New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient

On December 16, 2020, the European Commission published the EU’s Cybersecurity Strategy for the Digital Decade.

The 29-page document outlines the European Union’s vision on cybersecurity for the coming decade and will be of paramount importance in guiding and shaping the digital transition within the Union and, ideally, beyond it.


Why is Cybersecurity important?

Nowadays, industries, economies, public services and private lives rely heavily on interconnected digital technologies. The number of connected devices in use is rapidly approaching 25 billion and, during the COVID-19 pandemic, telework has become the rule for millions of employees.
At the same time, almost one European in two experiences cybersecurity issues, in particular phishing emails or calls, and the estimated annual global cost of cybercrime has reached €5.5 trillion (European Commission and High Representative of the Union for Foreign Affairs and Security Policy, 2020).

In this scenario, the security of software and of digital connections is a key enabler of both personal safety and economic growth.

To address these concerns, the EU has set out a Strategy based on three main pillars:

1. Resilience, Technological Sovereignty and Leadership;

2. Operational Capacity to Prevent, Deter and Respond;

3. Advancing a Global and Open Cyberspace.

These focus, respectively, on promoting and improving:

1. The resilience of digital infrastructures across the Union against cyber threats and attacks;

2. Cooperation among Member States, to prevent and counter cyber threats and attacks;

3. Cooperation at an international level towards a global and open cyberspace.


1. Resilience, Technological Sovereignty and Leadership

The first pillar addresses cybersecurity from both a technical and an operational point of view. It identifies where the security of digital infrastructures throughout the Union needs to improve, and outlines the actions to be taken.

Cybersecurity by design

To ensure that IT systems are resilient to cyber-attacks and cyber-threats, they must be designed and implemented through a process in which security is a central requirement from the outset, not a feature bolted on after deployment.

To this end, the Commission has proposed a revised Directive on the security of Network and Information Systems (the NIS 2 proposal), which would lay down more specific cybersecurity obligations for essential sectors such as healthcare, finance, transport and energy.

Threat Monitoring and Fast Response

Security threats must be monitored continuously, and their detection must trigger quick and effective responses.

To this end, the EU proposes to strengthen the Security Operations Centres (SOCs) established across the Union, by:

· Enhancing their monitoring capabilities through artificial intelligence, in particular machine learning;

· Connecting the different SOCs in a European Network that would serve as an EU Cyber Shield, providing timely warnings on cybersecurity threats and activities.

Communications and IoT (Internet of Things)

Privacy, confidentiality and state secrets are not the only interests jeopardised by attacks on communication systems. The advent of 5G and the relentless growth in the number of IoT devices create new opportunities for cybercriminals and, consequently, new threats, some of which put physical safety at stake. Think, for example, of the compromise of self-driving vehicles, smart homes and even smart prostheses.

Ensuring the security of communication systems, including mobile networks, is therefore essential, and the EU aims to do so by:

  • Developing secure, space-based communication systems;
  • Promoting a risk-based approach to 5G cybersecurity, already laid down in the 5G toolbox, adopted in January 2020;
  • Creating a public European DNS (Domain Name System) resolver service (DNS4EU);
  • Working towards the adoption of security and certification schemes for IoT devices, together with new horizontal rules to improve the cybersecurity of all connected products and associated services. Interestingly, this initiative might entail a new duty of care specific to manufacturers of connected devices, requiring them “to address software vulnerabilities including the continuation of software and security updates as well as ensuring, at the end of life, deletion of personal and other sensitive data” (European Commission and High Representative of the Union for Foreign Affairs and Security Policy, 2020). In practice, such a duty would cover the whole product lifecycle: shipping fixes for vulnerabilities discovered after sale, maintaining an update channel for as long as the device is supported, and guaranteeing that sensitive data can be wiped when the device is decommissioned.
    As software and IoT devices are increasingly used in the healthcare industry, the prospect of new cybersecurity rules and of a new duty of care will probably increase the responsibilities borne by manufacturers of medical devices.

Research & Development

As technology develops at a rapid pace, cybersecurity solutions must keep up with the latest innovations. The EU Strategy envisions several initiatives to support cybersecurity research. Among these is the creation of the Cybersecurity Industrial, Technology and Research Competence Centre and Network of Coordination Centres (CCCN). The new body will pool expertise from industry and academia in order to develop the EU’s technological sovereignty in the domain of cybersecurity.


2. Operational Capacity to Prevent, Deter and Respond

The second pillar of the EU Strategy focuses on cooperation, at different levels and between several actors, within the Union.

The first initiative proposed by the Commission is the creation of the Joint Cyber Unit, a platform intended to foster cooperation among the different EU cybersecurity communities. The Unit will coordinate operations against major cross-border cyber-threats and cyber-attacks, and will serve three main purposes:

· Ensuring preparedness across cybersecurity communities;

· Providing continuous shared situational awareness;

· Reinforcing coordinated response and recovery.

Notably, the EU’s Strategy acknowledges the importance of enhancing cooperation among Member States against cybercrime, so that offenders can be identified and prosecuted.

Because they take place in cyberspace, cybercrimes are not tied to a territory and often fall within the competence of several jurisdictions. Victim and perpetrator might reside in different Member States, while the electronic evidence required by law enforcement could be stored on a server located in a third State.

The Commission therefore aims to promote cooperation among the law enforcement authorities of different Member States, in order to facilitate the coordination of cross-border investigations, access to electronic evidence and the prosecution of offenders.

Finally, diplomatic channels are regarded as an important instrument for both preventing and responding to cyberattacks. For this reason, the Commission envisages the establishment of a Member States’ EU cyber intelligence working group, which will help to increase situational awareness on cyber-threats and to develop fast diplomatic responses.


3. Advancing a Global and Open Cyberspace

As cyberspace knows no boundaries, neither physical nor jurisdictional, governing it effectively requires the joint effort of the international community rather than solitary and independent initiatives.

The last pillar of the EU Strategy is built precisely on this premise, and it calls for international cooperation towards an open, stable and secure cyberspace based on respect for democratic values and Europe’s core principles.

According to the EU’s vision, the promotion of safety and security must not result in the infringement or curtailment of fundamental rights and freedoms, such as the right to privacy and freedom of expression. Cyberspace should be free from any form of mass surveillance, censorship or repression.

For these reasons, the EU aims at:

  • Assuming a leadership position in international standardisation processes, so as to support more effectively the adoption of standards in line with the values of the Union;
  • Promoting respect for international law and for non-binding norms of responsible State behaviour;
  • Supporting third countries that wish to accede to the Budapest Convention on Cybercrime;
  • Promoting a form of Internet governance based on the cooperation of multiple stakeholders, such as private companies, public entities and academia (polycentric governance).

Conclusions

In the early 2000s, a TV advertisement proclaimed “Power is nothing without control” (Pirelli, 2019). Likewise, one might say, digital innovation is nothing without cybersecurity. The actions proposed by the EU Cybersecurity Strategy promise to shape and sustain the digital transition. However, this is only the first step of a long journey. The months and years ahead will reveal how the EU’s commitments translate into practice.


Tommaso POLES

Regulatory Department

18.02.2021


References: