On March 3, BSA/The Software Alliance, a software industry advocacy group, released the EU Cybersecurity Dashboard: A Path to a Secure European Cyberspace (the “EU Dashboard”), an analysis of data security laws and policies in the 28 European Union member countries. The EU Dashboard states that governments must have proper cybersecurity legal and policy frameworks in place to effectively guard against cyber-attacks. Overall, the EU Dashboard analysis finds that “[c]onsiderable discrepancies exist between Member States’ cybersecurity policies, legal frameworks and operational capabilities, creating notable cybersecurity gaps across Europe.”
The EU Dashboard summarizes certain high-level principles for constructing a proper legal and policy framework on cybersecurity issues. First, the EU Dashboard states that a robust framework should be risk-based and establish “a hierarchy of priorities—based on an objective assessment of risk—with critical assets and/or critical sectors at the top.” In addition, a government’s approach to cybersecurity protection should be technology neutral; the EU Dashboard notes that “[s]pecific requirements or policies that mandate the use of certain technology only undermine security by restricting evolving security controls and best practices and potentially creating single points of failure.” Further, a proper legal and policy framework must be practicable and flexible, and must take into account privacy and civil liberties concerns. The EU Dashboard states that “[e]nsuring that requirements and obligations are proportionate, do not represent more intrusion in fundamental rights than what is strictly necessary, follow due process and are supported by adequate judicial oversight are all important considerations to address in any cybersecurity framework.”
With respect to individual Member States, the EU Dashboard focuses on five areas of each country’s cybersecurity apparatus: legal foundations, operational capabilities, public-private partnerships, sector-specific cybersecurity plans and education. Regarding legal foundations, the EU Dashboard observes that “19 of the 28 Member States have more or less detailed and comprehensive cybersecurity strategies in place, while eight have not declared any such framework at all.” BSA’s conclusion is more encouraging in the operations area, as the EU Dashboard notes that almost all EU Member States have in place operational computer emergency response teams, “with only Cyprus and Ireland yet to make their [computer emergency response teams] fully operational.”
The story is mixed concerning public-private partnerships, where “[f]ive countries—Austria, Germany, the Netherlands, Spain and the United Kingdom—are leading the way by having established formal public-private partnerships for cybersecurity,” while such partnerships “are either non-existent, very restricted, or still at a very early stage of development in the majority of the Member States.” With respect to sector-specific plans, the EU Dashboard states that the “same countries that are leading the way in public-private partnerships also are the leaders in this field, often establishing sector-specific dialogues and information exchanges with the private sector.” Finally, the EU Dashboard hails the EU’s “strong commitment to cybersecurity education and awareness raising” but notes that “a small number of countries, including Greece, Malta, Portugal and Slovenia have yet to implement national education strategies in this field.”
The EU Dashboard provides further guidance on tactics to avoid when implementing cybersecurity policy frameworks and offers advice to Member States relating to establishing information sharing procedures among relevant stakeholders. Finally, the EU Dashboard includes cybersecurity country summaries for the Member States. The United Kingdom, for example, “has a comprehensive cybersecurity strategy” and a “well-developed system of public-private partnerships,” while Malta “has yet to develop a comprehensive legal and policy framework for supporting cybersecurity, although its Digital Malta Strategy and e-government plan promise the elaboration of a cybersecurity strategy.”