In view of a rapidly evolving threat landscape, and building on the review of the 2013 EU cybersecurity strategy, tackling cybersecurity threats together was identified as one of the three challenges in the mid-term review of the Digital Single Market.
On 13 September 2017 the Commission adopted a cybersecurity package. The package builds upon existing instruments and presents new initiatives to further improve EU cyber resilience and response.
For enhanced cyber resilience
ENISA – the EU cybersecurity agency
The European Union Agency for Network and Information Security (ENISA) has a key role to play but is constrained by its current mandate. The Commission presents an ambitious reform proposal, including a permanent mandate for the agency to ensure that ENISA can provide support to Member States, EU institutions and businesses in key areas, including the implementation of the NIS Directive.
It will also contribute to stepping up both operational cooperation and crisis management across the EU.
A single cybersecurity market
The growth of the cybersecurity market in the EU – in terms of products, services and processes – is held back in a number of ways, including by the lack of a cybersecurity certification scheme recognised across the EU. The Commission is therefore putting forward a proposal to set up an EU certification framework with ENISA at its heart.
A joint Commission-industry initiative will also be launched to define a “duty of care” principle to reduce product and software vulnerabilities and promote a “security by design” approach for all connected devices.
The NIS directive
The NIS Directive (Directive (EU) 2016/1148 on security of network and information systems), adopted in July 2016, needs to be implemented swiftly. The September 2017 package facilitates this with Commission guidance on how the Directive should operate in practice and additional interpretation of specific provisions.
Blueprint for rapid emergency response
The Commission presents a blueprint so that the EU has in place a well-rehearsed plan in case of a large-scale cross-border cyber incident or crisis. It sets out the objectives and modes of cooperation between the Member States and EU institutions in responding to such incidents and crises, and explains how existing crisis management mechanisms can make full use of the existing cybersecurity entities at EU level.
The EU strongly promotes the position that international law, and in particular the United Nations (UN) Charter, applies in cyberspace. As a complement to binding international law, the EU endorses the voluntary non-binding norms, rules and principles of responsible State behaviour that have been articulated by the UN Group of Governmental Experts. It also encourages the development and implementation of regional confidence building measures, both in the Organisation for Security and Co-operation in Europe and other regions.
On a bilateral level, cyber dialogues will be further developed and complemented by efforts to facilitate cooperation with third countries to reinforce principles of due diligence and state responsibility in cyberspace.
The recently adopted framework for a joint EU diplomatic response to malicious cyber activities (the "cyber diplomacy toolbox") sets out the measures available under the Common Foreign and Security Policy, including restrictive measures, which can be used to strengthen the EU's response to activities that harm its political, security and economic interests. Implementation work on the framework is currently ongoing with Member States and will be taken forward in close coordination with the Blueprint for responding to large-scale cyber incidents.
The Commission will present concrete proposals in early 2018 to facilitate swift cross-border access to electronic evidence.
You can find more details on cyber deterrence and cyber defence in the factsheet.
Communications, Legislative proposals and staff working documents
- Communication 'Resilience, Deterrence and Defence: Building strong cybersecurity for the EU'
- Proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act")
- Commission Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crises
- Communication "Making the most of NIS – towards effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union"
- Commission staff working document assessment of the EU 2013 cybersecurity strategy
- Proposal for a Directive on combating fraud and counterfeiting of non-cash means of payment
- Report assessing the extent to which the Member States have taken the necessary measures in order to comply with Directive 2013/40/EU on attacks against information systems
- Factsheet on the cybersecurity package
- Factsheet on ENISA and the EU framework for cybersecurity certification
- Factsheet on Tackling Non-Cash Payment Fraud
- Final report on the evaluation of the European Union Agency for Network and Information Security (ENISA)
- Full report on the public consultation on the evaluation and review of the European Union Agency for Network and Information Security (ENISA)
- Commissioner King's speech at the EU Cybersecurity Conference "Digital Single Market, Common Digital Security 2017", 15 September 2017, in Tallinn, Estonia