The European Commission presented its ‘Cyberspace’ package in the margins of the Strasbourg plenary session on Tuesday 18 April. It provides, among other things, for the creation of a European ‘Cyber Shield’ to detect threats and the setting up of a European Cybersecurity Skills Academy to address the shortage of skilled workers in the sector.
“We presented our European Cybersecurity Strategy in 2020. Today, this law provides us with the final element of this strategy”, commented the Executive Vice-President for a Digital Europe, Margrethe Vestager.
In detail, the EU’s Cybersolidarity Act – under which the future cyber shield falls – should be used to “detect, prepare for and respond to” cyber attacks and other threats. This cyber shield will be based on an infrastructure of security operations centres (SOCs) that will be responsible for detecting and countering cyber threats by using artificial intelligence, supercomputing and advanced data analysis.
Each of the future operations centres should cover at least three EU Member States. The alerts that they would issue would enable the relevant authorities and entities to react more quickly. They should be operational from the start of 2024, the European Commission said.
“We must have this capacity to react, which will rely on the competences of the Member States. Some of them already have security centres, but we will also have a European layer to connect it all together. In terms of governance, it is a bit like the ‘Galileo of cyberspace’. We have learned to share infrastructure, to pool it and to manage it”, summarised Commissioner for the Internal Market Thierry Breton.
Establishment of a cyber security reserve
In addition, the ‘Cybersolidarity Act’ provides for the establishment of an emergency response mechanism in the field of cybersecurity. This mechanism would be based on three pillars. The first would consist of preparatory measures, including testing entities that operate in highly critical sectors – such as health, transport or energy – to establish their degree of vulnerability.
The second pillar would be financial support for mutual assistance between Member States in the event that an incident takes place. In terms of funding, the European Commission foresees €1.1 billion for the future legislation, two-thirds of which would come from EU funds under the Digital Europe Programme.
Finally, the third pillar would be the creation of an EU Cybersecurity Reserve, which would be tasked to intervene, at the request of a Member State, EU institution, body or agency, in the event of a major or large-scale cyber security incident. This pool would be resourced with trusted suppliers under a contract.
“We had thought of a cyber army, but it is very complicated. So we have opted for a cyber reserve with individuals who are certified providers. We want to have several thousand people ready, in the long term, to intervene in case of need”, commented Mr Breton.
€10 million for the European Cyber Security Skills Academy
Before it is possible to reach the figure put forward by Mr Breton, the problem of the lack of skilled labour in the sector will have to be resolved. To address this, the European Commission is going to rely on the creation of a European cybersecurity skills academy.
“Confronted with growing threats, the EU faces a digital skills gap: nearly 260,000 cybersecurity professionals will be needed”, said Vestager.
This academy, initially hosted on the European Commission's platform for e-skills and digital jobs, should initially allow citizens who are interested in the cybersecurity sector to find a single entry point that brings together existing training and certification opportunities within the EU.
In terms of companies and other stakeholders, it would be possible to offer training and certification. During a second phase, the academy should be able to serve as a common space for academics, training providers and companies in the sector so as to help them coordinate teaching programmes and funding.
A budget of €10 million will be allocated to the creation of the future academy. “This will help us to get started and to close the current gap over the coming years”, said European Commission Vice-President Margarítis Schinás.
The ‘Strategic Compass’ as a safeguard
Finally, the Commission has also proposed a targeted amendment to the cybersecurity regulation. This amendment aims to enable the future adoption of European certification schemes for highly critical and sensitive services that are offered by cybersecurity service providers. The European Commission believes that certification of these services, ranging from incident response and penetration testing to security audits and consultancy, should help companies to “prevent, counter and recover” from incidents.
It remains to be seen whether Member States will play along and cooperate since, according to the European Commission, “a great deal of unwillingness to share on the part of Member States“ has been noted in the past. “This was the responsibility of Member States, but the ‘Strategic Compass’ (see EUROPE 13145/8) is now in place. Member States have agreed that cyberspace must be defended at EU level. A consensus has been reached. In the cyberspace sector, no one can defend themselves on their own; every entry point to the internal market is a risk point”, concluded Mr Breton.
See the proposal on the Cybersolidarity Act: https://aeur.eu/f/6d9
See the document on the European Skills Academy: https://aeur.eu/f/6da
See the proposed amendment to the cybersecurity regulation: https://aeur.eu/f/6db (Original version in French by Thomas Mangin)