You are currently viewing The New EU Cyber Security Strategy – Exploring Ways to Shape Europe’s Digital Future
Kaboompics

The New EU Cyber Security Strategy – Exploring Ways to Shape Europe’s Digital Future

04 April 2021

In December 2020, the EU released its new Cybersecurity Strategy (EUCSS). The move comes as the EU experiences a surge in cyber-attacks and is attempting to strengthen resilience against major security breaches and state backed cyber-attacks (Cerulus, 2020).

The COVID-19 pandemic accelerated digitalisation across various sectors in the EU at an unprecedented scale, but increased digitalisation also entails increased vulnerability to cyber-attacks and other malicious online activities. As Commission President Ursula von der Leyen already outlined in 2019: “cyber security and digitalisation are two sides of the same coin. This is why cyber security is a top priority.” (European Commission, 2019)

The new EU Cybersecurity Strategy (EUCSS) tries to tackle these evolving threats and proposes a number of new initiatives to foster resilience and situational awareness of cyberthreats (European Commission, 2020a). The strategy identifies three dimensions of EU action and provides concrete proposals for regulatory, investment, and policy initiatives to safeguard a global and open internet and to protect European values (European Commission, 2020b).

The first dimension aims at improving resilience, technological sovereignty, and leadership across European private and national institutions. Two legislative proposals that were published together with the EUCSS lie at the heart of the attempt to promote greater resilience of the single market for cybersecurity: the Directive on measures for high common level of cybersecurity across the Union (NIS2) and the Critical Entities Resilience Directive (CER) (European Commission, 2020b). Furthermore, the Commission promotes the establishment of a “European Cyber Shield” that would allow for an increased degree of information exchange between stakeholders and will provide timely warnings on cybersecurity incidents to detect potential threats before they can cause damage (European Commission, 2020a).

The second pillar of the EUCSS focuses on building the operational capacity to prevent, deter and respond to cyber incidents. One of the major focal points to increase the operational capacity is to establish a Joint Cyber Unit (JCU) to speed up information sharing between different cybersecurity communities in the EU (Leyen, 2019). The JCU is an important step forward in completing the European cybersecurity crisis management framework (European Commission, 2020a).

Advancing a global and open cyberspace through increased cooperation is the third dimension of EU action. The Commission is especially emphasising the need to strengthen the rule-based international order by utilizing the EU’s international influence to promote European values across the globe and to ensure that the coming digital age bears a European signature (European Commission, 2020b).

While the EUCSS presents a comprehensive agenda that aims to tackle recurring cyber threats across all relevant public and private sectors within the Union, it also proposes various initiatives related to problems of defence and international security in cyberspace. The EUCSS takes stock of the fact that strategic cyber espionage campaigns, or military motivated cyber-attacks are introducing a new era in international relations, where the cyberspace is increasingly developing into a war zone (Autolitano, 2020).

Regarding international security and diplomacy, the document emphasises the need to strengthen the “Cyber Diplomacy Toolbox” (European Commission, 2020b). The toolbox was endorsed by the EU Foreign Affairs Council in 2017 and contains the main principles for a joint diplomatic response to malicious cyber activities (Paul, 2019). While the toolbox includes several preventive, cooperative, and stability measures, it also introduced a real game-changer: the new cyber sanctions regime (EUISS, 2017), that was already used to sanction several cyber-criminals in 2020. However, the EUCSS also emphasises the need to step up the EU’s cyber deterrence posture by strengthening the Cyber Security Toolbox about the countering of cyberattacks on critical infrastructure, democratic institutions and processes, and cyber-enabled theft of intellectual property (European Commission 2020a). Furthermore, the Commission is currently assessing the possibility to introduce qualified majority voting for listings under the EU’s sanction regimes against cyberattacks. To further these goals, the Commission will propose an update of the toolbox’s implementing guidelines, as well as integrating the toolbox in the EU crisis mechanism (European Commission 2020a).

The Commission is also aiming to boost EU cyber defence capabilities by introducing a number of new initiatives. Firstly, the EUCSS is trying to ensure that cybersecurity and cyber defence are integrated into a wider security and defence agenda by presenting a Cyber Defence Policy Framework (CDPF) review in the near future. Secondly, the strategic document highlights the importance of the upcoming “Military Vision and Strategy on Cyberspace as a Domain of Operation” by the EU Military Committee. The document will explore how cyberspace can create synergies regarding EU military operations. The third strategic goal is to enable more cooperation and interoperability at EU level in the area of defence. The EUCSS tries to foster cooperation between the Member States by setting up a Military CERT-Network to guide defence cooperation, and by making full use of the Permanent Structured Cooperation (PESCO) and the European Defence Fund (EDF) regarding cyber defence research, innovation, and capacity development (European Commission 2020a).

Furthermore, the EUCSS stresses the vitality of EU-NATO cooperation and proposes to further advance the interinstitutional cooperation, most notably in connection with cyber defence interoperability (European Commission 2020a).

The EUCSS is an ambitious strategy that tries to prepare the Union for the major cyber threats of the 21st century. While the strategy itself is considered “soft law” and is not legally binding, it introduces a number of initiatives that could be a real game-changer in cybersecurity. The Council of the European Union has already endorsed the EUCSS and has encouraged the Commission to establish a detailed implementation plan for the new strategy (Council of the European Union, 2021).


Written by Oliver NOYAN, Researcher at Finabel – European Army Interoperability Centre

Sources

Autolitana, Simona. (2020), ‘A Europe Fit for the Digital Age: The Quest for Cybersecurity Unpacked’ Istituto Affari Internationali Commentaries20, : 1-6. [online]. Available at: https://www.iai.it/en/pubblicazioni/europe-fit-digital-age-quest-cybersecurity-unpacked [Accessed: April 4, 2021]

Cerulus, Laurens. (2020), ‘EU bolsters defenses against cyberattacks: new strategy and laws aim to stop hacks of key assets and information’, Politico. [online] Available at: https://www.politico.eu/article/eu-bolsters-defenses-against-cyberattacks/?fbclid=IwAR3_Gi-I9ITIm3nER_EiCZcF82VmXI7qnBs89CZWdy6enQ577gOKr0MQe4g [Accessed: April 4, 2021]

Council of the European Union. (2021), ‘Cybersecurity: Council adopts conclusions on the EU’s cybersecurity strategy’, Press Release. [online] Available at: https://www.consilium.europa.eu/en/press/press-releases/2021/03/22/cybersecurity-council-adopts-conclusions-on-the-eu-s-cybersecurity-strategy/ [Accessed: April 4, 2021]

European Commission. (2019), ‘Speech by President-elect von der Leyen in the European Parliament Plenary on the occasion of the presentation of her College of Commissioners and their programme’, Press release. [online] Available at: https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_19_6408 [Accessed: April 4, 2021]

European Commission. (2020a), ‘Joint Communication to the European Parliament and the Council: The EU’s Cybersecurity Strategy for the Digital Decade’, JOIN (2020) 18 final. [online] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020JC0018&from=ga [Accessed: April 4, 2021]

European Commission. (2020b), ‘New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient’, Press Release. [online] Available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2391 [Accessed: April 4, 2021]

European Union Institute for Security Studies (EUISS). (2017), ‘The EU Cyber Diplomacy Toolbox: towards a cyber sanctions regime?’. [online] Available at: https://www.iss.europa.eu/sites/default/files/EUISSFiles/Brief%2024%20Cyber%20sanctions.pdf [Accessed: April 4, 2021]

Leyen, Ursula von der. (2019), ‘A Union that strives for more: My agenda for Europe’, Political Guidelines for the Next European Commission 2019-2024. [online] Available at: https://ec.europa.eu/info/sites/info/files/political-guidelines-next-commission_en_0.pdf [Accessed: April 4, 2021]

Paul, Ivan. (2019), ‘Responding to cyberattacks: Prospects for the EU Cyber Diplomacy Toolbox’, European Policy Centre. [online] Available at: https://www.epc.eu/en/Publications/Responding-to-cyberattacks-EU-Cyber-Diplomacy-Toolbox~218414 [Accessed: April 4, 2021]