, four pilot projects are running to lay the groundwork for the Competence Centre and Network. They involve more than 170 partners.
To have a better overview of cybersecurity expertise and capacity across the EU, the Commission has developed a comprehensive platform called the Cybersecurity Atlas.
Policy guidance: Blueprint, Joint Cyber Unit, 5G, elections
Blueprint for coordinated response to major cyber-attacks
The Commission's blueprint for rapid emergency response provides a plan in case of a large scale cross-border cyber incident or crisis. It sets out the objectives and modes of cooperation between the Member States and EU Institutions in responding to such incidents and crises, and explains how existing Crisis Management mechanisms can make full use of existing cybersecurity entities at EU level.
Joint Cyber Unit
As a follow-up, Commission President von der Leyen has announced a proposal for an EU-wide Joint Cyber Unit. This initiative will aim at further coordinating cybersecurity operational capabilities across the EU.
Secure 5G deployment in the EU
5G networks are planned to be rolled out across the EU. They will offer huge benefits, but also have more potential entry points for attackers due to their less centralised architecture, more antennas and increased dependency on software. The EU Toolbox on 5G sets out measures to strengthen security requirements for 5G networks, apply relevant restrictions for suppliers considered high-risk, and ensure the diversification of vendors.
Securing the electoral process
Our European democracies have become increasingly digital: political campaigns take place online, and elections themselves often happen through electronic voting. The Commission therefore issued recommendations for the cybersecurity of elections for the European Parliament, published in September 2018 as part of a broader package of recommendations to support free and fair European elections. A month before the 2019 European elections, the European Parliament, EU Member States, the Commission and ENISA carried out a live test of their preparedness.
Skills and awareness
We can only ensure digital security if we have experts with the right knowledge and skills, and there are currently not enough. That is why the Commission does many things to stimulate the development of cybersecurity skills. For example, it prepared a call for a coherent framework for teaching cybersecurity skills in university and professional education. The four pilot projects preparing the Cybersecurity Competence Centre and Network, together with ECSO, are currently working on this. There are also recurring initiatives meant directly for students, such as the yearly European Cyber Security Challenge.
Cybersecurity skills fall under the Commission’s general agenda on Digital Skills. They are also a part of the funding efforts under Horizon 2020, Horizon Europe and the Digital Europe Programme. An example is the funding for ‘cyber ranges’, which are live simulation environments of cyber threats for training.
The human factor is often the weak link in cybersecurity; someone clicking on a phishing link can have huge consequences. Therefore, the Commission raises awareness of cybersecurity and promotes best practices among the general public. For instance, once a year it organises the European Cyber Security Month together with ENISA.
Cyber community: ENISA, ISACs, JRC, CSIRTs/ CERTs, ECSO, Women4Cyber
ENISA – the EU cybersecurity agency
ENISA is the EU’s agency that deals with cybersecurity. It provides support to Member States, EU institutions and businesses in key areas, including the implementation of the NIS Directive.
The cybersecurity community in different sectors of the economy works together through Information Sharing and Analysis Centres (ISACs). Further developing ISACs both at EU level and at national level is a priority for the Commission. In collaboration with ENISA, it also promotes the establishment of new ISACs in sectors where none exists yet. The “Empowering EU ISACs consortium”, supervised by the Commission, provides legal, technical and organisational support for ISACs.
The Joint Research Centre (JRC) of the Commission is actively contributing to cybersecurity in the EU. For example, the JRC has developed a Cybersecurity Taxonomy. This aligns the terminology used in cybersecurity so that we can have a clearer overview of cybersecurity capabilities in the EU.
The JRC also recently published a report that provides insights into the current EU cybersecurity landscape and its history, entitled “Cybersecurity – our digital anchor”.
Under the NIS Directive, EU Member States are required to ensure that they have well-functioning Computer Security Incident Response Teams (‘CSIRTs’), also known as Computer Emergency Response Teams (‘CERTs’). These teams deal with cybersecurity incidents and risks in practice. They cooperate with each other at EU level, and also work together with the private sector.
All types of operators of essential services and digital service providers have to be covered by designated CSIRTs.
The main CSIRTs' tasks are:
- monitoring incidents at a national level
- providing early warning, alerts, announcements and other information about risks and incidents to relevant stakeholders
- responding to incidents
- providing dynamic risk and incident analysis and situational awareness
- participating in the CSIRTs network
The European Cyber Security Organisation (ECSO) was created in 2016 in order to act as the Commission’s counterpart in a contractual public-private partnership covering Horizon 2020 in the years 2016 to 2020. The majority of ECSO’s 250 members belong either to the cybersecurity industry or to research and academic institutions in the field. To a lesser degree, ECSO’s members also comprise public sector actors and demand-side industries.
Besides making recommendations on Horizon 2020, ECSO carries out various activities aiming at community building and industrial development at European level.
It is important to highlight the role of women in the cybersecurity community, who are underrepresented. That is why the Commission has set up the Women4Cyber Registry, in cooperation with ECSO’s Women4Cyber initiative. It makes it easier for media, event organisers and others to find the many talented women working in cybersecurity, so these women become more visible and prominent in the cyber community and the public debate.
Other cyber policy areas: cybercrime, cyber diplomacy, defence, support to third countries
Ordinary criminals also make use of cyberattacks that threaten Europeans. That is why the Migration and Home Affairs department of the Commission monitors and updates EU law on cybercrime and supports law enforcement capacity, as further described on its webpage. The Commission also works together with the European Cybercrime Centre in Europol.
The EU is making efforts to protect itself against cyber threats from outside. As a part of this, the Commission works together with the European External Action Service and Member States on the implementation of a joint diplomatic response to malicious cyber activities (the ‘cyber diplomacy toolbox’). This response includes diplomatic cooperation and dialogue, preventative measures against cyberattacks, and sanctions against those involved in cyberattacks threatening the EU.
The Commission assists in decision-making on responding to external cyber threats wherever needed. It also directly funds the ongoing EU Cyber Diplomacy Support Initiative.
The EU cooperates on defence in cyberspace through the activities of the European Defence Agency, as well as ENISA, Europol and the Directorate-General in the Commission responsible for Defence Industry.
Cyber capacity building in third countries
The EU cooperates with other countries to help build up their capacity to defend against cybersecurity threats. The Commission supports various cybersecurity programmes in the Western Balkans and the six Eastern Partnership countries in the EU’s immediate neighbourhood, as well as in other countries worldwide through its International Cooperation and Development department.