The EU’s new cybersecurity package: ambitious proposals, daring tasks and deeper cooperation

As it did in 2017, the European Commission gave EU member states an early Christmas present on 16 December 2020 by publishing a cybersecurity package. This time, the package consists of three documents: (1) the Cybersecurity Strategy for the Digital Decade, (2) a proposal for the Directive on measures for a high common level of cybersecurity across the Union, and (3) a proposal for the Directive on the resilience of critical entities.

Cybersecurity, a multi-level issue

The Cybersecurity Strategy for the Digital Decade aims to respond to the cyber-related challenges posed by increasing digitalisation, the dependence on modern technologies and various complex threats. According to the document, cyberspace ‘is increasingly exploited for political and ideological purposes’ and the EU ‘lacks collective situational awareness of cyber threats’ (pp.2-3). It thus describes the daunting task of improving the EU’s cybersecurity to safeguard fundamental rights and freedoms and to boost effective and systematic cooperation.

The Strategy acknowledges cybersecurity as a multi-level issue, proposing a holistic approach. The text is divided into three areas of action: (1) resilience, technological sovereignty and leadership; (2) building operational capacity to prevent, deter and respond; and (3) advancing a global and open cyberspace. All these areas contain concrete proposals for deploying instruments regarding regulatory, investment and policy initiatives. It also recognises the critical nature of the EU institutions, bodies and agencies that carry a greater risk of becoming targets of cyber-attacks.

New cooperation and security solutions

The Strategy seeks to harness cutting-edge technologies – quantum technologies, 5G or Artificial Intelligence (AI) – and many strategic plans are based on their deployment. For example, the EU plans to build a network of Security Operations Centres across its territory powered by AI to constitute a European ‘cybersecurity shield’. These centres would detect signs of cyberattacks and warn the authorities to avoid possible damage and casualties. This network’s cooperation should also be beneficial to the Joint Cyber Unit, which is supposed to strengthen cooperation amongst the EU bodies and member states’ authorities. Under the Strategy, this unit is not meant to be a standalone body but a virtual and physical platform fulfilling three objectives across cybersecurity communities (civilian, diplomatic, law enforcement and defence): ensuring preparedness, providing continuous shared situational awareness and reinforcing coordinated response and recovery.

The EU plans to deploy an ultra-secure quantum communication infrastructure for Europe for the transmission of confidential information. It stresses the role of the EU 5G Toolbox, a comprehensive and objective risk-based approach concerning mitigating measures for cybersecurity risks of 5G and future generations of networks. Member states are once more encouraged to implement this Toolbox and, in its Appendix, the Strategy identifies complex next steps for the EU, member states and stakeholders to follow.

Regarding preventing, discouraging, deterring and responding to malicious cyber activities, the Strategy also mentions the possible revision and strengthening of the EU cyber diplomacy toolbox, which encompasses the EU’s possibilities for a joint diplomatic response.

Furthermore, the importance of the functionality and integrity of the internet is also addressed. The Strategy introduces an intent to develop a contingency plan ‘for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system’ (p.10). To increase the EU’s ability to respond to cyberattacks and other technical incidents and reduce security concerns over market concentration, the development of the ‘DNS4EU’ initiative, a public European DNS resolver service, is discussed.

The EU also intends to strengthen cybersecurity in order to develop technological and industrial capacities and reduce dependence across the digital supply chain, through an unprecedented level of investment in cybersecurity research and innovation, including the promising role of the European Cybersecurity Competence Centre, co-governed with the member states. Given the increased use and importance of devices connected to the internet, the Strategy also includes an initiative to comprehensively improve the cybersecurity of all connected products placed on the internal market (referred to as the Internet of Secure Things) by creating new horizontal rules.

Cyber defence and promotion of EU’s perspective

The Strategy also tackles cyber defence. A review of the Cyber Defence Policy Framework (CDPF) should be undertaken to deepen the coordination and cooperation between EU actors to ensure that ‘cybersecurity and cyber defence are further integrated into the wider security and defence agenda’ (p.18). The importance of member states developing cyber defence capabilities and conducting cyber defence research, innovation and capability development is mentioned. Member states are also encouraged to use the European Defence Fund to provide financial support for cyber defence solutions.

In its external activities, the EU aims to engage more in international standardisation processes. The forthcoming standards will complement ‘traditional regulatory efforts in areas such as AI, cloud, quantum computing and quantum communication’ (p.20) and the EU aims to ensure that these new standards correspond with the Union’s values. The Strategy also highlights the importance of voluntary, non-binding norms, rules and principles of responsible state behaviour. Hence, member states should ‘develop an EU position on the application of international law in cyberspace’ (p.20). The EU should also strengthen and expand its cyber dialogues with third countries, especially the Western Balkans, and form an informal EU Cyber Diplomacy Network. EU-NATO cooperation should continue, especially in the area of cyber defence interoperability requirements.

Addressing deficiencies of the NIS Directive

In 2016, the Network and Information Security (NIS) Directive introduced the first common minimum cybersecurity requirements and obligations across the EU. However, according to the European Parliamentary Research Service, its implementation resulted more in fragmentation than in the desired unification. With the digital transformation, emerging cyber challenges and the effects of the Covid-19 pandemic compounding the problem, the NIS was found to have deficiencies that need to be tackled.

Hence, the Commission published a proposal for a revised directive – the Directive on measures for a high common level of cybersecurity across the Union (abbreviated as “NIS 2”). It aims to address the deficiencies of the NIS and set up broader cybersecurity requirements and obligations to achieve a much-needed adequate level of cybersecurity across the whole EU and its crucial sectors. The NIS 2 proposal significantly extends the scope of the regulated entities to all medium and large entities within the selected sectors. In addition, member states can identify selected service providers or providers of critical nature regardless of their size (Article 2).

As so-called essential or important entities, all of these would have to follow more precise incident reporting obligations and a minimum prescribed set of security requirements, including risk analysis, the application of information security policies and procedures, and supply chain security requirements. This newly proposed categorisation, based on the relative importance of these entities, is related to their different supervisory regimes.

In Article 31, NIS 2 harmonises the conditions for imposing administrative fines when the obligations are breached; these fines can be up to €10 million or 2 per cent of the total worldwide annual turnover, whichever is higher. As regards incident reporting, Article 20 obliges essential and important entities to notify the relevant national authorities about any significant incident within 24 hours and to submit a final report regarding the incident’s description, impact and applied mitigation measures no later than one month after the notification.

Deeper and more effective cooperation

NIS 2 also brings new tasks for the European Union Agency for Cybersecurity (ENISA), which should be required to develop and maintain a European vulnerability registry (Article 6). Such a registry of known vulnerabilities of ICT products or services should be accessible to all interested parties to enable effective incident handling. In addition, ENISA should be tasked to create and maintain the registry for essential and important entities (Article 25) and participate in the coordinated risk assessments of critical supply chains (Article 19).

The Cooperation Group set up by the current NIS Directive is to be advanced by Article 12 to enhance the information sharing and cooperation between member states. The mutual coordination is meant to be strengthened by the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), proposed in Article 14. EU-CyCLONe’s objective is to support coordinated management during large-scale cybersecurity incidents and crises.

Towards a more resilient EU

The last part of the announced cybersecurity package is the proposal for a Directive on the Resilience of Critical Entities (CER) focusing on resilience against physical risks. It expands the scope and depth of the European Critical Infrastructure Directive (2008), which covers only the energy and transport sectors. The CER proposal aims to cover the same ten key infrastructure sectors as the essential entities under the NIS 2: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space.

A ‘critical entity’, according to Article 2, is a public or private entity identified by the member state in accordance with Article 5. The criteria for identification include providing an essential service or allowing such an essential service to be provided by others. Member states will be obliged to identify and list these entities, adopt national strategies for reinforcing their resilience (Article 3) and carry out regular risk assessments taking into account ‘all-hazards risks’, natural and man-made (Article 4). The risk assessment obligation also applies to the critical entities themselves (Article 10). They will be tasked to adopt the appropriate and proportionate technical and organisational measures set by Article 11 to ensure resilience.

The linkage with the proposed NIS 2 Directive is that such critical entities would be subject to respective cyber resilience obligations under NIS 2. Therefore, the competent authorities under both proposals should cooperate effectively.

Next steps

In February, the Strategy was mentioned in the conclusions of the European Council, which requested a report on its implementation by June 2021. The Strategy’s conclusions have also been adopted by the Council of the EU in March, along with encouragement to the Commission to establish a detailed implementation plan.

The Strategy includes several other regulatory initiatives, suggesting that the Commission’s regulatory tendencies in cybersecurity are growing. Based on the level of involvement of both the EU and its member states in several other proposed ambitious initiatives, it will soon be clearer whether, when and to what extent the expectations and desired aims for cybersecurity within the EU will be achieved.

The two directives’ proposals have to go through the ordinary legislative procedure to be agreed by the European Parliament and the Council. Once adopted, member states will have 18 months to transpose them before they enter into force.

Author: Michaela Prucková, Masaryk University

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.