European Commission to Adopt a New Cyber Security Directive

In December 2012, the European Commission (EC) published seven new priorities for 2013-2014 as part of its Digital Agenda, which aims to promote the European Union (EU) digital society and economy. As one of the proposals, the EC intends to deliver a new cyber security Directive.

‘Digital Agenda for Europe’ is the European Union’s (EU) initiative from 2010 that was originally adopted as an integral part of the Europe 2020 strategy, with the goal of stimulating the digital economy and focusing on challenges related to the increasing use of information and communication technologies (ICT). In December 2012, the EC adopted a Communication ‘The Digital Agenda for Europe – Driving European growth digitally’ (COM(2012) 784) that reviewed the success of the Digital Agenda and concluded that, since the EU is not positioning itself well enough to benefit from digital developments, it may be losing out in global competitiveness, as well as risking its economic growth and societal development.[1] The Communication puts forward seven key transformative actions as the Digital Agenda’s refocused goals.

From the perspective of cyber security, the most significant new priority is the proposal for an EU Strategy and Directive on network and information security. The Communication suggests establishing a common minimum level of preparedness within the EU Member States and setting up a cooperation mechanism for the prevention and countering of the wide range of cross-border cyber incidents. From the EU side, the EC sees the establishment of the European Cybercrime Centre (EC3) at Europol and the adoption of the Directive on attacks against information systems[2] as the means to reinforce the capacity of the EU to tackle cybercrime. Such initiatives will also form part of the proposed European Cyber Security Strategy that will focus on the resilience and reliability of network and ICT systems, the fight against cybercrime, and creating a more coherent external cyber security policy. Additionally, risk management and incident reporting requirements for public administrations should be adopted, as this would, in the long run, help to stimulate a larger European market for security and privacy-by-design products.[3]

The other priorities adopted by the EC aim to achieve the following objectives: 1) creating a new and stable broadband regulatory environment; 2) supporting new public digital service infrastructures (e.g., eIDs, eSignatures) through the Connecting Europe Facility; 3) launching a Grand Coalition on Digital Skills and Jobs (e.g., investing in developing an ICT-skilled workforce); 4) updating the EU’s Copyright Framework; 5) accelerating cloud computing through public sector buying power (e.g., launching pilot actions in the European Cloud Partnership); and 6) launching a new electronics industrial strategy (including for micro- and nano-electronics).[4]

Such priorities mark the EU’s growing ambition in adopting not only technical but also legal and policy standards in the domain of network and information security. Since security is an area that, to a great extent, belongs within the mandate of national governments, such attempts to regulate this delicate topic will no doubt be thoroughly debated and scrutinised. The EC has underlined the fact that responsibilities related to cyber security will remain with national governments.

Together with the recent publication of the Commission’s strategy for unleashing the potential of cloud computing in Europe, the refocused goals of the Digital Agenda are a step towards the EU’s common cyber security strategy. However, the level of ICT development and cyber security can vary significantly across different Member States, and thus the standards proposed by the new Cyber Security Directive may be challenging for some of the States to follow. At the same time, the Directive would certainly push for a more effective EU-wide network of Computer Emergency Response Teams (CERTs) and government offices, which is vital in responding to large-scale cyber incidents.

  1. European Commission, COM(2012) 784, December 18, 2012. http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc…
  2. European Commission, “Digital Agenda for Europe, Action 29: Combat cyber-attacks against information systems,” https://ec.europa.eu/digital-agenda/en/pillar-iii-trust-security/action-…
  3. Ibid.
  4. European Commission, “Digital ‘to-do’ list: new digital priorities for 2013-2014”, press release, December 18, 2012. http://europa.eu/rapid/press-release_IP-12-1389_en.htm