European Union

The European Union (EU) is a unique politico-economic partnership between 28 European countries, which operates through several supranational independent institutions and intergovernmental negotiation mechanisms serving its Member States. The documents adopted by the EU that are most relevant for cyber security are either those expressing political consensus, but which are legally non-binding (such as communications), or different types of legally binding acts that place obligations on Member States or specific entities.

The EU has been working on network and information security and cybercrime for more than a decade, and in 2013 it published the first comprehensive document tackling the wide range of cyber threats – the Cybersecurity Strategy of the European Union. The strategy outlines the vision, roles, responsibilities and required actions for the EU in the domain of cyber security. Importantly, the document underlines that in the context of cyber security, centralised EU supervision is not the answer, and hence national governments should remain the principal entities organising the prevention of and response to cyber incidents at the national level. The EU addresses cyber security with three pillars – network and information security, law enforcement, and defence – and defines national and EU-level entities responsible for ensuring cyber security. Cyber security-related actions have also been incorporated into the EU’s Digital Agenda, which sees internet trust and security as vital to a vibrant digital society, and into the European Agenda on Security, which prioritises cybercrime (together with terrorism and organised crime) as one of the most relevant emerging threats (see INCYDER news). Also, the Council of the EU adopted the EU Cyber Defence Policy Framework as an additional document to support European institutions in their work related to cyber defence and to provide the EU Cybersecurity Strategy with an implementation tool (see INCYDER news).

In the area of network and information security, the principal EU players include the European Commission, the European Network and Information Security Agency (ENISA), CERT-EU, a network of competent authorities, and the European Public-Private Partnership for Resilience (EP3R). In 2013, the Commission proposed the adoption of a Directive on Network and Information Security, which aims at setting the standard for legal measures and giving incentives to make the EU’s online environment the most secure in the world. The EU’s policy also underlines the importance of international cooperation and collaboration with the private sector. In addition, the policy on Critical Information Infrastructure Protection (CIIP) (European Commission, “Policy on Critical Information Infrastructure Protection (CIIP)”, press release, 07.02.2013.…) aims to strengthen the security and resilience of vital ICT infrastructure by stimulating and supporting the development of a high level of preparedness, security and resilience capabilities, both at national and at EU level.

In the area of law enforcement, the principal EU players include the European Cybercrime Centre (EC3) at EUROPOL, CEPOL and Eurojust. In addition to the already existing instruments of crime-fighting, Directive 2013/40/EU on attacks against information systems, replacing Council Framework Decision 2005/222/JHA, was adopted; it aims to tackle large-scale cyber attacks by requiring Member States to strengthen national cybercrime laws and by introducing tougher criminal sanctions.

In the area of defence, the principal EU players include the European External Action Service (EEAS), the European Union Military Staff (EUMS) and the European Defence Agency (EDA). The EU Cyber Security Strategy also identifies the development of cyber defence policy and capabilities within the framework of the Common Security and Defence Policy (CSDP) as one of its objectives, and outlines a list of actions envisaged for the collaboration of the EDA and Member States.

Importantly, the EU Cyber Security Strategy states that ‘a particularly serious cyber incident or attack could constitute sufficient ground for a Member State to invoke the EU Solidarity Clause (Article 222 of the Treaty on the Functioning of the European Union)’.