The ransomware pandemic is a reality. Cybercrime has doubled in 2019, trebled in 2020, and right now, in 2021, we face a third wave that has not yet peaked. European businesses and governments need much greater protection against cybercriminals and nation states penetrating their networks.
European security services warn, year after year, that the threat landscape is deteriorating, and the headlines in the newspapers reinforce this - we see incidents affecting vital aspects of our societies, such as hospitals, energy agencies and government websites.
Incidents in the cyber realm can nowadays severely disrupt our day-to-day lives. But investments in cybersecurity do not live up to this reality - so it’s time for action.
The Revised Directive on Security of Network and Information Systems, better known as NIS2, is perhaps the most important legislation for tackling these issues.
The Commission, in its proposal from December, introduced stricter cybersecurity measures and reporting obligations for European companies, and also laid down the framework for Member States to strengthen their cybersecurity capabilities and to enhance their cooperation. It is important that this Directive places responsibility for cybersecurity at board level. I believe it is a chefsache - a “matter for the boss”.
In this day and age, cybersecurity should be a priority at the highest levels of management, particularly where you are providing services that are essential or important for Europe and its citizens.
As the rapporteur on NIS2, I’m happy to say that both the sense of urgency and the main philosophy are shared across the European Parliament. Everyone sees the need for cybersecurity investments, improved capabilities and enhanced responsibility.
“We are not doing enough to monitor, detect and counter cyber espionage against our own networks. As a result, we are allowing foreign governments to compromise our work”
But how is the European Parliament itself performing? Are we living up to the standards we want other organisations and companies to uphold? Should NIS2 not also apply to the European institutions? Should we not be at least as strict on ourselves?
I believe we should; cybersecurity within our organisation is lacking. Parliament has to deal with hundreds of threats each week, some of them very serious, and there are insufficient resources and security professionals to deal with them.
We are not doing enough to monitor, detect and counter cyber espionage against our own networks. As a result, we are allowing foreign governments to compromise our work.
I believe this is long overdue. We should invest significantly in cybersecurity measures in the parliament. We need legislation for EU institutions. And perhaps most of all, cybersecurity should become a priority for this House. Not simply in boardrooms in businesses but also at the top of our own organisation, both on cybersecurity and on safety and security in a broader sense.
I therefore call on the President of this Parliament to take the swift action needed.