On September 13, 2017, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy published a Joint Communication to the European Parliament and the Council of the European Union on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” (“Joint Communication”). This Joint Communication is part of a package of EU documents adopted on the same date aimed at delivering a stronger EU response to cyber attacks. In particular, the Joint Communication puts forward targeted measures to (1) build greater EU resilience to cyber attacks, (2) better detect cyber attacks, and (3) strengthen international cooperation on cybersecurity.
Greater EU Cyber Resilience The Joint Communication first sets out measures designed to build greater EU cyber resilience, including:
- The swift adoption of a new EU Regulation that reforms the EU Cybersecurity Agency (ENISA) by giving it a permanent mandate, and sets up an EU certification framework with ENISA at its heart. This framework will define the procedure for the creation of voluntary EU-wide cybersecurity certification schemes. This will limit administrative and financial costs for businesses who need to undertake several certification processes when conducting business across the EU;
- The adoption of a joint European Commission/industry initiative to define a “duty of care” principle, which could reduce product/software vulnerabilities and promote “security by design”;
- Full and effective implementation of the EU Directive on the Security of Network and Information Systems (“NIS Directive”) by all EU Member States by May 9, 2018. On September 13, 2017, the EU Commission also issued a Communication to support the EU Member States’ efforts by providing best practice and guidance on how the NIS Directive should operate in practice;
- The swift implementation of a “Blueprint” for cross-border major incident response. The “Blueprint” was presented in an EU Recommendation and sets out the objectives and modes of cooperation among EU Member States as well as between EU Member States and relevant EU institutions, when responding to large-scale cybersecurity incidents and crises;
- The launch of an impact assessment to study the possibility of stimulating development and deployment of cybersecurity technology through a Commission proposal in 2018 to set up a network of cybersecurity competency centers, with a European Cybersecurity Research and Competence Center as the central figure;
- Prioritizing cyber awareness in EU national information campaigns and including cybersecurity as part of EU national academic and vocational training curricula; and
- Developing a single portal – an EU-wide one-stop-shop – that would provide information on the latest cyber threats and bring together practical advice and cybersecurity tools to help victims of cyber attacks.
Effective EU Cyber Deterrence The Joint Communication also sets out the following key actions to help create effective EU cyber deterrence:
- The introduction of requirements pertaining to EU procurement, research and project funding to move to the new protocol (IPv6) at the EU level, while encouraging EU Member States to consider executing voluntary agreements with service providers to drive up the uptake of IPv6;
- Proposals by the European Commission to facilitate cross-border access to electronic evidence (early 2018);
- The swift adoption of a new proposed EU Directive on combatting fraud and counterfeiting of non-cash means of payment;
- A renewed/expanded focus by the Europol Cybercrime Center on cyber forensics and monitoring the “darknet”;
- The implementation of a recently adopted framework for a joint EU diplomatic response to malicious cyber activities (“cyber diplomatic toolbox”);
- Enhanced financial support for national and transnational projects improving criminal justice in cyberspace; and
- The implementation of a cybersecurity-related education platform by 2018 to address the current skills gap in cybersecurity and cyber defense.
Strengthened International Cooperation on Cybersecurity The Joint Communication also describes measures designed to develop international cooperation and promote global cyber stability, while contributing to EU strategic autonomy in cyberspace. This includes the following measures:
- Establishing a strategic framework for conflict prevention and stability in cyberspace in the EU’s bilateral, regional, multi-stakeholder and multilateral engagements;
- Developing a new Capacity Building Network to support third countries’ ability to address cyber threats and EU Cybersecurity Capacity Building Guidelines to better prioritize EU efforts; and
- Strengthening cooperation between the EU and NATO.
According to the Joint Communication, the measures described above will result in a shift for the EU from a reactive to a proactive approach to effectively protect EU individuals against cyber threats.