EU releases cybersecurity strategy

Cybersecurity Law Alert


Understanding the increasing threat of cybercrime and its potential impact on the economy, the EU Commission has published its proposal for a European cybersecurity strategy, together with a draft directive for consideration by the EU Parliament. 

These documents, which are at a much earlier phase of policy development than the Obama Administration’s Cybersecurity Executive Order, were released on February 7, five days before that Executive Order. 

The strategy outlines the Commission's vision, clarifies roles and responsibilities between agencies and sets out the required actions to make the EU the safest online environment in the world.  The strategy also sets out the principles that should guide cybersecurity policy in the EU and internationally, including the protection of fundamental rights of expression and privacy, access for all, democratic multi-stakeholder governance and a shared responsibility for security.

The strategy sets out to achieve this through five strategic priorities to address the challenges.  These are:

  • To achieve cyber resilience by establishing, strengthening and modernising the resources available to prevent, detect and handle incidents.  This will include agencies such as ENISA, the European Computer Emergency Response Team (CERT-EU), national Network and Information Security (NIS) competent authorities and improve the preparedness and engagement of the private sector.  The proposed legislation will ensure that players in key areas, such as energy, transport, banking and ISPs, assess the risk and ensure networks and information systems are reliable and resilient to attack.  There will also be a general requirement to raise awareness regarding the risks, including through the conduct of coordinated publicity campaigns with the US commencing in 2014.
  • Reducing cybercrime through establishing strong and effective legislation and an enhanced capability to combat cybercrime.  Critical to these efforts will be the coordination and collaboration of efforts among the recently established European Cybercrime Centre (EC3) within Europol and national and regional law enforcement and judicial authorities.
  • Developing cyberdefence policy and capabilities within the framework of the Common Security and Defence Policy (CSDP).  Capability development will concentrate on detection, response and recovery form sophisticated attacked to increase the resilience of the ICT systems supporting the defence and national security interests of the member states.
  • Developing industrial and technological resources for cybersecurity by encouraging a domestic EU-wide market for highly secure products and providing incentives for the private sector to adopt secure systems.  This will be achieved in part by fostering more investment in R&D and innovation.
  • Establishing a coherent international cyberspace policy for the EU and to promote its core value, including active participation in international efforts to build cybersecurity capacity and a renewed emphasis on working together with countries that have a like-minded approach and who share the same values.  In this respect, cooperation with the US will be particularly important, notably in the context of the EU-US Working Group on Cyber-Security and Cyber-Crime.

The proposed legislation is a key element of the strategy with the aim that it will improve protection for consumers, business and governments against NIS incidents.  It would be used to ensure adequate preparation is achieved at a national level which would contribute to a climate of mutual trust and provide co-ordinated responses to cross-border events. 

The legislation would also be used to create a strong incentive to manage security risks effectively, by placing an obligation on public bodies and businesses to take "appropriate technical and organisational measures to manage the risks posed" to the security of NIS they control and use.  They would also be obliged to notify the national nominated authority of any event having a "significant impact" on the security of the core services that they provide.  These obligations would be supported by the power of the national nominated authority to investigate non-compliance and to impose sanctions that are required to be "effective, proportionate and dissuasive".

In addition, the proposed legislation indicates that the national authorities have the power to make public information disclosed about security incidents and also to share the information with ENISA and the national authorities of other members states. 

It is important for US readers to understand that not only is the European Union strategy still in formation, but also that EU directives do not take effect upon passage and must be transposed into member states’ laws through national legislation.

For further information please contact [email protected] or Stewart James at [email protected].


What companies need to know about the Obama Administration’s Cybersecurity Order


UK: The real risk of cyber attack