The European Commission Set Out a European Agenda on Security for the Period 2015-2020 – Fighting Cybercrime among Top Priorities

On 28th April 2015 the European Commission issued the new European Agenda on Security which calls for enhanced cooperation and joint action in the fight against three major threats: cybercrime, terrorism and organised crime.

The Agenda is a strategy paper suggesting concrete tools and measures to be implemented in countering the prioritised and interlinked areas which show in particular a strong cross-border dimension. Many measures highlighted in the Agenda build on already existing pillars of EU actions but certainly form an attempt to reinforce, review and complement them.

Background and general aspects of the Agenda

The European Agenda on Security replaces the previous Internal Security Strategy 2010-2014 which was adopted in 2010. It is a communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee, and the Committee of the Regions. Compared to the previous strategy, the Agenda aims for better information exchange, increased operational cooperation and mutual trust in the fight against terrorism, organised crime and cybercrime as the most pressing threats. Even though the word ‘internal’ has disappeared from the title of the new document, the overall result of this Agenda is intended to remain the same – an EU area of internal security by ensuring that the internal and external dimensions of security work in tandem.1

Concrete legislative proposals which were not mentioned in more detail will follow later and will have to be approved by member states and by the EU parliament. Reactions from the European Parliament were not overwhelming, stating inter alia that the Agenda falls too far short of addressing the issues at stake (such as fighting discrimination), and is counter-productive in ensuring that EU citizens are safe.2

With regard to the already existing EU actions, the Agenda stresses a number of different measures related to cyber security. To begin with, the Agenda addresses data protection.3  A higher degree of effective cooperation between the law enforcement and judicial authorities is sought by common data protection rules. By the end of 2015, agreement will be reached on the Data Protection reform and on the proposal for a Data Protection Directive for police and criminal justice authorities. In addition, ‘The Data Protection Umbrella Agreement’ between the EU and the USA is currently being negotiated, representing an international framework agreement to ensure a high-level protection of personal USA-EU cross-border data which serve among others the investigation and prosecution of criminal offences. Furthermore, the Agenda indicates that the Commission is eager to tie up its effort on legally sound and sustainable solutions for EU Passenger Name Record (PNR) data exchange after the European Parliament declared that ‘in the case of processing of personal data for intelligence purposes, under US law, non-US citizens do not enjoy any judicial or administrative avenue to protect their rights, [which] nullifies the protections for EU citizens laid down in the existing PNR agreement [with the USA]’.4

The Agenda declares further that monitoring national legislative developments in the field of communications data is to be continued, after the ECJ judgement of 2014 declared the Data Retention Directive to be invalid.5

Almost casually, the Agenda mentions its mandate of European standardization organisations to produce a ‘privacy by design’ standard to promote the inserting of not only high security standards but also the embedding of fundamental rights in the technological design process. By complying with this standard the EU aims for more respect of individuals’ rights and enhancement of consumer confidence in EU security products and services.6

Key actions for fighting cybercrime

The Agenda foresees the following four action measures to fight cybercrime:

  1. Giving renewed emphasis to implementation of existing policies on cybersecurity, attacks against information systems, and combatting child sexual exploitation;
  2. Reviewing and possibly extending legislation on combatting fraud and counterfeiting of non-cash means of payments to take account of newer forms of crime and counterfeiting in financial instruments, with proposals in 2016;
  3. Reviewing obstacles to criminal investigations on cybercrime, notably on issues of competent jurisdiction and rules on access to evidence and information;
  4. Enhancing cyber capacity building action under external assistance instruments.

Concerning the first action measure, the Commission refers in particular to three Directives7 . First, the 2013 Directive on attacks against information systems is highlighted. According to its Article 5 the use of tools such as malicious software is being penalised. Secondly, the Agenda refers to the 2011 Directive on child sexual exploitation, tackling child sexual abuse online. Equally noteworthy is the call by the Commission for the quick adoption of the proposal for a Directive on network and information security, which would promote enhanced cooperation between law enforcement and cybersecurity authorities as well as provide for cyber-security capacity building. Ensuring the correct implementation of these Directives is therefore identified as one major goal. In addition, concerning the second key action, the Commission remarked that the 2001 framework decision combating fraud and counterfeiting of non-cash means of payments does not reflect today’s challenges of virtual currencies and mobile payment. Assessing the state of the art on the current legislation and the need for further measures as well as consulting stakeholders are additional tasks to be tackled.

With regard to the third measure, the Commission invites the competent judicial authorities to rethink the way they cooperate within their jurisdiction and applicable law in order to ensure prompt cross-border access to evidence and information, considering technological developments such as cloud computing and the ‘Internet of Things’. Main aspects are thus gathering internet-based evidence (e.g. owners of IP addresses) in real time from other jurisdictions and ensuring its admissibility in court. This new approach to law enforcement includes a better cooperation with the private sector in the form of public-private partnerships to structure a common effort in fighting online crime. According to the Commission, Europol’s European Cybercrime Centre is on its way to becoming the central information hub for law enforcement in this area. By contrast, according to the Agenda, Eurojust should continue with its work on exchanging of best practice and identifying the challenges regarding the collection and use of e-evidence in investigations and prosecutions of internet-facilitated crimes. It is one of the Commission’s aims to enable modern means of communication such as voice-over internet protocol to become part of judicial investigation, prosecution and mutual legal assistance.

Finally, the Commission stated that synergies with cyber capacity building actions funded under external assistance instruments should be enhanced. Without going into detail on this key action, it can be assumed that the Commission aims to expand its engagement with international partners and organisations, the private sector and society in general in order to promote global capacity-building, including in third countries, enabling better access to information and preventing cyber threats.8

Other actions relevant to cyber security

Two other actions regarding cyber security are mentioned within the Agenda’s first priority area that focuses on terrorism and foreign terrorist fighters.

First, the Commission emphasised a concrete proposal to enhance Europol’s role by creating a European Counter Terrorist Centre which will help the EU Agency to increase support for national law enforcement authorities. A soon-to-be established Internet Referral Unit (EU IRU)9 would be part of this Centre and its main role would be supporting member states in identifying and removing violent extremist content online, in cooperation with industry partners.10

The second highlight is the idea of the Commission to launch an enhanced dialogue with the IT industry. The Commission’s plan is to establish an EU-level Forum, starting to be active from 2015, enabling IT companies to connect with law enforcement authorities and civil society. The Forum will aim to discover best tools to counter online terrorist propaganda as well as to explore the concerns of law enforcement authorities on new encryption technologies.11

A way ahead

The Agenda proposes a number of action measures which take into account new and modern risk developments, aiming for a higher level of security within the EU. However, its successful implementation in the end depends on the commitment of all actors. EU institutions, member states and EU agencies will have to be able to react in a dynamic way in order to consider future crime developments and recognise security risks. A properly-regulated set of tools, including the adoption of already existing proposals, such as the NIS Directive, PNR Directive and the Data protection reform mentioned above, will promote the key target of the EU: an EU area of internal security. Ultimately, the Agenda deserves to be applauded in particular for its efforts to share data more effectively, to engage the IT industry more and to better cooperate against cross-border threats.

Lorena Trinberg

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

  1. European Security Agenda, p. 2. []
  2. See more for example: http://www.enar-eu.org/EU-Security-Agenda-falls-short-of;https://www.theparliamentmagazine.eu/articles/news/commission-security-p… http://www.diplomaticintelligence.eu/european-union-news/597-european-ag… accessed 05 May 2015. []
  3.  See more for example: http://www.enar-eu.org/EU-Security-Agenda-falls-short-of;https://www.theparliamentmagazine.eu/articles/news/commission-security-p… http://www.diplomaticintelligence.eu/european-union-news/597-european-ag… accessed 05 May 2015. []
  4. European Parliament, Electronic Mass Surveillance of EU Citizens, p. 22, http://www.europarl.europa.eu/document/activities/cont/201410/20141016AT…, accessed 11 May 2015. []
  5. European Security Agenda, p. 7; Judgment in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, See also INCYDER news of 18 July 2014 ‘Data Retention Directive Invalid’, or related topic in INCYDER news of 21 April 2015, ‘Mass Surveillance Endangers Human Rights and Does Not Prevent Terrorist Attacks, Says Council of Europe’ , accessed 05 May 2015. []
  6. European Security Agenda, p 11. []
  7. European Security Agenda, p. 19. []
  8. See also Cyber Security of the European Union: An Open, Safe and Secure Cyberspace, (JOIN2013) 1 final, p. 16, http://eeas.europa.eu/policies/eu-cyber-security/cybsec_comm_en.pdf, accessed 05 May 2015. []
  9. To be established in Europol by July 2015. []
  10.  European Security Agenda, p. 13. []
  11.  Ibid, p. 13 []