20 April 2023

Cybersecurity: how the EU tackles cyber threats


Critical sectors such as transport, energy, health and finance have become increasingly dependent on digital technologies to run their core business. While digitalisation brings enormous opportunities and provides solutions for many of the challenges Europe is facing, not least during the COVID-19 crisis, it also exposes the economy and society to cyber threats.

Cyberattacks and cybercrime are increasing in number and sophistication across Europe. This trend is set to grow further in the future, given that 41 billion devices worldwide are expected to be linked to the Internet of Things by 2025.

A stronger cybersecurity response to build an open and secure cyberspace can create greater trust among citizens in digital tools and services.

In October 2020, EU leaders called for stepping up the EU’s ability to:
protect itself against cyber threats
provide for a secure communication environment, especially through quantum encryption
ensure access to data for judicial and law enforcement purposes

EU cybersecurity strategy

In December 2020, the European Commission and the European External Action Service (EEAS) presented a new EU cybersecurity strategy. The aim of this strategy is to strengthen Europe’s resilience against cyber threats and ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. The new strategy contains concrete proposals for deploying regulatory, investment and policy instruments.

On 22 March 2021, the Council adopted conclusions on the cybersecurity strategy, underlining that cybersecurity is essential for building a resilient, green and digital Europe. EU ministers set as a key objective achieving strategic autonomy while preserving an open economy. This includes reinforcing the ability to make autonomous choices in the area of cybersecurity, with the aim to strengthen the EU's digital leadership and strategic capacities.

Council adopts conclusions on the EU's cybersecurity strategy (press release, 22 March 2021)

The EU is also working on two legislative proposals to address current and future online and offline risks:
an updated directive to better protect network and information systems

What is cybersecurity?

Cybersecurity includes the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.

(EU Cybersecurity Act)
EU Cybersecurity Act

The EU Cybersecurity Act entered into force in June 2019 and introduced:
an EU-wide certification scheme
a new and stronger mandate for the EU Agency for Cybersecurity

EU Cybersecurity Act (European Commission)
EU-wide cybersecurity certification scheme

Certification plays a critical role in ensuring high cybersecurity standards for ICT products, services and processes. The fact that different security certification schemes are currently used by different EU countries generates market fragmentation and regulatory barriers.

With the Cybersecurity Act, the EU has introduced a single EU-wide certification framework that will:
build trust
increase the cybersecurity market's growth
ease trade across the EU

The framework will provide a comprehensive set of rules, technical requirements, standards and procedures.

EU cybersecurity certification scheme (European Commission)

The EU cybersecurity market

European countries occupy 18 of the top 20 places in the global cybersecurity index
The value of the EU cybersecurity market is estimated at more than €130 billion and it is growing at a rate of 17% a year
The EU has more than 60 000 cybersecurity companies and more than 660 centres of cybersecurity expertise
EU Agency for Cybersecurity

The new EU Agency for Cybersecurity builds on the structures of its predecessor, the European Union Agency for Network and Information Security, but with a strengthened role and a permanent mandate. It has also adopted the same acronym (ENISA).

It supports member states, EU institutions and other stakeholders in dealing with cyberattacks.

European Union Agency for Cybersecurity (website)
Network and information systems directive

The directive on the security of network and information systems (NIS) was introduced in 2016 as the first ever EU-wide legislative measure with the purpose of increasing cooperation between member states on the vital issue of cybersecurity. It laid down security obligations for operators of essential services (in critical sectors such as energy, transport, health and finance) and for digital service providers (online marketplaces, search engines and cloud services).

In December 2020, the European Commission proposed a revised NIS directive (NIS2) to replace the 2016 directive. The new proposal responds to the evolving threat landscape and takes into account the digital transformation, which has been accelerated by the COVID-19 crisis.

The Council and the European Parliament reached a provisional agreement on the new measures in May 2022. The new legislation will:
ensure stronger risk and incident management and cooperation

Your life online: how is the EU making it easier and safer for you?

The EU is actively working on improving the digital environment for the benefit of all Europeans. Our digital life needs to be safe, easy and respectful of basic freedoms.

Read our feature story to discover how the EU protects users online, ensures cybersecurity and facilitates the exchange of information between EU member states' e-justice systems.

EU fight against cybercrime

Cybercrime takes various forms and many common crimes are cyber-facilitated. For example, criminals can:
gain control over personal devices using malware
steal or compromise personal data and intellectual property to commit online fraud
use internet and social media platforms to distribute illegal content
use the 'darknet' to sell illicit goods and hacking services

Some forms of cybercrime, such as child sexual exploitation online, cause serious harm to their victims.
€5.5 trillion: global annual cost of cybercrime

A specialised European cybercrime centre has been created within Europol to help EU countries investigate online crimes and dismantle criminal networks.

European cybercrime centre (Europol)

The European multidisciplinary platform against criminal threats (EMPACT) is a security initiative driven by member states to identify, prioritise and address threats posed by organised international crime. Countering cyberattacks is one of its priorities.

The EU's fight against organised crime (background information)
Tackling non-cash payment fraud

Fraud and counterfeiting involving non-cash means of payment pose a serious threat to the EU’s security and provide a significant income for organised crime. Moreover, this kind of fraud affects the trust of consumers in the security of digital technologies.

In April 2019, the EU adopted new rules to fight non-cash payment fraud. Member states should implement the new rules in 2021.

The EU puts in place tighter rules to fight non-cash payment fraud (press release, 9 April 2019)
Improving the safety of children online

In May 2022, the European Commission proposed new legislation to tackle online child sexual abuse and exploitation. The new rules are currently being discussed at the Council.

In the meantime, the EU has adopted temporary rules, as a derogation to articles 5(1) and 6(1) of the ePrivacy directive, to allow providers of web-based email and messaging services to continue detecting child sexual abuse online.

In May 2021, the negotiators from the Council and the European Parliament reached a provisional agreement on the temporary measures which allow providers of electronic communications services such as web-based email and messaging services to continue to detect, remove and report child sexual abuse online, also covering anti-grooming, until permanent legislation is in place. The measures entered into force in August 2021 and will expire in 2024.

Combating child abuse online – informal deal with European Parliament on temporary rules (press release, 29 April 2021)
Justice and law enforcement

EU rules and policies also tackle other justice and law enforcement aspects of the fight against cybercrime and crime in general, such as access to e-evidence, encryption and data retention.
Access to e-evidence

Criminals exploit digital technology to commit offences and to hide illicit activities. Law enforcement and judicial authorities therefore rely more and more on electronic evidence, such as texts, e-mails or messaging apps, for their criminal investigations and prosecutions.

This is why the EU is working on new rules which will make access to e-evidence across borders easier and faster.

Better access to e-evidence to fight crime (background information)

To further facilitate cross-border access to e-evidence for criminal proceedings, the EU:
is negotiating an agreement with the US – the country where most service providers are located
participates in the negotiations for the second additional protocol to the Budapest Convention

Council gives mandate to Commission to negotiate international agreements on e-evidence in criminal matters (press release, 6 June 2019)
Encryption

The EU is striving to establish an active discussion with the technology industry to strike the right balance between ensuring the continued use of strong encryption technology and guaranteeing the powers of law enforcement and the judiciary to operate on the same terms as in the offline world.

In December 2020, the Council adopted a resolution on encryption, highlighting the need for both security through encryption and security despite encryption.

Council adopts resolution on encryption (press release, 14 December 2020)
Data retention

To fight crime effectively today, it is important that service providers retain certain data that can be disclosed under certain strict conditions for the purpose of fighting crime. However, data retention can infringe individual fundamental rights, in particular the rights to privacy and to protection of personal data.

The Council adopted conclusions with regard to the retention of electronic communication data for the purpose of fighting crime. The Council tasked the Commission with gathering further information and organising targeted consultations as part of a comprehensive study on possible solutions for retaining data, including the consideration of a future legislative initiative.

Data retention to fight crime: Council adopts conclusions (press release, 6 June 2019)
Boosting cyber diplomacy

The European Union and its member states strongly promote an open, free, stable and secure cyberspace where human rights, fundamental freedoms and the rule of law are fully respected for the social stability, economic growth, prosperity and integrity of free and democratic societies.

The EU invests much effort in protecting itself against cyber threats coming from third countries, especially through a joint diplomatic response called the ‘cyber diplomacy toolbox’. This response includes diplomatic cooperation and dialogue, preventative measures against cyberattacks, and sanctions.

The EU cybersecurity strategy adopted by the European Commission and EEAS in December 2020 reinforces the EU’s diplomatic response to cyberattacks.
Sanctions against cyberattacks

In May 2019, the Council established a framework which allows the EU to impose targeted sanctions to deter and respond to cyberattacks which constitute an external threat to the EU or its member states.

More specifically, this framework allows the EU for the first time to impose sanctions on persons or entities that are responsible for cyberattacks or attempted cyberattacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on other persons or entities associated with them.

Restrictive measures include:
a ban on persons travelling to the EU
an asset freeze on persons and entities

The first ever sanctions for cyberattacks were imposed on 30 July 2020.

Cyberattacks: Council is now able to impose sanctions (press release, 17 May 2019)
Cooperation on cyber defence

Cyberspace is considered as the fifth domain of warfare, as critical to military operations as land, sea, air, and space. It is a domain encompassing everything from information and telecommunication networks, infrastructure, and the data they support, to computer systems, processors and controllers.

The EU cooperates on defence in cyberspace through the activities of the European Defence Agency (EDA), in collaboration with the EU cybersecurity agency and Europol. The EDA supports member states in building a skilled military cyber-defence workforce and ensures the availability of proactive and reactive cyber-defence technology.

The EU cybersecurity strategy adopted in December 2020 by the Commission and the EEAS reinforces:
cyber defence coordination
cooperation and building cyber defence capabilities

The EU policy on cyber defence, adopted in November 2022 by the Commission and the EEAS, aims to boost EU cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities.

Cyber Defence: EU boosts action against cyber threats (European Commission)
Funding and research
Recovery plan

Cybersecurity is one of the EU’s priorities in the response to the COVID-19 pandemic, which has seen increased cyberattacks. The plan includes additional investments in this area.

A recovery plan for Europe (background information)
Horizon Europe

Reaching innovative solutions that can protect us against the latest, most advanced cyber threats is crucial. For this reason, cybersecurity is an important part of the EU research and innovation funding framework programmes Horizon 2020 and its successor Horizon Europe. In May 2020, the EU committed €49 million to boost innovation in cybersecurity and privacy systems.

Horizon Europe (European Commission)
Digital Europe

In the framework of the Digital Europe Programme for the period 2021-2027, the EU has committed to invest €1.6 billion into cybersecurity capacity and the wide deployment of cybersecurity infrastructures and tools across the EU, for public administrations, businesses, and individuals.

Digital Europe programme: informal agreement with European Parliament (press release, 14 December 2020)
Cybersecurity competence centre

In December 2020, the Council and European Parliament reached an informal agreement on the proposal to set up the European Cybersecurity Industrial, Technology and Research Competence Centre, backed by a network of national coordination centres.

The Council adopted the regulation establishing the centre and the network in April 2021.

Bucharest-based Cybersecurity Competence Centre gets green light from Council (press release, 20 April 2021)

The new centre aims to:
further improve cyber resilience
contribute to the deployment of the latest cybersecurity technology
support cybersecurity start-ups and SMEs
enhance cybersecurity research and innovation
contribute to closing the cybersecurity skills gap

Bucharest was selected by EU member states as the seat of the new centre.

Selection of the seat of the European cybersecurity competence centre (background information)
Cybersecurity of critical infrastructure
Secure connected devices

Connected devices, including machines, sensors and networks that make up the Internet of Things (IoT), will play a key role in further shaping Europe’s digital future, and so will their security.

In December 2020, the Council adopted conclusions acknowledging the increased use of consumer products and industrial devices connected to the internet and the related new risks for privacy, information security and cybersecurity. The conclusions set out priorities to address this crucial issue and to boost the global competitiveness of the EU’s IoT industry by ensuring the highest standards of resilience, safety and security.

Cybersecurity of connected devices – Council adopts conclusions (press release, 2 December 2020)
Protecting 5G networks

5G networks are crucial not only for digital communication but also for critical sectors such as energy, transport, banking, and health. Ensuring that 5G networks are resilient is therefore essential to our society.

With worldwide 5G revenues estimated at €225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union.

In January 2020, the EU agreed on a toolbox to identify a possible common set of measures to mitigate the main cybersecurity risks of 5G networks and to provide guidance.

Secure 5G networks: questions and answers on the EU toolbox (European Commission)
