On 16 December, 2020 the EU Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented the new EU Cybersecurity Strategy, which aims to ensure a global and open Internet with strong safeguards where there are risks to security and the fundamental rights of people in Europe.
As a key component of Shaping Europe's Digital Future, the Recovery Plan for Europe and the EU Security Union Strategy, the Strategy will bolster Europe's collective resilience against cyber threats and will help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools.
Building upon the achievements of the past months and years, the new EU Cybersecurity Strategy contains concrete proposals for regulatory, investment and policy initiatives, in three areas of EU action:
1. Resilience, technological sovereignty and leadership: the Commission is making proposals to address both cyber and physical resilience of critical entities and networks: a Directive on measures for high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2'), and a new Directive on the resilience of critical entities, in order to increase the level of cyber resilience of critical public and private sectors: hospitals, energy grids, railways, but also data centres, public administrations, research labs and manufacturing of critical medical devices and medicines, as well as other critical infrastructure and services, must remain impermeable, in an increasingly fast-moving and complex threat environment. The Commission also proposes to launch a network of Security Operations Centres across the EU, powered by artificial intelligence (AI), which will constitute a real ‘cybersecurity shield' for the EU, able to detect signs of a cyberattack early enough and to enable proactive action, before damage occurs.
2. Building operational capacity to prevent, deter and respond: a new Joint Cyber Unit, to strengthen cooperation between EU bodies and Member State authorities responsible for preventing, deterring and responding to cyber-attacks, including civilian, law enforcement, diplomatic and cyber defence communities. The High Representative puts forward proposals to strengthen the EU Cyber Diplomacy Toolbox to prevent, discourage, deter and respond effectively against malicious cyber activities, notably those affecting our critical infrastructure, supply chains, democratic institutions and processes. The EU will also aim to further enhance cyber defence cooperation and develop state-of-the-art cyber defence capabilities, building on the work of the European Defence Agency and encouraging Member States to make full use of the Permanent Structured Cooperation and the European Defence Fund.
3. Advancing a global and open cyberspace through increased cooperation: The EU will further strengthen its EU Cyber Diplomacy Toolbox, and increase cyber capacity-building efforts to third countries by developing an EU External Cyber Capacity Building Agenda. Cyber dialogues with third countries, regional and international organisations as well as the multi-stakeholder community will be intensified. The EU will also form an EU Cyber Diplomacy Network around the world to promote its vision of cyberspace.
Moreover, the proposed Critical Entities Resilience (CER) Directive expands both the scope and depth of the 2008 European Critical Infrastructure directive. Ten sectors are now covered: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Under the proposed directive, Member States would adopt a national strategy for ensuring the resilience of critical entities and carry out regular risk assessments. The Commission, in turn, would provide complementary support to Member States and critical entities, for instance by developing a Union-level overview of cross-border and cross-sectoral risks, best practice, methodologies, cross-border training activities and exercises to test the resilience of critical entities.
Further details are available here.