On Tuesday 19 September, the European Commission officially presented its cyber security strategy. This strategy aims to strengthen the mandate of the European Union Agency for Network and Information Security (ENISA), coordinate the response of member states, prepare sector professionals and certify resilient products.
These measures, detailed in our previous newsletter (see EUROPE 11861), were adopted last week in Strasbourg as part of the State of the Union speech by European Commission President Jean-Claude Juncker. Their presentation therefore gave Vice President Andrus Ansip (Digital Single Market) and Commissioners Julian King (Security Union) and Mariya Gabriel (Digital Economy and Society) an opportunity to present their respective priorities to the press. All three stressed the urgency of a joint response to cyber threats: in 2016 alone, the EU registered more than 4,000 ransomware attacks, and 80% of European businesses experienced a cyber security-related incident.
Rules for cyber currencies
Commissioner Julian King highlighted the draft directive on combating fraud and counterfeiting of non-cash means of payment. He also pointed out that virtual currencies are an important source of income for organised crime and are useful to other criminal activities such as terrorism, drug trafficking and trafficking in human beings. The proposal extends the scope of the current Council Framework Decision 2001/413/JHA to virtual currencies and provides for criminal charges for fraud committed through non-cash payment systems. Other changes include extending the jurisdiction of the member states to these offences, introducing common rules on sentencing (from two to five years for the most serious offences) and guaranteeing the rights of cybercrime victims.
Certification and qualifications
Commissioner Mariya Gabriel highlighted the changes to the way in which ENISA, the European Union Agency for Network and Information Security, operates. She indicated that the draft proposal would give the agency a permanent mandate, increase its personnel by half and broaden the missions it carries out, in particular through the annual pan-European cyber security exercises it organises and the creation of information sharing and analysis centres. The same draft regulation also proposes a European certification framework, “to guarantee that products and services respond to all the cyber security requirements applicable”. This voluntary scheme will be developed with industry and the member states around three European priorities: increased security of critical or high-risk applications; cyber security for the digital products, networks and systems that the private and public sectors use to defend themselves against attacks; and the use of security-by-design methods (“during conceptualisation”) for widely used consumer objects.
At the same time, the Commission will launch a pilot project in 2018 to develop a European cyber security research and skills centre.
Coordinated response mechanism
The third and final legislative initiative presented as part of the new strategy is a draft recommendation to guarantee a rapid response from the EU and the member states in the event of a large-scale cyber-attack. The recommendation also calls on the member states and the EU institutions to develop an EU framework for responding to cyber security crises, together with an action plan of concrete measures. This action plan will then be tested regularly in crisis management exercises, both in the cyber security domain and in other areas.
The communication accompanying the strategy goes even further by looking at the possibility of creating an intervention fund for cyber security emergencies. This fund could help the member states that have responsibly applied the raft of cyber security measures included in EU legislation, as well as the victims of cyber-attacks.
Reactions
In a press release, the DIGITALEUROPE organisation welcomed the draft regulation on the free flow of non-personal data in the EU. It explained that, “Ending forced localisation of non-personal data is a clear improvement to the functioning of the EU Single Market, which is currently too fragmented for the digital economy”. DIGITALEUROPE is now calling on the co-legislators to remain focused on the positive economic and societal impacts of the proposal and to establish clear limits on justified data localisation measures, which are essential to public security.
The response from the European Parliament was rather positive, and German MEP Jan Philipp Albrecht (Greens/EFA) pointed out that citizens’ trust in the digital single market grows with “net security”. The MEP added, “We need clear rules and information security standards for equipment and software manufacturers. Commercial software providers will have to be entirely responsible for security shortcomings in their products and provide updates as soon as possible. The European directive on product responsibility must also apply to software”. The Executive Director of ENISA, Professor Udo Helmbrecht, also welcomed the proposals strengthening his agency’s mandate. These initiatives will improve the single market and strengthen the European digital industry, he emphasised in a press release. The documents are available at: https://ec.europa.eu/digital-single-market/en/policies/cybersecurity#usefullinks (Original version in French by Sophie Petitjean and Solenn Paulic)