by Dr Roberto Viola, Director General, DG CNECT, European Commission, Brussels
As the digital and the physical worlds are converging more and more, it is of utmost importance to enhance cybersecurity. Cyberattacks know no borders. Therefore, a comprehensive EU approach based on trust, solidarity and mutual assistance is key to fight current and future threats and to be a point of reference for other international actors.
European cyber resilience is vital
The war in Ukraine is only the tip of the iceberg of what we have been experiencing in the global security environment, which is becoming more contested, complex and interconnected. The cyber resilience of Europe and beyond is being challenged more than ever by both cyber – such as wipers, phishing, misinformation – and hybrid attacks.
Beyond the current conflict, as reported by the European Agency for Cybersecurity (ENISA), and in terms of the general cyber situation, local and public administration, government and healthcare form the most targeted groups in Europe. Incidents in the EU over the last year involve mostly ransomware cases by cybercriminal gangs, followed by hacktivist activity by Russian-led or otherwise pro-Russian threat actors. Hacktivists primarily attack institutions to have a greater media exposure, while criminals favour targets that are most likely to pay ransoms due to the relative high impact of the disruption (e.g. hospitals, service-providing public institutions). Cyber espionage also remains a growing threat.
The EU has done its homework
In such a heightened threat environment, it is reassuring that the EU has done its homework to raise the resilience of our critical infrastructure. Almost 10 years ago, the Commission proposed the first EU-wide law on cybersecurity – the NIS Directive, which came into force in 2016. These rules laid the ground for improved EU level of cooperation and increased cyber resilience of the Member States.
Revised NIS Directive: The Directive has already been reviewed and will be soon repealed by the NIS2 Directive, which entered into force in January 2023. The NIS2 Directive will ensure an even safer and stronger Europe by significantly expanding the sectors and type of entities falling under its scope, streamlining incident reporting obligations, introducing more stringent supervisory measures and enforcement requirements for national authorities, and strengthening security requirements for companies.
Cybersecurity Strategy for the Digital Decade: Among the many initiatives to enhance cybersecurity the EU has provided since then is the EU’s Cybersecurity Strategy for the Digital Decade, which focuses on building collective capabilities to respond to major cyber-attacks and working with partners around the world to ensure international security and stability in cyberspace. The Strategy announced €2bn in funding for cybersecurity under the EU research programmes, Horizon Europe, and the Digital Europe Programme. In addition to this, about €134.5bn of the €672.5bn Recovery and Resilience Facility consisting of grants and loans has been earmarked for investments in the whole digital technology supply chain.
Cyber Resilience Act: The Strategy also mentions the need for the extension of cybersecurity obligations to the Internet of Things, which was addressed in a proposal for a new Cyber Resilience Act presented in September last year. The act will ensure that products with digital elements, such as wireless and wired products and software, are more secure for business users and consumers across the EU. The European Cyber Resilience Act will be another key milestone to raising Europe’s cybersecurity across all domains and could set an example for our partners all over the world.
New EU Cyber Defence Policy: In November last year, the Commission and the High Representative put forward a new EU Cyber Defence Policy to address the deteriorating security environment following unjustified Russian aggression against Ukraine.
It sets the path towards stronger military and civilian cooperation on crisis management and information sharing. With both NATO and the EU calling for Member States to boost their cyber defence capabilities, it provides a strong framework for closer cooperation with NATO. The EU will have a key role to play through investing in research and development in areas such as Artificial Intelligence (AI) and quantum, which are crucial for cyber defence.
Last month, the third Joint Declaration on NATO-EU cooperation was signed, where the EU and NATO agreed to create a taskforce on resilience and critical infrastructure protection, also addressing cybersecurity matters.
The Joint Communications on EU Cyber Defence Policy also announced that the Commission is preparing an EU Cyber Solidarity Initiative to strengthen common EU detection and situational awareness, and Member States preparedness and response capabilities to major cybersecurity incidents. It will do so by supporting the creation of a pan-European infrastructure of Security Operations Centres to improve cyber threat detection and analysis. It will also strengthen preparedness and response actions across the EU by gradually building an EU-level cyber reserve with services from trusted private providers and by supporting the testing of critical entities for potential vulnerabilities.
We will not stop here
The Union remains open to an ambitious and mutually beneficial cybersecurity engagement with all like-minded partners. For instance, we are cooperating closely with the United States, including through regular cyber dialogues, to enhance transatlantic cooperation to prevent, detect and respond to malicious cyber activities and protect critical infrastructure.
Moreover, the EU is continuously supporting Ukraine in building its cyber resilience. We will not stop here. Technology is constantly evolving, making our lives easier, bringing new opportunities, but also new risks. We are constantly learning, closely observing developments in the digital field, analysing potential difficulties and drawing possible scenarios. Cybersecurity is a shared responsibility and is more important than most think.