European cybersecurity for the Digital Decade
The EU published its Cybersecurity Strategy in December 2020 as part of its Digital Decade, with the first implementation report published the following summer. Continuing threats prompted the Commission to propose a new Cybersecurity Regulation in March 2022.
The main aims of the European Cybersecurity Strategy are broken down into three areas of action for the EU: resilience, technological sovereignty and leadership; operational capacity to prevent, deter and respond; and cooperation to advance a global and open cyberspace. The strategy was designed to “ensure a global and open internet with strong safeguards where there are risks to security and the fundamental rights of people in Europe”.
Key measures highlighted in the implementation report on the strategy issued in summer 2021 were finalising the NIS2 Directive together with the proposed regulation and directive on digital operational resilience for the financial sector, and establishing a network of security operations centres (SOCs) for early detection of the signals of cyberattacks, which the report described as “more pressing than ever”. The report also noted, “given the increase of cyberattacks conducted by state or state-sponsored actors”, that responsible governmental behaviour must be promoted through the United Nations and other bodies.
Ransomware attacks such as the one suffered by the HSE in Ireland have become a primary concern for cybersecurity organisations across Europe, and indeed the globe. Ransomware typically infects computer systems and renders them, or the data stored on them, unusable: it encrypts target files and displays a notification demanding payment in exchange for the key needed to unlock the data. Cybercriminals involved in such attacks usually demand payment in virtual currencies, i.e., cryptocurrency, because such payments are harder to attribute than bank transfers, although the public ledgers of most cryptocurrencies mean they are not untraceable.
The European Union Agency for Cybersecurity (ENISA), in its ENISA Threat Landscape 2021 report, stated that “the frequency and the complexity of ransomware attacks increased by more than 150 per cent in 2020”. On that basis, ENISA defines ransomware as “one of the greatest threats that organisations face today regardless of the sector to which they belong”, and combatting it has become “a prime item in agendas for meetings on strategy among global leaders”.
Agreement has since been reached between the Council of the EU and the European Parliament on the NIS2 Directive, which will adapt the original NIS Directive to current cybersecurity needs by increasing resilience and incident response capacities in both the public and private sectors across the European Union. The original NIS Directive set out the national cybersecurity capability requirements for member states and a cooperation agenda for the exchange of information among those same countries. Member states were also obliged to promote a culture of security across the sectors most critical to the EU that depend on ICT, such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure.
The NIS2 Directive has been designed in part to deal with the looming threat of ransomware attacks. The Directive introduces stricter supervisory measures and more stringent enforcement requirements, including harmonised sanctions across the EU. It also establishes a framework for closer cooperation and information sharing between the different national authorities and member states, including a European vulnerability database. This is a key difference from the original Directive, which did not provide a common, shared framework for tackling cyber incidents such as ransomware attacks across the union.
The scope of the Directive has also been broadened: more organisations are now required to take cybersecurity risk management measures, and national authorities are given stronger supervisory and enforcement powers. The network of SOCs appears to be progressing, with Atos opening its next generation SOC in March 2022 and the European Space Agency (ESA) awarding the contract for its cyber-SOC, expected to be operational from 2024, to contractor Leonardo.
The Commission, in March 2022, proposed its new Cybersecurity Regulation in order to establish common cybersecurity measures across EU institutions, bodies, offices, and agencies. The regulation will put in place a framework for governance, risk management and control, create a new inter-institutional Cybersecurity Board, and extend the mandate of the Computer Emergency Response Team (CERT-EU) as a threat intelligence, information exchange and incident response coordination hub, a central advisory body, and a service provider. CERT-EU will be renamed the Cybersecurity Centre for the Union institutions, bodies, offices and agencies, while keeping the short name CERT-EU. Under the regulation, every EU institution, body, office and agency will be required to have a cybersecurity governance and risk management framework, a baseline of cybersecurity measures, regular assessments, and a plan for cybersecurity improvements, and will need to share incident information with CERT-EU in a timely manner.
Commissioner for Budget and Administration Johannes Hahn called the regulation “a milestone in the EU cybersecurity and information security landscape” and said that the new rules are “based on reinforced cooperation and mutual support among EU institutions, bodies, offices and agencies and on a coordinated preparedness and response”.