On Wednesday 16 December, the European Commission presented a series of proposals on cybersecurity relating to both the digital dimension and home and foreign affairs. In particular, it proposes a move to qualified majority voting (rather than unanimity) for the sanctions regime against cyberattacks.
“This package starts by acknowledging that our tools date back to a completely different era. It underlines the need to adapt and modernise and to improve our capacity, preparedness and resilience”, Vice-President Margaritis Schinas said at a press conference.
In concrete terms, the Commission publishes a general communication setting out the main areas of work. It also presents two pieces of legislation: a revision of Directive 2016/1148 on the security of network and information systems (NIS) and a revision of Directive 2008/114 on critical entities resilience (CER) (see other news). It also submits a second progress report on the security of 5G infrastructure, in particular on the implementation of the toolbox, which recommends a risk-based approach and encourages a “multi-vendor” approach (see EUROPE 12414/7, 12222/23).
This package should be completed “in February 2021” with a proposal establishing a common cybersecurity unit, according to the timetable set out by Commissioner Thierry Breton.
NIS: new “important” entities
The European Consumer Organisation (BEUC) welcomed this new package of measures, particularly its digital component. It welcomes the fact that the European Commission envisages, in its general strategy, “possible new horizontal rules to improve the cybersecurity of all connected products and associated services placed on the Internal Market”. The document suggests that the future proposal “could include a new duty of care for connected device manufacturers”.
The consumer lobby also welcomes the revision of the Directive on the security of network and information systems (NIS), which has only been in force for 2 years. The proposal eliminates the distinction between operators of essential services and digital service providers. Instead, it creates a new category of “important” economic and social entities, and it brings government agencies within scope. The proposal reinforces the security requirements imposed on public and private sector organisations. It also provides for fines of up to 2% of the total annual worldwide turnover (and a maximum of €10 million) of the undertaking to which the essential or important entity belongs.
On the 5G report, the Commission takes a cautious approach, noting that the July conclusions remain valid (see EUROPE 12535/3). “As regards high-risk suppliers, as of November 2020, measures aimed at applying restrictions based on the risk profile of suppliers have been adopted, proposed or planned in nearly all Member States, taking into account the approach recommended in the Toolbox. Only a small minority of Member States have yet to define clear plans to implement these measures”, it notes. It should be recalled that the exclusion of Huawei is under way, notably in Finland, Sweden and the United Kingdom.
[NIS 2: http://bit.ly/3qWbgzf and 5G report: http://bit.ly/2Kd790Z ]
Reinforcing action in the international framework
The European Commission also intends to strengthen its action at the international level. To this end, the strategy puts forward 20 proposals for action, without announcing a clear timetable.
The Commission proposes to strengthen the EU cyberdiplomacy toolbox adopted in June 2017 (see EUROPE 11811/27) in order to “prevent, discourage, deter and respond to malicious cyber activities”, again highlighting the possibility of introducing qualified majority voting for sanctions as part of the regime against cyberattacks. This regime dates from May 2019 (see EUROPE 12257/9) and currently applies to eight persons and four entities.
The High Representative of the Union for Foreign Affairs and Security Policy, Josep Borrell, also intends to present updated guidelines for the implementation of this toolbox. “The EU should further integrate the cyber diplomacy toolbox in EU crisis mechanisms, seek synergies with efforts to counter hybrid threats, disinformation and foreign interference”, the strategy says.
Mr Borrell will also put forward a proposal for the EU to define its cyber deterrence posture more precisely. The strategy also provides for encouraging and facilitating the creation of a Member State Working Group on Cyber-Intelligence within the EU Intelligence and Situation Centre (INTCEN) in order to “advance strategic intelligence cooperation on cyber threats and activities”, and for ensuring greater cooperation on cyber defence, in particular between European military Computer Emergency Response Teams (CERT Network). Addressing the media, Mr Borrell expressed the wish that the rapid reaction teams for cyberattacks, developed in the framework of a permanent structured cooperation project, should become fully operational.
The EU also wants to revise its cyberdefence policy framework and facilitate the development of a ‘Military Vision and Strategy on Cyberspace as a Domain of Operations’ for CSDP military missions and operations, according to the strategy.
As usual, the Commission is counting on increased cooperation at international level. It therefore proposes to assist, including through civilian CSDP missions, in increasing the cyber resilience of partners and their capacity to investigate and prosecute cybercrime. The EU should also create an informal cyberdiplomacy network, through its delegations, to promote the European vision of cyberspace, exchange information and regularly coordinate on developments in cyberspace.
The Commission also intends to lead discussions on international norms and standards. This is expected to be done through diplomatic relations and multilateral cooperation, the development of confidence-building measures, strengthening partnerships through exchanges with civil society, academia and the private sector.
See strategy: http://bit.ly/3qXxz7L (Original version in French by Sophie Petitjean and Camille-Cerise Gessant)