Christmas comes early: EU unwraps cybersecurity package and boosts ENISA

The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy issued a Joint Communication to the European Parliament and the Council [JOIN(2017) 450 final] on 13 September 2017, bearing the title Resilience, Deterrence and Defence: Building strong cybersecurity for the EU.

The Joint Communication was released on the day of the ‘State of the European Union’ speech by the President of the European Commission, Jean-Claude Juncker. It is part of a larger ‘EU cybersecurity package’, consisting of:

The Joint Communication resembles a cybersecurity strategy, but the EU decided to keep its current strategy from 2013 in place and the Joint Communication serves as its indirect update. The Joint Communication provides both strategic views and practical measures to be taken to improve cybersecurity in the EU; the measures are listed under the subheadings of resilience, deterrence, and defence. However, we use ‘cooperation’ rather than defence as the last subheading, following the logic of Commissioner King’s speech.

Resilience

According to the Joint Communication, to achieve strong cyber resilience the existing EU and national structures have to be promoted and extended in terms of effectiveness and response. The mandate of the European Union Agency for Network and Information Security (ENISA) is to be made permanent, and its tasks, personnel and funding expanded. This expansion strengthens the role of ENISA as an advisory agency on policy development and implementation, helping to set up Information Sharing and Analysis Centres in critical sectors. ENISA will also organise and conduct an annual Europe-wide cybersecurity exercise, and will contribute to EU-wide situational awareness by cooperating with national CSIRTs, CERT-EU, Europol and the EU Intelligence and Situation Centre (INTCEN). ENISA will also play a major role in EU-wide cybersecurity certification.

The proposal to set up an EU cybersecurity certification framework was also put forward by the European Commission. This is meant to be a voluntary framework to ensure security in critical or high-risk applications, widely deployed digital products and Internet of Things devices. The Commission will work to analyse the implications of liability raised by new digital technologies. Also, the effect of foreign acquisition on critical technologies is becoming a key aspect in the framework of screening foreign investments.

The requirements of the NIS Directive come into full effect on 10 May 2018. The Commission plans to provide guidelines in autumn 2017 to support a more harmonised implementation, notably in relation to operators of essential services. It has already issued a Communication as part of the cybersecurity package to provide guidance and best practice for the implementation.

According to the Joint Communication, ‘cyber aspects should be mainstreamed into existing EU crisis management mechanisms’, which encompass ‘the EU integrated political crisis response, coordinated by the Presidency of the Council’ and the ‘EU’s general rapid alert systems’. The EU solidarity clause can be invoked in case of a ‘particularly serious cyber incident’. The Commission presented a corresponding Blueprint as part of the cybersecurity package.

Beside this, a network of cybersecurity competence centres is to be set up, with a European Cybersecurity Research and Competence Centre to be established in 2018 at its heart. The Centre’s initial focus would be on ‘[p]ooling and shaping research efforts’, handling multinational projects and giving impetus to the competitiveness of EU industry regarding next-generation digital technologies. The Centre should make use of EU plans to scale up High Performance Computing infrastructure.

In a second phase, the Centre could be developed with a defence dimension in full respect of the treaty provisions related to the common security and defence policy. The Centre would have to work to complement ENISA with respect to cyber resilience, and the European Defence Agency (EDA) with respect to cyber defence. Common cybersecurity projects could be financed from the European Defence Fund. There is a risk of duplicating structures, but there is also an opportunity to cover the wider field of cybersecurity, as opposed to cyber defence alone, in a more comprehensive way.

A strong EU cyber skills base should be developed with the help of the above-mentioned organisations, and cyber hygiene and awareness will be promoted by measures such as setting up a one-stop-shop website and launching awareness campaigns.

Deterrence

The EU perceives the fight against cybercrime as an integral part of cybersecurity efforts. The word ‘deterrence’ is applied here in a broader sense than usual, applying not only to adversary states and non-state proxies, but also to criminality in general.

The capacity to identify malicious actors is viewed as a high priority. Europol’s cybercrime unit will be reinforced with cyber experts, and the increased uptake of IPv6 should enable easier identification of cybercrime perpetrators.

Facilitating cross-border access to electronic evidence will step up the law enforcement response, as announced under the European Agenda on Security, and the plan to draft a 2nd Additional Protocol to the Convention on Cybercrime is also mentioned. Forensic capacity at Europol will be developed, adapting the resources at the European Cybercrime Centre. Europol will focus on ‘darknet’ investigations. The Commission will present its reflections on the role of encryption in criminal investigations in October 2017, and a proposed Directive on combating fraud and counterfeiting of non-cash means of payment [COM/2017/0489 final] should help to fight cybercrime in the financial sector.

Member States should improve their cybercrime investigative capabilities and train judges and prosecutors accordingly, with the Commission supporting them through the Internal Security Fund-Police Programme. The European Union Agency for Law Enforcement Training (CEPOL) should be of help.

Moving towards activities with significant effect on international relations, the framework for a joint EU diplomatic response to malicious cyber activities, known as the cyber diplomacy toolbox, is mentioned.

In this context, those Member States with more advanced cybersecurity capabilities should consider sharing them with support from the High Representative, the Commission and the EDA in the Permanent Structured Cooperation (PESCO). Hybrid threats are to be covered by the EU Hybrid Fusion Cell and the recently established European Centre for Countering Hybrid Threats in Helsinki. A cyber defence training and education platform will be put in place by 2018 by the Commission services, working in close cooperation with the EEAS, Member States and other relevant EU bodies.

Cooperation

The EU ‘strongly promotes’ the applicability of international law to cyberspace, and supports the norm-development efforts of the UN GGE and the OSCE. In this context, the EU Human Rights Guidelines on Freedom of Expression Online and Offline from 2014 were mentioned. There is also a Commission proposal to modernise EU export controls, which would introduce controls on the export of cyber-surveillance technologies.

The EU would like to support capacity building both among its Member States and third countries. For this purpose, it is planning to set up a dedicated EU Cyber Capacity Building Network, which would bring together the EEAS, Member States’ cyber authorities, EU agencies, Commission services, academia and civil society. Guidelines are to be developed to provide political guidance and prioritisation of EU efforts in assisting third countries.

The cooperation between EU and NATO will be fostered through cyber defence exercises involving the EEAS and other EU and NATO bodies. This includes the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, which, strictly speaking, is not a NATO body. The NCIRC cooperation with CERT-EU is briefly mentioned, as is the EU Hybrid Fusion Cell and the NATO Hybrid Analysis Branch cooperation.

Way ahead

The Joint Communication is now on the table of the General Affairs Council, which should obtain the approval of EU Member States and adopt it on 20 November 2017 as Council Conclusions. The ‘Cybersecurity Act’, which will take the form of a Regulation of the European Parliament and of the Council, will go through the ordinary legislative procedure.

For a critical analysis of the strengths and weaknesses of the EU cybersecurity package, see https://ccdcoe.org/news/2017/eu-cybersecurity-package-new-potential-for-eu-to-cooperate-with-nato

The EU issued several more documents related to cybersecurity on 13 September 2017. It is not clear which of them are part of the ‘cybersecurity package’, since there is no official list. They are listed below for reference:

  • Report assessing the extent to which the Member States have taken the necessary measures in order to comply with Directive 2013/40/EU on attacks against information systems [COM (2017) 474 final];
  • Proposal for a Directive on combating fraud and counterfeiting of non-cash means of payment [COM (2017) 489 final];
  • Commission Staff Working Document: Assessment of the EU 2013 Cybersecurity Strategy http://ec.europa.eu/transparency/regdoc/rep/other/SWD-2017-295-F1-EN-0-0.PDF;
  • Proposal for a Regulation on a framework for the free flow of non-personal data [COM (2017) 495 final];
  • Proposal for a Regulation establishing a framework for screening foreign direct investments into the EU [COM (2017) 487 final]; and
  • Commission Implementing Regulation to the NIS Directive http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1506945973231&uri=PI_COM:Ares(2017)4460501.

Authors: Torsten Corall and Tomáš Minárik, NATO CCDCOE Law Branch researchers

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.