National cybersecurity strategies emerged in Europe mainly after the 2007 cyberattack campaign against Estonia and the Commission Communication ‘Digital Agenda for Europe’, a flagship initiative under the Europe 2020 Strategy.
In 2007, coordinated cyber attacks were launched against Estonian government agencies, banks, and media and telecommunications companies. In the follow-up of these events, Estonia became the first EU Member State to adopt a national cybersecurity strategy seeking to reduce the inherent vulnerabilities of cyberspace. While Slovakia followed with a national strategy in 2009, only nine EU Member States (Belgium, Cyprus, Estonia, Finland, Germany, Lithuania, Luxembourg, the Netherlands, Slovakia) had a national cyber security strategy in place when the European Commission presented its Proposal for a NIS Directive on 7 February 2013 in connection with the European Cybersecurity Strategy ‘An Open, Safe and Secure Cyberspace’. The Proposal for a NIS Directive foresaw that each Member State adopts a national ‘NIS strategy’ and a ‘national NIS cooperation plan’ (Art. 5 Proposal for a NIS Directive). In light of an increasing threat landscape and in view of a forthcoming obligation to adopt a national cybersecurity strategy, a further six Member States adopted a national strategy in 2013: Romania in May, Poland and Hungary in June, Austria in July, and Italy and Spain in December. When the NIS Directive, and thus the obligation to have a national strategy on the security of NIS in place, was adopted in July 2016, only three Member States still lacked a national cybersecurity strategy: Bulgaria, which adopted its first strategy before the NIS Directive entered into force, Greece and Sweden, which both adopted their first strategy in 2017. Today, most Member States have updated their national cybersecurity strategy at least once.
The hyperlink provided links to the respective strategy (if available, an English language version is provided).