What is the impact of cybersecurity incidents?
Cybersecurity incidents cause major economic damage of hundreds of billions of euros each year to European businesses and the economy at large. Such incidents undermine trust in the digital society. Theft of commercial trade secrets, business information and personal data breaches, disruption of services and of infrastructure result in economic losses of hundreds of billions of euros each year.
According to a recent survey, at least 80% of companies in Europe have experienced at least one cybersecurity incident over the last year and the number of security incidents across all industries worldwide rose by 38% in 2015, compared to 2014.
What is the Commission already doing to strengthen cybersecurity?
Since the adoption of the EU Cybersecurity Strategy in 2013, the European Commission has stepped up its efforts to better protect Europeans online. It has adopted a set of legislative proposals, in particular on network and information security, earmarked more than €600 million of EU investment for research and innovation in cybersecurity projects during the 2014-2020 period, and fostered cybersecurity cooperation within the EU and with partners on the global stage.
But more work is needed to address the increasing number and complexity of cyber-threats. This is why the Commission proposes today a series of measures to reinforce cooperation to secure Europe's digital economy and society, and to help develop innovative and secure technologies, products and services throughout the EU.
More information on EU cybersecurity initiatives can be found in this factsheet.
What does the Commission plan to do now?
The Commission has proposed an action plan to further strengthen Europe’s cyber resilience and its cybersecurity industry. This includes measures to:
- Step up cooperation across Europe: the Commission encourages Member States to make the most of the cooperation mechanisms under the forthcoming Network and Information Security (NIS) Directive and to improve the way in which they work together to prepare for a large-scale cyber-incident. This includes more work on education, training and cybersecurity exercises (such as ENISA's CyberEurope exercises).
- Support the emerging single market for cybersecurity products and services in the EU: for example, the Commission will explore the possibility of creating a framework for certification of relevant ICT products and services, complemented by a voluntary and lightweight labelling scheme for the security of ICT products; the Commission also suggests possible measures to scale up cybersecurity investment in Europe and to support SMEs active in the market.
- Establish a contractual public-private partnership (PPP) with industry to nurture cybersecurity industrial capabilities and innovation in the EU.
I. Stepping up cooperation and improving capacities
Why does the Commission need to propose more steps on cybersecurity cooperation?
However, the threat level is constantly evolving and handling a large-scale cyber incident involving several Member States simultaneously will be challenging. EU-level cooperation is therefore essential for dealing with both a possible large-scale cyber-attack in several Member States and smaller-scale but potentially more frequent cyber incidents. A blueprint for a coordinated reaction, based on cross-border exchange of information, will be needed to address such incidents in the most efficient way. We have to integrate cybersecurity into existing crisis management mechanisms and procedures. It also requires better cooperation and more rapid information-sharing mechanisms between sectors and among Member States to respond to, and contain, such incidents.
How do these plans link to the NIS Directive?
The forthcoming NIS Directive establishes two coordination mechanisms:
- the Cooperation Group which supports strategic cooperation and exchange of relevant information related to cyber incidents among Member States, and
- the Network of Computer Security Incident Response Teams (so-called CSIRT network) which promotes swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.
Given the nature and multitude of cyber threats, the Commission encourages Member States to make the most of these mechanisms as well as to enhance cross-border cooperation related to preparedness for a large-scale cyber incident.
How does the Commission propose to enhance cooperation during a pan-EU cyber-attack?
In the first half of 2017, the Commission will present a "blueprint", which outlines a coordinated approach to crisis cooperation in case of a large-scale cyber incident. The plan should include a role for EU-level bodies such as the EU Agency for Network and Information Security (ENISA), the EU Computer Emergency Response Team (CERT-EU) and the European Cybercrime Centre (EC3) at Europol, and use tools developed in the context of the network of Computer Security Incident Response Teams. The approach presented in this blueprint should then be regularly tested in crisis management exercises.
Why do we need an information hub to support the exchange of information between the EU bodies and Member States?
Currently, knowledge and expertise on cybersecurity are available only in a dispersed and unstructured way. To support the NIS cooperation mechanisms, the aim of an information hub is to pool this information and make it more easily available on request to all Member States who need it. This hub would become a central resource allowing the EU institutions and Member States to exchange information as and when appropriate. The Commission, supported by ENISA and CERT-EU and with the expertise of its Joint Research Centre, will facilitate the creation and ensure the ongoing sustainability of the hub.
What does the Commission propose to do about cybersecurity training?
According to different estimates, the demand for the cybersecurity workforce will rise to 6 million globally by 2019, with a projected shortfall of 1-1.5 million workers.
Europeans need to have the right skills and training both to prevent cybersecurity incidents and to deal with them when they arise. A lot is happening in this area already but it is also necessary, for example, to develop civil-military cooperation and look at ways in which both areas can learn from each other on training and exercise, so as to increase resilience and incident-response capabilities. The Commission, in cooperation with Member States, the European External Action Service, ENISA and other relevant EU bodies will establish a cybersecurity education, exercise and training platform to help in this process.
Why is the Commission looking into additional rules and/or guidance on cyber risk preparedness for critical sectors?
A severe cyber incident in one sector or in one Member State may directly or indirectly have an effect on – or propagate to – other sectors, or across borders. A necessary pre-requisite for addressing cross-sectoral risks is the ability of each individual sector to identify, prepare for and respond to cyber incidents. This is why the Commission will assess the risk resulting from cyber incidents in highly interdependent sectors within and across national borders, in particular on the sectors covered by the NIS Directive such as energy, transport, health or banking. Following this assessment, the Commission will consider if there is a need for further specific rules and/or guidance on cyber risk-preparedness for such critical sectors.
Why does the Commission want to encourage checks of key public network infrastructures?
Public authorities have a role to play in verifying the integrity of key public network infrastructures such as telecoms or energy smart grids, to detect issues, inform the party responsible for these networks and, if needed, provide assistance in fixing known vulnerabilities.
National regulatory authorities could use the capacities of CSIRTs to conduct regular scans of public network infrastructures. Based on this, they could encourage operators to remedy gaps or address vulnerabilities that such scans could identify. This activity could substantially contribute to the security of key internet infrastructures.
The Commission will therefore examine the necessary legal and organisational conditions in order to allow national regulatory authorities – in cooperation with national cybersecurity authorities – to request CSIRTs to conduct regular vulnerability checks of public network infrastructures.
What will be the role of ENISA? Will its mandate be changed?
Since its establishment in 2004 ENISA has been contributing to the overall goal of ensuring a high level of network and information security in the EU.
The Agency works closely together with Member States, EU institutions and the private sector to address, respond to and especially to prevent NIS problems. This includes, among others, managing pan-European cybersecurity exercises, providing key information on NIS issues, such as the yearly cyber threat landscape report, and training.
The Commission is required to evaluate ENISA by 20 June 2018 in order to assess the possible need to extend or review its mandate, which currently expires in 2020. In view of the current cybersecurity landscape, in particular the increasing number and complexity of cyber-threats and the forthcoming adoption of the Network and Information Security Directive, the Commission aims to advance the evaluation and, subject to its results, present a proposal as soon as possible. The Commission is working to launch the evaluation by the end of this year.
II. The need for a cybersecurity single market
Why is the European Commission proposing market measures related to cybersecurity?
Europe needs high-quality, affordable and interoperable cybersecurity products and solutions. However, the supply of ICT security products and services within the single market remains very fragmented geographically. On the one hand, this makes it difficult for European companies to compete on the national, European and global level; on the other, it reduces the choice of viable and usable cybersecurity technologies that citizens and businesses have access to. No single EU country alone can overcome this fragmentation to help the industry achieve the economies of scale on a European level.
Why would it be relevant to have an EU certification framework for ICT security products?
Certification plays an important role in increasing trust and security in products and services. National initiatives are emerging to set high-level cybersecurity requirements for ICT components on traditional infrastructure, including certification requirements. While these show that the importance of certification is recognised, these bear the risk of creating fragmentation in the single market and of creating interoperability issues. Only in a few Member States are there effective security certification schemes for ICT products. An ICT vendor might therefore need to undergo several certification processes in order to sell in several Member States. It is possible that an ICT product or service designed to fulfil cybersecurity requirements in one Member State would not be considered to fulfil similar requirements in another. This is why the Commission will consider options for an EU ICT security certification framework.
Why would it be relevant to have an EU labelling scheme for ICT security products?
Labelling might be a useful tool to help users understand the level of cybersecurity of commercial products and increase their competitiveness in the single market and globally. National initiatives have started to emerge in this respect. Therefore, in addition to certification, the Commission will also explore the creation of a European, commercially oriented, voluntary and lightweight labelling scheme for the security of ICT products.
Why do we need more investment in cybersecurity in the EU?
The cybersecurity sector depends a lot on innovative SMEs, and the problems affecting investment in this area weigh heavily on the capacity to develop the European cybersecurity industry. The innovative SMEs in the field are often unable to scale up their operations because of a lack of easily available funding to support them in the early phases of development. Companies also have limited access to venture capital in Europe and their available budget for marketing to improve their visibility, or to deal with different sets of standardisation and compliance requirements, is inadequate. 75% of respondents to the recent public consultation on cybersecurity felt they lacked sufficient access to financial resources to finance cybersecurity projects and initiatives.
What does the Commission intend to do?
In order to ease access to finance and support the emergence of globally competitive cybersecurity clusters and centres of excellence, the Commission will:
- improve awareness among the cybersecurity community of financing opportunities at European, national and regional level (related to both horizontal instruments and specific calls) by using existing instruments and channels e.g. the Enterprise Europe Network.
- explore with the European Investment Bank (EIB) and the European Investment Fund (EIF) ways of easing access to finance. This can be in the form of equity and quasi-equity investments, loans, guarantees to projects or counter-guarantees to intermediaries, e.g. through the European Fund for Strategic Investment.
- look into developing with interested Member States and regions a Cybersecurity Smart Specialisation Platform to help coordinate and plan cybersecurity strategies and set up a strategic collaboration of interested parties in regional ecosystems.
III. Cybersecurity Public Private Partnership
Why does the EU need a Public-Private Partnership on cybersecurity?
Establishing a Public-Private Partnership (PPP) on cybersecurity in the area of technologies and solutions for online network security is one of the 16 initiatives put forward in the Commission's Digital Single Market strategy. Specific gaps persist in the fast-moving area of technologies and solutions for online network security and a more joined-up approach can help step up the supply of more secure solutions by industry in Europe and stimulate their take-up by enterprises, public authorities, and citizens.
The Commission's experience with the existing digital Public-Private Partnerships shows that they enable the partners to develop a long-term, strategic approach to research and innovation and reduce uncertainties by allowing for long-term commitments. The cybersecurity PPP will gather industrial and public resources to deliver excellence in research and innovation and maximise the use of available funds through greater coordination with Member States and regions. The goal is to help Europe's cybersecurity industry take advantage of the booming global cybersecurity market (estimated at $65.9 billion in 2013 and expected to grow to $80-120 billion by 2018 - source).
The PPP on cybersecurity will:
- build trust among Member States and industrial actors by fostering cooperation on early-stage research;
- align the demand and supply sectors for cybersecurity products and services by allowing the industry to understand better the requirements of end-users and customers of cybersecurity solutions (e.g. energy, health, transport, finance).
- develop common, sector-neutral and replicable building blocks such as encrypted storage and processing or secured communication. These should help ensure compatibility of solutions across borders, while allowing flexibility for products to be further adapted to the needs of specific markets or customers.
Who will be in the Partnership?
The PPP is a partnership between the European Commission and cybersecurity market players, represented by the European Cyber Security Organisation (ECSO). This partnership will also include members from national, regional and local public administrations, research centres and academia.
The European Cyber Security Organisation (ECSO) was launched on 13 June in Brussels. ECSO is a fully self-financed not-for-profit association (ASBL) under Belgian law. It is industry-led, with members including large European companies, SMEs and startups, research centres, universities, clusters and associations as well as local, regional and national administrations from the EU, the European Economic Area (EEA), the European Free Trade Association (EFTA) and Horizon 2020 associated countries. The founding members are the European Organisation of Security, Alliance pour la Confiance Numérique, Guardtime acting for the Estonian Association of ICT, and Teletrust. The partnership agreement is signed today in Strasbourg. Further information about the association will be made available at http://www.ecs-org.eu/.
When will the PPP be operational?
The contract between the European Union represented by the European Commission and ECSO representing the cybersecurity industry will be signed on 5 July in Strasbourg. The PPP will then begin its activities; the first calls for proposals related to the PPP under Horizon 2020 are envisaged in the first quarter of 2017.
How much money is being invested?
The EU will invest €450 million in calls for proposals related to this partnership, under its research and innovation programme Horizon 2020 (Leadership in Enabling and Industrial Technologies (LEIT-ICT) and Societal Challenge Secure Societies - SC7).
Cybersecurity market players, represented by ECSO, are expected to invest three times more. The Commission expects the industry to complement the public funding with a strong leverage from private investment, including the financing of related research and innovation and market activities.
How will the PPP on cybersecurity work?
The PPP will advise the European Commission on the cybersecurity parts of the future Work Programmes under Horizon 2020. The PPP will also be a platform for discussions between the supply and demand sides of cybersecurity products and solutions. This will help stakeholders to develop a common set of requirements for different sectors. Projects related to the PPP will be awarded through calls for proposals, which follow the rules and regulations of Horizon 2020. These calls will be described in the Horizon 2020 Work Programme, which is agreed by the Commission and Member States. As a general rule, these calls are open to all eligible and interested parties – companies, universities and research organisations established in the EU and Horizon 2020 associated countries.
What will this partnership do?
The industry has prepared a Strategic Research and Innovation Agenda, which identifies the following technical priorities:
- Assurance and security / privacy by design
- Identity, access and trust management (e.g. identity and access management, trust management)
- Data security (e.g. data protection techniques, privacy-aware big data analytics, secure data processing, secure storage; user empowerment, operations on encrypted data)
- Protection of the ICT Infrastructure (cyber threats management, network security, system security, cloud security, trusted hardware/end point security/mobile security)
- Cybersecurity services (e.g. auditing, compliance and certification, risk management, cybersecurity operation, security training services)
It also mentions a number of non-technical areas where action is needed:
- Education, training, skills development
- Fostering innovation in cybersecurity:
- Standardisation, regulation and certification
- Societal aspects
- Development of a cybersecurity ecosystem
- Defining the cybersecurity value chain
- Boosting SMEs
- Bottom-up track for cybersecurity innovation
The Commission will take this input into consideration when defining the next Horizon 2020 Work Programmes.
Has the Commission consulted stakeholders while creating the PPP?
The Commission launched a public consultation on 18 December 2015 to seek views on the forthcoming cybersecurity PPP. The consultation collected the views and expectations of enterprises, public organisations and citizens with respect to innovation in cybersecurity and the functioning of the European single market in the field of cybersecurity products and services. It was accompanied by a roadmap for a public-private partnership on cybersecurity.
The Commission and ENISA organised various workshops with stakeholders. See the background on the consultation process.