The National Cybersecurity Strategy of the European Union

by November 7, 2019

Cybersecurity Strategy

In today’s world where the internet and digital landscape is continuously increasing, it also leads to a considerable growth in cyber threats. In order to safeguard its critical infrastructure against new, emerging global cyber threats, EU Members States need flexible and dynamic national cybersecurity strategies to fulfil its requirements.

The European Commission proposed the Network and Information Security Directive (NIS Directive) in 2013, designed to enhance the EU Member States’ national cybersecurity capabilities, improving the cooperation between the Member States, the public and the private sector, while also requiring companies in critical sectors to report major incidents to national authorities and to adopt risk management practices.

The European Parliament and the Council, in December 2015, reached an agreement on the Commission’s proposal. And in July 2016, the Parliament adopted the final Directive that entered into force in August 2016. Currently, all countries in the EU have a National Cybersecurity Strategy (NCSS) as a key policy feature, which assists them in addressing risks that have the potential to weaken the achievement of economic and social benefits from cyberspace.

Supporting the efforts of EU Member States, ENISA has been providing guidelines on how to develop, deploy and update NCSS, assessing existing strategies and outlining good practices since 2012. ENISA (the European Union Agency for Network and Information Security) is a centre of expertise for cybersecurity in Europe. It helps the EU and its countries to be better equipped and prepared to evade, detect and retort to information security issues.


Five Strategic Priorities

As cybersecurity is increasingly regarded as a horizontal and strategic national issue affecting all levels of society, the NCSS is a tool to improve the security and resilience of national infrastructures and services.

The EU’s cybersecurity strategy is expressed as five strategic priorities.


Achieving Cyber Resilience

The national cyber strategy proposes greater cooperation between public authorities and the private sector to counter cross-border cyber threats and contribute to a coordinated response in an emergency. It also identifies gaps that are still present across the EU in terms of national capabilities, coordination in cases of incidents spanning across borders, and private sector involvement and preparedness. Thus, to address these gaps, the strategy proposes the NIS Directive, along with a new regulation to extend the mandate of the ENISA.


Reducing Cyber Crime

The strategy compels those Member States that have not yet approved the Council of Europe’s Budapest Convention on Cybercrime to ratify and implement its provisions as early as possible. Also, the Commission will support the Member States in combating cybercrime and will work closely with the European Cybercrime Centre (EC3) within Europol and Eurojust to line up new policy approaches. So, it will support EC3 as the European focal point in the fight against cybercrime.


Developing Cyber Defense Capabilities Related to the Common Security and Defence Policy (CSDP)

To strengthen the cyber resilience of information systems that can support Member States’ defence and national security interests, the strategy suggests common cyber defence policy development that should focus on detection, response, and recovery from sophisticated cyber threats. Furthermore, to make sure efficient defence capabilities, recognize areas for cooperation and thwart the duplication of efforts, an EU cyber defence policy framework, cyber defence training and exercises, and dialogue and coordination between international partners, including NATO, will be developed and promoted.


Developing the Industrial and Technological Resources for Cybersecurity

As many of the global leaders providing innovative ICT products and services are located outside the EU, the strategy proposes that the Commission will foster a Europe-wide market demand for highly secure products that provide incentives for the private sector to ensure a high level of cybersecurity. It also stated that the Commission will support the development of security standards, with focusing on supply chain security, in support of the ongoing standardisation work of the European Standardisation Organisations.

Moreover, the Commission will launch a public-private platform on NIS solutions to develop incentives for the adoption of secure ICT solutions, and will develop technical guidelines and recommendations for the adoption of NIS standards and good practices in the public and private sectors, as well as use the Horizon 2020 Framework Programme for Research Innovation to accelerate R&D investments to fight against cybercrime.


Establishing a Coherent International Cyberspace Policy for EU and Promote Core EU Values

The national strategy recommends that the Commission, the High Representative, and the Member States will work towards a coherent EU International cyberspace policy to increase engagement with key international partners and organisations, along with civil society and the private sector. To address global cyber challenges, the EU will consult with organisations that are active in this field such as the Council of Europe, OECD, UN, OSCE, NATO, AU, ASEAN, and OAS. At the bilateral level, cooperation with the US will be further developed, notably in the context of the EU-US Working Group on Cyber-Security and Cyber-Crime.

To promote cyberspace as an area of freedom and fundamental rights, the strategy noted that the EU should encourage corporate social responsibility and introduce international initiatives to enhance global coordination in this field.