Changing EU cybersecurity: The Commission’s cybersecurity package and the Council’s response

Across Europe, citizens and businesses rely heavily on digital technologies and services. However, the continuous growth of such technologies comes with an increase in cyber incidents and attacks, attempts to steal data, commit fraud or even destabilise governments.

Recent reports from the biggest IT companies have warned of an unprecedented wave of malicious online activity. In 2016 alone, more than four thousand ransomware attacks per day were observed, and the number of attempts by hackers to probe Internet of Things connections rose by 458%. Taking into consideration that 89% of all cyber-attacks involve financial or espionage motivations, it becomes obvious that cyber-crime can destabilise Member States, their industries and their citizens.

The European Commission therefore decided to upgrade the EU’s cyber protection scheme, presenting its Cybersecurity Package on 19 September 2017.

The package is composed of several non-legislative measures and a legislative proposal for a Regulation on the Network and Information Security Agency (ENISA) and on Information and Communication Technology (ICT) cybersecurity certification (the Cybersecurity Act). According to the Commission, it aims to: strengthen the EU cybersecurity body, create the first pan-European cybersecurity certification framework, activate a Blueprint scheme for responding to large-scale cybersecurity incidents, and establish a European Cybersecurity Research and Competence Centre.

The package also complements the framework for a Joint EU Diplomatic Response to Malicious Cyber Activities and supports measures to boost international cooperation on cybersecurity.

Led by the Estonian Presidency, the Council of the EU has reacted promptly to the Commission’s move and adopted its Conclusions on 20 November 2017. The following briefing examines the Commission’s solutions, included in the proposal for the Cybersecurity Act, and links them with the Council’s recent views and additional recommendations, presented in the Conclusions.

Strengthening ENISA: what does it mean?

Taking into account that the current mandate of ENISA will expire in 2020, and considering developments in the cybersecurity landscape since its creation, the Commission believes it is necessary to modify the role of this EU cybersecurity body. For this reason, the Commission seeks to transform ENISA into a real EU Cybersecurity Agency, with a permanent mandate and competences enabling it to assist Member States in preventing and responding to cyber-attacks.

The Commission also believes that the support of a stronger ENISA would help Member States to better implement the Directive on the Security of Network and Information Systems (NIS). Through this Regulation, ENISA would be granted a permanent mandate and as a result would obtain a stable role in the institutional framework.

As a centre of cybersecurity expertise, it would assist Member States and EU institutions to implement any policies related to cybersecurity. It would also act as a supporter in capacity building and preparedness, and as a coordinator at the EU level.

A greater mandate for ENISA would come with more resources. In addition to its contribution from the EU budget and its assigned revenue in accordance with its financial rules, it would be granted extra EU funding on an ad hoc basis. It would also benefit from contributions from third countries participating in ENISA’s work or any additional contributions from Member States.

In terms of its structure, ENISA would be composed of a Management Board comprising one representative from each Member State and others from the European Commission, and an Executive Board that would manage and represent the agency.

ENISA would publish annually a single programming document outlining its key actions for that year as well as those planned for the years to come. After adoption by the Management Board, the document would be submitted directly to the Commission, the European Parliament and the Council. The Commission considers that this would allow ENISA far greater cooperation with competent authorities from third countries, for instance by establishing working arrangements with them.

Lastly, replacing ENISA’s mandate, which currently expires in 2020, with an indefinite one would oblige the Commission to evaluate its performance every five years.

Preventing Market Fragmentation: An EU Cybersecurity Certification Framework

In line with fostering EU cybersecurity, the Commission proposed in the Cybersecurity Act a “one size fits all” approach to cybersecurity certification for Information and Communication Technologies (ICT). According to the Commission, creating an ICT security certification framework goes hand in hand with strengthening security and trust in services and products within the Digital Single Market.

Today, there are several national security certification schemes for ICT products. The Commission considers that, if this fragmentation of certification regimes continues, it may jeopardise the smooth functioning of the Digital Single Market in the EU.

Therefore, the Commission believes that creating a voluntary European cybersecurity certification framework would introduce new descriptions of the security requirements met by services, products or systems. This would allow the criteria for complying with such requirements to be harmonised, as they would be recognised by all Member States.

The Commission also claims that the voluntary character of the scheme would create an incentive for market players, as they would want to attract consumers by proving that their services and products comply with the high EU level of cybersecurity. Undoubtedly, from the consumer’s side the creation of such a certification framework would increase the transparency of cybersecurity assurance for ICT products and services.

The Council’s response and suggestions to the Commission’s cybersecurity package

It was the Estonian Presidency that placed the further development of EU digital policy at the top of the political agenda. Accordingly, on 20 November 2017 the Member States adopted the Council’s Conclusions on the Joint Communication “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU”.

Even though the Conclusions respond to the most descriptive part of the cybersecurity package, the Joint Communication that explains the actions the Commission proposes in this area, they still send an important political message regarding the legislative proposal. They directly acknowledge the need for all Member States to make the necessary resources and investment available to address cybersecurity.

In a nutshell, the Council welcomed the key points of the proposal and invited Member States to take additional measures. Concerning ENISA, the Council agreed with the introduction of the permanent mandate, emphasising that it will increase support for, and the development of, collaboration between Member States and could boost the confidence of EU citizens in the new digital Europe.

The Conclusions invite the Member States to establish an effective collaboration network of educational points of contact (POCs) within the work of ENISA. This network would enable the exchange of best practices and improve coordination on cybersecurity education and awareness through training, capacity building and exercises. The Council also invited ENISA to work closely with EUROPOL and EUROJUST, in accordance with their respective mandates and competences.

The Council also backed the proposal of establishing a European Cybersecurity Certification Framework, which is considered a helpful mechanism to increase confidence in digital solutions and innovations.

It emphasised the need for the framework to correspond to the needs of the market and its users, building upon existing experience of certification capacities and processes, and respecting the respective expertise of European industry, governments and evaluation specialists. It further stressed the necessity for certifications to be proportionate to the level of assurance needed when using any ICT products, systems or services.

Overall, the Council highlighted the importance of establishing a pan-European approach to prevent and respond more efficiently to cybercrime. It also stressed the importance of international collaboration in the field.

Next Steps

Concerning further developments, the debate is expected to focus on the legislative proposal for the Cybersecurity Act.

From the Parliament’s side, the upcoming discussions would take place in the EP ITRE Committee, and the Rapporteur (Angelika Niebler, EPP, Germany) is expected to establish a timetable for the preparation of the draft Report on the file in the coming months.

This draft Report should be ready in 2018, and would then be amended and voted on at Committee level.

When it comes to the Council, the Horizontal Working Party on Cyber Issues and the Working Party on Telecommunications and Information Society are expected to continue their discussions in the coming months.

Once the European Parliament and the Council reach their positions on the proposal, they would carry out 'trilogue' negotiations, assisted by the Commission, with a view to reaching an agreement.

All developments concerning this file will be closely monitored and analysed by the EU Issue Tracker.

Relevant acts

  • Proposal for a Regulation of the European Parliament and of the Council of 13 September 2017 on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act”), COM(2017)477
  • Council Conclusions of 20 November 2017 on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, 14435/17