“Digitalisation and cyber are two sides of the same coin,” said the President of the European Commission, Ursula von der Leyen, while presenting her political priorities in July 2019. Data show that the EU has long been a primary target for cybercriminals, and President von der Leyen signalled the European Union’s intention to beef up its cybersecurity defence.
The risks faced by European citizens and companies became even more evident during the COVID-19 crisis, when more than 40% of EU workers reportedly shifted to telework and cybercriminals took advantage of the increased exposure to launch even more cyberattacks. According to INTERPOL, in one single case a company reported some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs, all related to COVID-19, between January and April 2020 alone.
European institutions and agencies have also been affected: the European Medicines Agency (EMA) was recently the subject of a cyberattack in which hackers accessed some documents relating to the regulatory submission for COVID-19 vaccine candidates.
Against this background, and only a few days after a major data breach was publicly reported in the United States, the European Commission presented a new Cybersecurity Strategy aimed at building a cyber shield in Europe. This will bolster “Europe’s collective resilience against cyber threats” and ensure “that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools.” Together with the strategy, the European Commission proposed an update to the first EU-wide cybersecurity law: a Directive on measures for a high common level of cybersecurity across the Union, repealing the NIS Directive and now referred to as NIS-2. With this proposal, the European Commission is addressing several weaknesses identified in the original NIS Directive that prevented it from unlocking its full potential, such as the need to further improve the resilience and incident response capabilities of public and private entities. Lastly, as part of this new “cybersecurity package,” the European Commission presented a new proposal on the protection of critical entities.
The European Commission will now start implementing the Strategy, while the European Parliament and the EU Member States will negotiate the new legislative proposals. This is what you will need to keep an eye on in the coming months:
- Supervision and enforcement rules get tougher. For example, under NIS-2, incidents must be notified to the regulator no later than 24 hours after the entity becomes aware of them. Additionally, non-compliance with the Directive could lead to administrative fines of 10 000 000 EUR or up to 2% of the company’s total global annual turnover.
- Extension of scope. More sectors and services, now defined as essential and important entities, are included in the scope of the draft NIS-2 Directive. Essential entities now span 10 sectors, including medicines manufacturers and vaccine makers, digital infrastructure providers, energy, transport, banking and financial market infrastructures. The so-called important entities include, among others, providers of online marketplaces, providers of online search engines and now also providers of social networking platforms.
- It is all about cybersecurity certification. Member States may require essential and important entities to certify certain ICT products, services and processes under specific European cybersecurity certification schemes, such as the future cloud cybersecurity certification scheme (expected by mid-2021).
- New rules for IoT. The European Commission will present new regulatory measures to secure IoT devices, potentially including a new duty of care for manufacturers to address software vulnerabilities.
- Watch out, cloud computing service providers. These providers are now brought under the new overarching category of essential entities and will be subject to more stringent rules.
- Close public-private cooperation to build an effective EU cyber shield. A new network of AI-enabled Security Operations Centres will provide warnings about cybersecurity incidents to authorities and all interested stakeholders, including a still-to-be-established Joint Cyber Unit.
The choice of a directive as the legal instrument for NIS-2, which gives Member States discretion in implementing the new rules at national level, may continue to lead to a lack of harmonisation, resulting, as in the past, in inconsistent identification of the operators of essential services by the Member States. We will have to wait and see whether Europe can effectively build its “cyber shield” despite this inconsistency in national implementation.