A New Digital Era and the Need to Protect Critical Societal Functions

News item | 07-12-2016

The EU Cybersecurity Strategy adopted in 2013 identified important gaps across the European Union in terms of national capabilities, coordination in cross-border incidents, and private sector involvement and engagement. On 6 July 2016 the NIS Directive was adopted in response to this identified need. On the eve of the adoption, the European Commission signed a contractual Public-Private Partnership (cPPP) with the EU’s cyber security industry, in order to better equip Europe against cyber-attacks and to strengthen the competitiveness of its cybersecurity sector.

Written by: Mr. Christer E. Hammarlund, Cyber Defence Policy Officer at the Cybersecurity and Digital Privacy Unit of the European Commission’s Directorate General for Communications Networks, Content and Technology (DG CONNECT)

With the digital economy making headway across the globe, mobile communications and the Internet are now pervasive in every business and service sector all over the world, as well as in our private lives. Companies fighting for a competitive edge are increasingly presenting their customers with digital solutions. The number of Internet users worldwide has tripled over the past decade, and broadband and smartphones are faster, cheaper, and more widespread. However, with the digital economy comes the inevitable issue of security.

The NIS Directive

In 2013, the European Union adopted the Cyber Security Strategy and launched a legislative proposal (known as the ‘NIS Directive’) with the objective of bringing cybersecurity capabilities to the same level of development across all the EU Member States and ensuring efficient exchange of information and cooperation both nationally and at cross-border level. The Directive was finally adopted by the European Parliament on 6 July this year, and is now awaiting Member State implementation. The NIS Directive is the first EU-wide cyber security directive of its kind.

Günther H. Oettinger, European Commissioner for the Digital Economy and Society, signing the new Public-Private Partnership with industry, 5 July 2016. Credits: European Commission.

The need for such a legislative framework has become more pressing in light of ongoing developments in this field. For example, according to a recent survey, the number of security incidents across all industries worldwide rose by 38% in 2015 while at least 80% of European companies experienced at least one cybersecurity incident over the past year.

The Directive’s first objective is to increase national cyber security capabilities. This will be achieved through Member States developing a national strategy on NIS, the formation of an NIS national authority, and the launch of a Computer Security Incident Response Team (CSIRT).

Secondly, the Directive aims to improve EU-level cooperation by setting up a Cooperation Group for strategic cooperation among the EU Member States, the European Commission (acting as the secretariat), and the EU Network and Information Security Agency (ENISA). There will also be a CSIRT network for operational cooperation between the national CSIRTs, CERT-EU, and ENISA (acting as the Secretariat).

Thirdly, the Directive aims to cover the main risks by working to protect the most critical networks in society, known as Operators of Essential Services (OESs). These include sectors such as energy, water, health, transport, banking, financial markets (e.g. trading venues, central counterparties), digital infrastructure (e.g. internet exchange points, domain name system service providers, top level domain name registries), and certain digital businesses that are considered to be of general importance when it comes to cyber security (so called ‘digital service providers’, or DSPs): online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online), cloud computing services and search engines. These operators will be required to report serious incidents to their pertinent national authorities.

The first European PPP on cybersecurity

In parallel, other initiatives are being brought forward to better equip Europe to address cyber threats and improve the competitiveness of its cybersecurity sector. A flagship initiative in this field, and the first of its kind in Europe, is the now up-and-running contractual Public-Private Partnership (cPPP) on cyber security. Under the EU’s research and innovation programme (“Horizon 2020”), the EU has pledged to invest 450 million Euro in this partnership between the European Commission and the European Cyber Security Organisation, which represents European cybersecurity market players. The cPPP includes 150 stakeholders from business, academia and research in Europe, forming an ecosystem in cyber security. The PPP will help European industry tackle cyber threats, strengthen cooperation across the EU, and trigger up to €1.8bn of investment by 2020.

Need for additional, complementary measures

The European Commission is also working to strengthen industrial capabilities in Europe by addressing the current cybersecurity market fragmentation. To this end, a possible European certification framework for ICT security products is another measure currently under consideration, while there is recognition of the need to support innovative cybersecurity SMEs in scaling up their operations by facilitating their financing, potentially through the EU investment plan. Evidently, the rapidly evolving cybersecurity landscape calls for a comprehensive set of measures that address the multi-sectoral nature of the cybersecurity challenges at hand.

This article first appeared in the second issue of the Global Cyber Expertise Magazine – November 2016.