EUROPE: EU publishes new cybersecurity approach

By Jalil Karim

With daily announcements of major hacks and cybercrime generating concern about serious attacks on essential services and producing hundreds of billions in revenue for organised crime, it is not surprising that Europe regards this issue as one of the top three existential threats it faces, just above immigration and below climate change.

The Commission is taking this threat seriously in announcing a comprehensive series of measures to tackle the issue.

On 13 September 2017, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy released a Joint Communication titled “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” (the “Communication“). This Communication outlines an approach for the EU to better safeguard and be more proactive, both on a national and international level, against the dramatic rise in cyber related threats.

The approach is based on three principles:

  1. Building greater resilience and strategic autonomy
  2. Deterring cyber attacks
  3. Developing international cooperation


  1. Building greater resilience and strategic autonomy

 The Communication advocates for more robust and effective structures to (i) promote cybersecurity and (ii) respond to cyber-attacks by calling for:

  • Strengthening the role of the European Union Agency for Network and Information Security (ENISA) – The Communication calls for a permanent mandate for ENISA which would include supporting the implementation of the NIS Directive and having a strong advisory role on policy development and implementation.
  • An EU cybersecurity certification framework (the “Framework“) – The introduction of the voluntary Framework is designed to provide: (i) businesses with clear and consistent standards to meet across the EU; and (ii) consumers with confidence about product security.
  • A push for a “security by design” approach and calls for a defined “duty of care” principle to reduce product and software vulnerabilities.
  • The full implementation of the Directive on the Security of Network and Information Systems (the “NIS Directive“). The Commission also mentioned that they would provide best practice from Member States relevant on the implementation of the NIS Directive and guidance how it should operate in practice.
  • The implementation of a “Blueprint” by Member States to provide an effective (and regularly tested) process for an operational response in the event of a large scale cyber incident.
  • Increased competence in cyber security across the EU by:
    • establishing a network of cybersecurity competence centres to promote and stimulate the development of technology and at a national and EU level;
    • improving cybersecurity education from primary and secondary school to professionals in the fields of engineering, business management and law to meet the rapidly growing demand for this expertise; and
    • promoting cybersecurity awareness among individuals as well as businesses, including setting up a one-stop shop for advice and guidance on all things cyber.
  1. Creating an effective cyber deterrence

The Communication looks to create a deterrence for would-be cybercriminals by:

  • Encouraging the move towards IPv6 across all Member States.
  • Presenting a proposed directive to update the rules and increase enforcement with regard to internet fraud.
  • A potential addition to the Budapest Convention on Cybercrime to allow cross-border access to electronic evidence.
  1. Strengthening international cooperation on cybersecurity

Finally, the Communication looks at global cybersecurity and how the EU can work in an international capacity by (i) developing its relationship with NATO on cybersecurity (ii) establishing a strategic framework for conflict prevention and stability in cyberspace and (iii) building capacity through a dedicated EU Cyber Capacity Building Network to assist third countries.