Coordination, awareness and expertise: these are the three key words that emerge from the information document published on Tuesday 19 March by the EU Court of Auditors on cybersecurity. It covers network and information security, cybercrime, cyber defence and misinformation.
This document differs from the Court's usual audits in that it is limited to a documentary review of publicly available information (about 100 sources). In particular, it identifies ten key challenges grouped into four themes: the policy and legislative framework, financing and expenditure, strengthening cyber-resilience, and the effectiveness of the response to cyber incidents.
Low and fragmented investments
One of the main conclusions of this report is that cybersecurity investments are considered too low and too fragmented by auditors. At the moment, it is impossible to know exactly how much money has been allocated to cybersecurity, the institution concludes. What is certain, however, is that the expenditure of some Member States is a tenth of that of the United States, or even less. The EU budget, on the other hand, includes about ten instruments that contribute in some way to cybersecurity, without it being clear exactly what funds are being used and for what purposes.
"The EU and its Member States need to know how much they are investing collectively", said Baudilio Tomé Muguruza, the Member of the Court of Auditors responsible for the information document, at a press conference. It emphasises that the Court does not advocate bringing together the current instruments into a single mechanism, but rather having a clear view of the expenditure in order to identify the gaps to be filled.
The key word: coordination
Other challenges identified include those related to the legislative framework, whose transposition is not sufficiently assessed and which is still incomplete. "Despite efforts to enhance coherence, the legislative framework for cybersecurity remains incomplete. Its fragmentation and shortcomings prevent the achievement of key strategic objectives and result in inefficiency", the information document notes.
For example, it points out that Member States are developing policies on software vulnerability reporting "at different rates", in the absence of a comprehensive legal framework at EU level to ensure a coordinated approach. The information note also recommends further "assessment" of progress in cybersecurity.
With regard to responses to cyber incidents, the Court notes that early detection and response, protection of critical infrastructure and societal functions, as well as improved information exchange and coordination between the public and private sectors are priority challenges. The document also includes an invitation to develop cybersecurity skills and awareness in all sectors and at all levels of society.
The report is available at: https://bit.ly/2TZnmK8. (Original version in French by Sophie Petitjean)