Guest author: Pier Giorgio CHIARA
On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy (JOIN(2020) 18 final). The new strategy lays down the framework within which the Proposal for a NIS 2.0 and the Proposal for a Directive on the Resilience of Critical Operators of Essential Services are implemented. Thus, it sets out how the EU will shield its people, businesses and institutions from cyber threats, and how it will advance international cooperation and lead in securing a global and open Internet.
The Commission acknowledges that improving cybersecurity is essential both to trusting and benefiting from innovation, connectivity and automation, and to safeguarding fundamental rights and freedoms, including the rights to privacy and to the protection of personal data and the freedom of expression and information.
The Strategy sheds light on a range of proposals for deploying regulatory, investment and policy instruments. Against this backdrop, it identifies three areas of EU action: (1) resilience, technological sovereignty and leadership; (2) building operational capacity to prevent, deter and respond; and (3) advancing a global and open cyberspace.
As regards (1) resilience, technological sovereignty and leadership, the EU should ensure the following strategic initiatives:
- Adoption of a revised NIS Directive (see https://encavibs.uni.lu/2020/12/21/proposal-for-nis-2-0/);
- An EU network of AI-enabled Security Operation Centres and an ultra-secure communication infrastructure harnessing quantum technology in order to deploy new and more secure forms of encryption;
- Completion of the implementation of the 5G risk-based Toolbox by Q2/21;
- Regulatory measures for an Internet of Secure Things, via new horizontal cybersecurity rules applicable to IoT products and related services;
- Widespread adoption of cybersecurity technologies through dedicated support to SMEs under the Digital Innovation Hubs;
- Development of an EU DNS resolver service as a safe and open alternative for EU citizens, businesses and public administration to access the Internet; and
- Investment in cybersecurity through the CCCN (Cybersecurity Competence Centre and Network), reaching up to €4.5 billion in public and private investments over 2021-2027, to reinforce the EU's presence in the technology supply chain.
As regards (2) building operational capacity to prevent, deter and respond, the EU should:
- Complete the European cybersecurity crisis management framework and determine the process, milestones and timeline for establishing the Joint Cyber Unit;
- Continue implementation of the cybercrime agenda under the Security Union Strategy, by fostering cooperation between cybersecurity actors and law enforcement (i.e. ENISA and Europol);
- Advance the EU’s cyber deterrence posture to prevent, discourage, deter and respond to malicious cyber activities, via its cyber diplomacy toolbox;
- Encourage and facilitate the establishment of a Member States’ cyber intelligence working group residing within the EU INTCEN and review the Cyber Defence Policy Framework;
- Facilitate the development of an EU “Military Vision and Strategy on Cyberspace as a Domain of Operations” for CSDP military missions and operations; and
- Support synergies between civil, defence and space industries and reinforce cybersecurity of critical space infrastructures under the Space Programme.
As regards (3) advancing a global and open cyberspace, the EU should:
- Define a set of objectives for international standardisation processes and promote them at international level, in line with EU values;
- Advance international security and stability in cyberspace, notably through the proposal by the EU and its Member States for a Programme of Action to Advance Responsible State Behaviour in Cyberspace (PoA) in the United Nations;
- Offer practical guidance on the application of human rights and fundamental freedoms in cyberspace;
- Strengthen and promote the Budapest Convention on Cybercrime, including through the work on finalising the Second Additional Protocol;
- Strengthen and expand EU cyber dialogue with third countries, regional and international organisations, including through an informal EU Cyber Diplomacy Network;
- Reinforce the exchanges with the multi-stakeholder community, notably by regular and structured exchanges with the private sector, academia and civil society; and
- Propose an EU External Cyber Capacity Building Agenda and an EU Cyber Capacity Building Board.
Finally, the Commission addresses the need to raise the overall level of cybersecurity within EU institutions, bodies and agencies through consistent and homogeneous rules. Building on ongoing EU inter-institutional discussions on cybersecurity, the Commission will therefore propose, in 2021, common binding rules on information security and common binding rules on cybersecurity for all EU institutions, bodies and agencies.