On 13 September, in his annual State of the Union Address, President Jean-Claude Juncker stated: “In the past three years, we have made progress in keeping Europeans safe online. But Europe is still not well equipped when it comes to cyber-attacks. This is why, today, the Commission is proposing new tools, including a European Cybersecurity Agency, to help defend us against such attacks.”
Europeans place great trust in digital technologies. They open up new opportunities for citizens to connect, facilitate the dissemination of information and form the backbone of Europe’s economy. However, they have also brought about new risks as non-state and state actors increasingly try to steal data, commit fraud or even destabilise governments. Last year, there were more than 4,000 ransomware attacks per day and 80% of European companies experienced at least one cybersecurity incident. The economic impact of cyber-crime has risen five-fold over the past four years alone.
To equip Europe with the right tools to deal with cyber-attacks, the European Commission and the High Representative are proposing a wide-ranging set of measures to build strong cybersecurity in the EU. This includes a proposal for an EU Cybersecurity Agencyto assist Member States in dealing with cyber-attacks, as well as a new European certification scheme that will ensure that products and services in the digital world are safe to use.
Federica Mogherini, High Representative/Vice-President, said: “The EU will pursue an international cyber policy promoting an open, free and secure cyberspace as well as support efforts to develop norms of responsible state behaviour, apply international law and confidence building measures in cybersecurity.”
With recent ransomware attacks, a dramatic rise in cyber-criminal activity, the increasing use of cyber tools by state actors to meet their geopolitical goals and the diversification of cybersecurity incidents, the EU needs to build a stronger resilience to cyber-attacks and create an effective EU cyber deterrence and criminal law response to better protect Europe’s citizens, businesses and public institutions. This is what today’s Cybersecurity Package is about.
An EU Cyber Security Agency: Building on the existing European Agency for Network and Information Security (ENISA), the Agency will be given a permanent mandate to assist Member States in effectively preventing and responding to cyber-attacks. It will improve the EU’s preparedness to react by organising yearly pan-European cybersecurity exercises and by ensuring better sharing of threat intelligence and knowledge through the setting up of Information Sharing and Analyses Centres. It will help implement the Directive on the Security of Network and Information Systemswhich contains reporting obligations to national authorities in case of serious incidents.
The Cybersecurity Agency would also help put in place and implement the EU-wide certification framework that the Commission is proposing to ensure that products and services are cyber secure. Just as consumers can trust what they eat thanks to EU food labels, new European cybersecurity certificates will ensure the trustworthiness of the billions of devices (“Internet of Things”) which drive today’s critical infrastructures, such as energy and transport networks, but also new consumer devices, such as connected cars. Cybersecurity certificates will be recognised across Member States, thereby cutting down on the administrative burden and costs for companies.
Stepping up the EU’s cybersecurity capacity
It is in the EU’s strategic interest to ensure that the technological tools of cyber security are developed in a way that allows the digital economy to flourish, while also protecting our security, society and democracy. This includes the protection of critical hardware and software. To reinforce the EU’s cybersecurity capacity, the Commission and the High Representative are proposing:
- A European Cybersecurity Research and Competence Centre (pilot to be set up in the course of 2018). Working with Member States, it will help develop and roll out the tools and technology needed to keep up with an ever-changing threat and make sure our defences are as state-of-the-art as the weapons that cyber-criminals use. It will complement capacity-building efforts in this area at EU and national level.
- A Blueprint for how Europe and Member States can respond quickly, operationally and in unison when a large-scale cyber-attack strikes. The proposed procedure is laid down in a Recommendation adopted last week. The Recommendation also asks Member States and EU institutions to establish an EU Cybersecurity Crisis Response Framework to make the Blueprint operational. It will regularly be tested in cyber and other crisis management exercises.
- More solidarity: In the future, the possibility of a new Cybersecurity Emergency Response Fund could be considered for those Member States that have responsibly implemented all the cybersecurity measures required under EU law. The Fund could provide emergency support to help Member States – just as the EU’s Civil Protection Mechanism is used to help with cases of forest fires or natural disasters.
- Stronger cyber defence capabilities: Member States are encouraged to include cyber defence within the Framework of Permanent Structured Cooperation (PESCO) and the European Defence Fund to support cyber defence projects. The European Cybersecurity Research and Competence Centre could also be further developed with a cyber defence dimension. To address the skills gap in cyber defence, the EU will create a cyber defence training and education platform in 2018. The EU and NATO will together foster cyber defence research and innovation cooperation. Cooperation with NATO, including participation in parallel and coordinated exercises, will be deepened.
- Enhanced international cooperation: The EU will strengthen its response to cyber-attacks by implementing the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, supporting a strategic framework for conflict prevention and stability in cyberspace. This will be coupled with new cyber capacity building efforts to assist third countries to address cyber threats.
Creating an effective criminal law response
A more effective law enforcement response focusing on detection, traceability and the prosecution of cyber criminals is central to building an effective disincentive to commit such crimes. The Commission is therefore proposing to boost deterrence through new measures to combat fraud and the counterfeiting of non-cash means of payment.
The proposed Directive will strengthen the ability of law enforcement authorities to tackle this form of crime by expanding the scope of the offences related to information systems to all payment transactions, including transactions through virtual currencies. The law will also introduce common rules on the level of penalties and clarify the scope of Member States’ jurisdiction in such offences.
To step up effective investigation and prosecution of cyber-enabled crime, the Commission will also present proposals to facilitate cross-border access to electronic evidence in the beginning of 2018. In addition, by October, the Commission will present its reflections on the role of encryption in criminal investigations.
Recent figures show that digital threats are evolving fast and that the public perceives cyber-crime as an important threat: Whilst ransomware attacks have increased by 300% since 2015, the economic impact of cyber-crime rose fivefold from 2013 to 2017, and could further rise by a factor of four by 2019, studies suggests. 87% of Europeans regard cyber-crime as an important challenge to the EU’s internal security
The European Agenda on Security and the Mid-term review of the Digital Single Market Strategy guide the Commission’s work in this area, setting out the main actions for boosting cybersecurity. The measures proposed today complement already existing rules and fill the gaps where the threat landscape has evolved since the adoption of the 2013 EU Cybersecurity Strategy, delivering on the key priority to support Member States in ensuring internal security under the Bratislava Declaration and Roadmap..