The Commission has launched several initiatives in relation to cybersecurity.
In 2013, the Commission launched the EU Cybersecurity Strategy, which set five priorities: increasing cyber resilience, reducing cybercrime, developing the EU cyber defence policy and capabilities related to the Common Security and Defence Policy, developing the industrial and technological resources for cybersecurity, and establishing a coherent international cyberspace policy for the EU while promoting core EU values.
In April 2015, the Commission adopted the European Agenda on Security (2015-2020), which replaced the previous Internal Security Strategy (2010-2014). This agenda contains a number of actions to fight cybercrime.
Furthermore, on 5 July 2016 the Commission adopted the Communication ‘Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry’. It sets out a series of measures aiming, inter alia, at stepping up cooperation across Europe and promoting the emerging single market for cybersecurity products and services. On the same occasion, as part of the Digital Single Market Strategy presented in May 2015, a contractual public-private partnership (PPP) on cybersecurity was signed. Its aim is to foster cooperation between public and private actors so that people in Europe can access innovative and trustworthy European solutions, including ICT products, services and software. The PPP also aims to stimulate the cybersecurity industry by helping to align supply and demand, especially in sectors where cybersecurity solutions are important, such as energy, health, transport and finance. The PPP brings together a wide range of actors, from innovative small and medium-sized enterprises and producers of components and equipment to critical infrastructure operators and research institutes. An EU investment of €450 million is planned under the research and innovation programme Horizon 2020.
In the Digital Single Market mid-term review of May 2017, the Commission identified cybersecurity as one of three key areas for further work in the years to come and announced a number of actions, including a review of the 2013 EU Cybersecurity Strategy and of the mandate of the European Network and Information Security Agency (ENISA).
On 18 October 2018, the European Council called for measures to build strong cybersecurity in the European Union. EU leaders referred in particular to restrictive measures capable of responding to and deterring cyber-attacks. The initiatives called for include, inter alia, building a stronger EU cybersecurity agency, introducing an EU-wide cybersecurity certification scheme and swiftly implementing the NIS Directive.
ENISA is the EU’s centre of expertise for cybersecurity. It is located in Greece, with its headquarters in Heraklion, Crete, and an operational office in Athens. It was founded in 2004 by Regulation (EC) No 460/2004 of 10 March 2004. ENISA actively contributes to a high level of network and information security within the EU and thereby to the smooth functioning of the internal market.
ENISA works closely with member states and the private sector to provide advice and solutions. This includes pan-European cybersecurity exercises, the development of national cybersecurity strategies, Computer Security Incident Response Team (CSIRT) cooperation and capacity-building, as well as studies on data protection issues, secure cloud adoption, technology aimed at improving life, and trust services. ENISA also supports the development and implementation of EU network and information security policy and legislation.
In September 2012, after a year-long pilot phase, the EU institutions decided to set up a permanent Computer Emergency Response Team, CERT-EU, for the EU institutions, agencies and bodies. It is composed of a team of information technology experts and cooperates closely with other CERTs in the member states as well as with companies specialising in IT security.
On 13 September 2017, the Commission issued a proposal for a regulation on ENISA, the ‘EU Cybersecurity Agency’, and on information and communication technology cybersecurity certification (the ‘Cybersecurity Act’). It was adopted by the European Parliament at the 11 March 2019 plenary session. The Act gives ENISA an enhanced permanent mandate and establishes a European cybersecurity certification framework for ICT products, services and processes that comply with specified cybersecurity requirements. A certificate issued under a European scheme is recognised in all member states, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.
In 2010, the Commission published a proposal for a directive on attacks against information systems, which was eventually adopted in 2013 (Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA). Pursuant to this Directive, member states are required to criminalise the ‘intentional access, without right, to the whole or part of an information system’, at least in relation to cases that are deemed not to be minor. It also requires that illegal system interference and illegal data interference be punished as criminal offences. Provisions also oblige member states to criminalise the instigation or aiding and abetting of any of these acts.
The Directive on security of network and information systems (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, the ‘NIS Directive’) is the first EU-wide piece of legislation on cybersecurity. It was adopted in July 2016; member states were required to transpose it by 9 May 2018 at the latest and to identify operators of essential services by 9 November 2018. It provides for legal measures to boost the overall level of cybersecurity in the EU.
The NIS Directive requires member states to adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate regulatory measures to achieve and maintain a high level of security of network and information systems, covering at least the sectors exhaustively listed in the Directive: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure. Each member state must designate a national competent authority on the security of network and information systems, in charge of monitoring the application of the Directive at national level. Each member state must also designate one or more CSIRTs, covering at least the sectors listed in the Directive. These CSIRTs must be allocated adequate resources to carry out their tasks, which include, inter alia, monitoring incidents at national level, providing early warnings, alerts, announcements and dissemination of information to relevant stakeholders, participating in the CSIRTs network, and establishing cooperation relationships with the private sector. The Directive also established a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among member states, to develop trust and confidence, and to achieve a high common level of security of network and information systems in the European Union.
Under the NIS Directive, two categories of actors are subject to security requirements: operators of essential services and digital service providers. Operators of essential services are private businesses or public entities with an important role for society and the economy. They must be identified by each member state among the entities operating in the sectors exhaustively listed in the Directive, following three criteria: the entity provides a service that is essential for the maintenance of critical societal or economic activities; the provision of that service depends on network and information systems; and an incident would have significant disruptive effects on the provision of that service. Digital service providers are defined as any legal person that provides an online marketplace, an online search engine or a cloud computing service; micro and small enterprises are excluded from the obligations placed on digital service providers. Concerning digital service providers, member states must ensure that they identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems they use in the context of offering their services. The same requirement applies to operators of essential services in relation to the security of the network and information systems they use in their operations. Additionally, member states shall ensure that operators of essential services take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services. Both categories of operators are also subject to an obligation to notify the competent authority or the CSIRT without undue delay of incidents having a significant impact (for operators of essential services) or a substantial impact (for digital service providers) on the provision of their services.
The Commission adopted on 13 September 2017 a Communication (COM(2017) 476 final/2), the ‘NIS Toolkit’, which aims at supporting member states in their efforts to implement the Directive swiftly and coherently across the EU. It presents the best practices from the member states and provides explanation and interpretation of specific provisions of the Directive to clarify how it should work in practice.
On 13 September 2017, the Commission and the High Representative of the Union for Foreign Affairs and Security Policy published a Joint Communication on ‘Resilience, Deterrence and Defence: Building Strong Cybersecurity for the EU’. This wide-ranging cybersecurity package builds on existing instruments and presents new initiatives to further improve EU cyber resilience and response in three key areas: (i) building EU resilience to cyber-attacks and stepping up the EU’s cybersecurity capacity; (ii) creating an effective criminal law response; and (iii) strengthening global stability through international cooperation.
In addition, on 12 September 2018, the Commission presented a Proposal for a Regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres (COM(2018) 630). The proposed Regulation builds on the contractual public-private partnership on cybersecurity created in 2016 to set up a cybersecurity competence network supporting the development and deployment of cybersecurity technologies.