New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient
The Commission and the High Representative of the Union for Foreign Affairs and Security Policy are presenting a new EU Cybersecurity Strategy. As a key component of Shaping Europe's Digital Future, the Recovery Plan for Europe and the EU Security Union Strategy, the Strategy will bolster Europe's collective resilience against cyber threats and help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. Whether it is the connected devices, the electricity grid, or the banks, planes, public administrations and hospitals Europeans use or frequent, they deserve to do so with the assurance that they will be shielded from cyber threats.
The new Cybersecurity Strategy also allows the EU to step up leadership on international norms and standards in cyberspace, and to strengthen cooperation with partners around the world to promote a global, open, stable and secure cyberspace, grounded in the rule of law, human rights, fundamental freedoms and democratic values.
Furthermore, the Commission is making proposals to address both cyber and physical resilience of critical entities and networks: a Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2’), and a new Directive on the resilience of critical entities. They cover a wide range of sectors and aim to address current and future online and offline risks, from cyberattacks to crime or natural disasters, in a coherent and complementary way.
Trust and security at the heart of the EU Digital Decade
The new Cybersecurity Strategy aims to safeguard a global and open Internet, while at the same time offering safeguards, not only to ensure security but also to protect European values and the fundamental rights of everyone. Building upon the achievements of the past months and years, it contains concrete proposals for regulatory, investment and policy initiatives, in three areas of EU action:
1. Resilience, technological sovereignty and leadership
Under this strand of action the Commission proposes to reform the rules on the security of network and information systems, under a Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2’), in order to increase the level of cyber resilience of critical public and private sectors: hospitals, energy grids, railways, but also data centres, public administrations, research labs and manufacturing of critical medical devices and medicines, as well as other critical infrastructure and services, must remain impermeable, in an increasingly fast-moving and complex threat environment.
The Commission also proposes to launch a network of Security Operations Centres across the EU, powered by artificial intelligence (AI), which will constitute a real ‘cybersecurity shield’ for the EU, able to detect signs of a cyberattack early enough and to enable proactive action, before damage occurs. Additional measures will include dedicated support to small and medium-sized businesses (SMEs), under the Digital Innovation Hubs, as well as increased efforts to upskill the workforce, attract and retain the best cybersecurity talent and invest in research and innovation that is open, competitive and based on excellence.
2. Building operational capacity to prevent, deter and respond
The Commission is preparing, through a progressive and inclusive process with the Member States, a new Joint Cyber Unit, to strengthen cooperation between EU bodies and Member State authorities responsible for preventing, deterring and responding to cyber-attacks, including civilian, law enforcement, diplomatic and cyber defence communities. The High Representative puts forward proposals to strengthen the EU Cyber Diplomacy Toolbox to prevent, discourage, deter and respond effectively against malicious cyber activities, notably those affecting our critical infrastructure, supply chains, democratic institutions and processes. The EU will also aim to further enhance cyber defence cooperation and develop state-of-the-art cyber defence capabilities, building on the work of the European Defence Agency and encouraging Member States to make full use of the Permanent Structured Cooperation and the European Defence Fund.
3. Advancing a global and open cyberspace through increased cooperation
The EU will step up work with international partners to strengthen the rules-based global order, promote international security and stability in cyberspace, and protect human rights and fundamental freedoms online. It will advance international norms and standards that reflect these EU core values, by working with its international partners in the United Nations and other relevant fora. The EU will further strengthen its EU Cyber Diplomacy Toolbox, and increase cyber capacity-building efforts to third countries by developing an EU External Cyber Capacity Building Agenda. Cyber dialogues with third countries, regional and international organisations as well as the multi-stakeholder community will be intensified. The EU will also form an EU Cyber Diplomacy Network around the world to promote its vision of cyberspace.
The EU is committed to supporting the new Cybersecurity Strategy with an unprecedented level of investment in the EU's digital transition over the next seven years, through the next long-term EU budget, notably the Digital Europe Programme and Horizon Europe, as well as the Recovery Plan for Europe. Member States are thus encouraged to make full use of the EU Recovery and Resilience Facility to boost cybersecurity and match EU-level investment. The objective is to reach up to €4.5 billion of combined investment from the EU, the Member States and the industry, notably under the Cybersecurity Competence Centre and Network of Coordination Centres, and to ensure that a major portion gets to SMEs.
The Commission also aims at reinforcing the EU's industrial and technological capacities in cybersecurity, including through projects supported jointly by EU and national budgets. The EU has the unique opportunity to pool its assets to enhance its strategic autonomy and propel its leadership in cybersecurity across the digital supply chain (including data and cloud, next generation processor technologies, ultra-secure connectivity and 6G networks), in line with its values and priorities.
Cyber and physical resilience of network, information systems and critical entities
Existing EU-level measures aimed at protecting key services and infrastructures from both cyber and physical risks need to be updated. Cybersecurity risks continue to evolve with growing digitalisation and interconnectedness. Physical risks have also become more complex since the adoption of the 2008 EU rules on critical infrastructure, which currently only cover the energy and transport sectors. The revisions aim at updating the rules following the logic of the EU's Security Union strategy, overcoming the false dichotomy between online and offline and breaking down the silo approach.
To respond to the growing threats due to digitalisation and interconnectedness, the proposed Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2’) will cover medium and large entities from more sectors based on their criticality for the economy and society. NIS 2 strengthens security requirements imposed on the companies, addresses security of supply chains and supplier relationships, streamlines reporting obligations, introduces more stringent supervisory measures for national authorities and stricter enforcement requirements, and aims at harmonising sanctions regimes across Member States. The NIS 2 proposal will help increase information sharing and cooperation on cyber crisis management at national and EU level.
The proposed Critical Entities Resilience (CER) Directive expands both the scope and depth of the 2008 European Critical Infrastructure directive. Ten sectors are now covered: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Under the proposed directive, Member States would each adopt a national strategy for ensuring the resilience of critical entities and carry out regular risk assessments. These assessments would also help identify a smaller subset of critical entities that would be subject to obligations intended to enhance their resilience in the face of non-cyber risks, including entity-level risk assessments, taking technical and organisational measures, and incident notification. The Commission, in turn, would provide complementary support to Member States and critical entities, for instance by developing a Union-level overview of cross-border and cross-sectoral risks, best practice, methodologies, cross-border training activities and exercises to test the resilience of critical entities.
Securing the next generation of networks: 5G and beyond
Under the new Cybersecurity Strategy, Member States, with the support of the Commission and ENISA - the European Cybersecurity Agency, are encouraged to complete the implementation of the EU 5G Toolbox, a comprehensive and objective risk-based approach for the security of 5G and future generations of networks.
According to a report published yesterday on the impact of the Commission Recommendation on the Cybersecurity of 5G networks and the progress in implementing the EU toolbox of mitigating measures since the progress report of July 2020, most Member States are already well on track to implement the recommended measures. They should now aim to complete their implementation by the second quarter of 2021 and ensure that identified risks are adequately mitigated, in a coordinated way, particularly with a view to minimising the exposure to high-risk suppliers and avoiding dependency on these suppliers. The Commission also set out key objectives and actions aimed at continuing the coordinated work at EU level.