Last year’s WannaCry attack, which affected infrastructure operators as well as thousands of companies, was a serious indication that cybersecurity is one of the biggest policy challenges in the digital sphere.
Less than a month later came yet another major cyberattack, NotPetya, which caused millions of euros’ worth of economic damage to European companies. It a¬ffected small local businesses such as supermarkets, advertising agencies or law firms as well as major shipping companies.
Such attacks indicate the complexity and scale of a threat that is becoming increasingly common and is equally relevant for individuals, businesses and infrastructure; this it touches upon every aspect of our daily lives.
There is no doubt that technological advancement brings new opportunities, hand-in-hand with new challenges. To face these challenges, we need a response at EU level. We need to create effective cyber deterrence, including through criminal law, to improve protection for Europe’s citizens, businesses and public institutions. The EU is taking initiatives along three main strands.
We do not have to start from scratch. We already have the directive on security of network and information systems (NIS), which introduced rules on cybersecurity. This serves as the basis for the first EU-wide legislation for improved cybersecurity.
Thanks to this new legal framework, EU countries are now strengthening their cooperation in cybersecurity policy and coordinating their efforts to build better response capacities. The new rules entered into force in 2016; member states are currently transposing the directive, putting in place their national strategies and improving resilience of critical sectors.
To further strengthen the Union’s cybersecurity and build the EU response capacity, last year the Commission proposed a cybersecurity act. This proposal gives the EU cybersecurity agency (ENISA) a strong and permanent mandate for delivering advice and solutions, thereby contributing to a high level of network and information security. The agency works closely with member states and the private sector. The act is a priority file and the aim is to adopt it within the mandate of this Commission and Parliament.
In addition to capacity building, we need to improve our responsiveness in the case of EU-wide cyberattacks. The Commission has therefore also proposed a blueprint for cooperation and coordinated response in the event of large-scale, cross-border cybersecurity incidents.
It will also align cyber concerns with existing crisis management mechanisms It identified three vital activities; coordinated response, shared situational awareness and common/coordinated public communication.
We need to make appropriate investments in cybersecurity at the European level, particularly in research, innovation and technology, as well as advanced skills in the area of cybersecurity.
This includes tapping into, and enhancing, the pool of female experts. This is why our new multiannual financial framework foresees a greater role for cybersecurity, with €2bn earmarked for this area in the Digital Europe Programme and further funds coming from Horizon Europe.
However, these are still relatively modest figures compared with the expenditure for cybersecurity technological capabilities in other parts of the world. The Commission has proposed setting up a European cybersecurity industrial technology and research competence centre to pool EU and national resources to support cybersecurity research, innovation and industrial activities.
It will pursue its mission by setting up and helping coordinate a network of national coordination centres and a broad and open cybersecurity competence community. It will carry out or support procurement of the latest cybersecurity technology, provide support to cybersecurity start-ups and SMEs in connecting with potential market and to attract investment, and driving high cybersecurity standards both in technology and cybersecurity systems and in skills development.
The competence centre will seek to enhance cooperation between the civil and defence spheres of cybersecurity with regard to dual-use technologies and applications, and enhancing synergies in relation to the European Defence Fund.
Each of these policy initiatives constitutes a step closer to a more cyber-resilient society and economy, reflecting the Commission’s overall ambition of increasing the internal security of the EU.
The risks that our citizens face when using digital technologies are growing exponentially; that is why cyber preparedness is central to the completion of the digital single market.
We need to boost and encourage cooperation on several levels and involve many actors. I am confident that together we will manage to build a robust and secure digital environment in the EU, addressing the challenges and taking advantage of the opportunities.