European Commission announces new Cybersecurity Package of measures to protect against cyber attacks

To equip Europe with the right tools to deal with cyber attacks, the European Commission and the High Representative are proposing a wide-ranging set of measures to build strong cyber security in the EU. This includes a proposal for an EU Cybersecurity Agency to assist Member States in dealing with cyber attacks, as well as a new European certification scheme to ensure that products and services in the digital world are safe to use.

Building on the existing European Agency for Network and Information Security (ENISA), the EU Cybersecurity Agency will be given a permanent mandate to assist Member States in effectively preventing and responding to cyber attacks. It will improve the EU’s preparedness to react by organising yearly pan-European cybersecurity exercises and by ensuring better sharing of threat intelligence and knowledge through the setting up of Information Sharing and Analyses Centres. It will help implement the Directive on the Security of Network and Information Systems, which contains reporting obligations to national authorities in case of serious incidents.

The Cybersecurity Agency will also help put in place and implement the EU-wide certification framework that the Commission is proposing to ensure that products and services are cyber secure. The European cybersecurity certificates will ensure the trustworthiness of billions of devices, from those in energy and transport networks to new consumer devices such as connected cars. Cybersecurity certificates will be recognised across Member States.

The Commission is also proposing:

  • European Cybersecurity Research and Competence Centre: a pilot is to be set up in the course of 2018. Working with Member States, it will help develop and roll out the tools and technology needed to keep up with an ever-changing threat and make sure the EU’s defences are as state-of-the-art as the weapons that cyber criminals use;
  • Blueprint for how Europe and Member States can respond quickly, operationally and in unison when a large-scale cyber attack strikes. The proposed procedure is laid down in a Commission Recommendation, which asks Member States and EU institutions to establish an EU Cybersecurity Crisis Response Framework to make the Blueprint operational. It will regularly be tested in cyber and other crisis management exercises;
  • More solidarity: in the future, the possibility of a new Cybersecurity Emergency Response Fund could be considered for those Member States that have responsibly implemented all the cybersecurity measures required under EU law. The Fund could provide emergency support to help Member States;
  • Stronger cyber defence capabilities: Member States are encouraged to include cyber defence within the Framework of Permanent Structured Cooperation (PESCO) and the European Defence Fund to support cyber defence projects. The European Cybersecurity Research and Competence Centre could also be further developed with a cyber defence dimension. To address the skills gap in cyber defence, the EU will create a cyber defence training and education platform in 2018. The EU and NATO will together foster cyber defence research and innovation cooperation. Cooperation with NATO, including participation in parallel and coordinated exercises, will be deepened; and
  • Enhanced international cooperation: the EU will strengthen its response to cyber attacks by implementing the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, supporting a strategic framework for conflict prevention and stability in cyberspace. This will be coupled with new cyber capacity building efforts to assist third countries to address cyber threats.

The Commission is also proposing to boost deterrence through new measures contained in a Directive to combat fraud and the counterfeiting of non-cash means of payment. The proposed Directive will strengthen the ability of law enforcement authorities to tackle this form of crime by expanding the scope of the offences related to information systems to all payment transactions, including transactions through virtual currencies. The law will also introduce common rules on the level of penalties and clarify the scope of Member States’ jurisdiction in such offences.

To step up effective investigation and prosecution of cyber-enabled crime, the Commission will also present proposals to facilitate cross-border access to electronic evidence at the beginning of 2018. In addition, by October, the Commission will present its reflections on the role of encryption in criminal investigations.
