
The Development of the EU Cyber Security Strategy and its Importance

Written by Jorida Vela

 

Over the last few years, many EU documents on cybersecurity have been published (Falessi, 2012, 2-6). The European Security Strategy included cyber threats as a new risk to European security (Klimburg, ed. 2011, 5-11). The EU is active in two cybersecurity areas. The first area consists of the necessary measures applied to combat cyberattacks, including cybercrimes. The second area consists of applying the necessary measures to support critical infrastructure protection and network security. The Common Foreign and Security Policy on cyber issues is underdeveloped, mainly due to the difficulties in approaching the subject. According to a European Parliament study, cyber issues are perceived to be a matter often left to member states (MS).

 

The EU Cyber Security Strategy (EUCSS) was adopted in February 2013 (Shooter, 2013, 1). The EUCSS is accompanied by a legislative proposal from the European Commission, consisting of a directive to strengthen the security of information systems in the EU. This directive has two aims. Firstly, it aims to ensure that MS and private undertakings have an adequate strategy for dealing with cybersecurity threats. Secondly, it aims to facilitate information sharing about cybersecurity threats between the public and private sectors and between MS. It is important to emphasise that the EUCSS does not foresee any legislation at this point. Nevertheless, it reflects the awareness that coordination across a range of policy areas in Europe is necessary to respond to the challenges of cybersecurity.

 

The importance of the EUCSS lies in the coordination of policy across three areas whose competencies and mandates used to be separated: law enforcement, the Digital Agenda, and defence, security, and foreign policy. The EUCSS has three aims: firstly, to strengthen the security and resilience of networks and information security systems; secondly, to prevent and fight cybercrime; and thirdly, to establish a more coherent cybersecurity policy across Europe. The EUCSS will require each MS to possess a well-functioning, national-level computer emergency response team (CERT) and a competent authority to speak on behalf of the country in discussions on the European level. This is easier de jure than de facto, as MS have varying types of responding authority, and not all are authorised to formulate a national-level response. The question arises whether promoting incident response teams, which are inherently reactive organisations, will influence how a country deals with cyber issues on a national level, possibly undermining a more proactive approach. The CERTs do not have a strong legal basis. As a result, they regularly find themselves operating in the dark with respect to what data they can or cannot share across borders, or even with other organisations within their own country. However, CERTs communicate, exchange information, and share signatures informally, i.e., via FIRST, a community of CERTs.


From 2013 onwards, after adopting the EUCSS, the EU developed a more coherent international cybersecurity policy by cooperating with its regional and international partners, guided by EU values and law. In January 2013, the European Cybercrime Centre (ECC) at Europol was established in The Hague. Its main purpose is to harmonise the cybersecurity capabilities of EU MS and to play a leading role in the EU’s fight against cybercrime. It also supports the EU’s institutions and MS in building an adequate capacity for investigations and cooperation with international partners on cybercrime. In 2016, the EU’s Directive on Security of Network and Information Systems, which was the first specific EU legislation on cybersecurity, came into force. In 2019, the EU Cybersecurity Act was implemented, equipping the EU with further legislation on the certification of cybersecurity products and services, and also reinforcing the mandate of the EU Agency for Cybersecurity.

 

Furthermore, the EU has supported third countries in further developing their cybersecurity and anti-cybercrime policies. The EU has also contributed to international cyberspace security and stability by using its 2017 EU cyber diplomacy toolbox and applying its 2019 cyber sanctions regime. The EU has made significant progress in furthering the development of EU Cyber Defence Cooperation by using the Cyber Defence Policy Framework as a legal basis.

 

Cybersecurity will remain a priority for the EU, as evidenced by its next long-term budget (2021-2027). Through the Digital Europe Programme, the EU will continue to support the further development of the cybersecurity industry and cybersecurity defence. Due to the increase in cyberattacks during the COVID-19 crisis, additional investments in the cybersecurity industry are ensured under the Recovery Plan for Europe (Papanikos, 2020, 3-5).

 

Bibliography:

Falessi, Gavrila, Klejnstrup, Moulinos: National Cyber Security Strategies. Practical Guide on Development and Execution. ENISA (2012): 2-5 [online].

Available at: https://www.enisa.europa.eu/publications/national-cyber-security-strategies-an-implementation-guide . [Accessed: 15 July 2021].

 

Klimburg, Tirmaa-Klaar, ed. Cyber Security and Cyber Power: Concepts, Conditions and Capabilities for Cooperation for Action within EU. OIIP (2011): 5-11 [online].

Available at: https://www.europarl.europa.eu/RegData/etudes/STUD/2011/433828/EXPO-SEDE_ET(2011)433828_EN.pdf . [Accessed: 15 July 2021].

 

Simon Shooter: Cyber Security and the EU: regulating for network security. Bird & Bird (2013): 2 [online].

Available at: https://www.twobirds.com/~/media/PDFs/News/CybersecurityandtheEU06201300125701.pdf . [Accessed: 15 July 2021].

 

Papanikos: The European Union’s Recovery Plan: A Critical Evaluation. (2020): 3-5 [online].

Available at: https://www.researchgate.net/publication/344608777_The_European_Union’s_Recovery_Plan_A_Critical_Evaluation . [Accessed: 16 July 2021].

 

Cyber Defence Policy Framework (2018). [online].

Available at: https://data.consilium.europa.eu/doc/document/ST-14413-2018-INIT/en/pdf [Accessed: 16 July 2021].

 

Cybersecurity Act (2019). [online].

Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A32019R0881&from=EN [Accessed: 16 July 2021].