Vice-President of the European Commission responsible for the Digital Agenda
EU Cybersecurity Strategy
Panel on Building Cyber Resilience, World Economic Forum
Davos, 24 January 2013
Last year, the World Economic Forum was a wake-up call for many of us:
The WEF affirmed that in the next 10 years there is a 10% likelihood of a major Critical Information Infrastructure breakdown with possible economic damages of over $250 billion. Incidents and attacks are on the rise.
The big message was that cybersecurity is a matter that cannot be left to the technical people. It is a matter for board levels.
The WEF Principles and Guidelines on Partnering for Cyber Resilience that a number of leaders have signed are a very important step in that direction. They are evidence that we can work together, as public and private sector leaders, to raise awareness and build resilience.
This year we need to move to the next stage. We need to establish strategies to cope with the risks of cyber incidents and the best way to respond.
But we also need to transform the risk story into a growth story.
The big opportunities of the digital economy will not be realised if people are worried about security and do not trust networks and systems.
There are specific challenges that we need to address in that context. Cybersecurity is a global problem which requires a global response.
Awareness is not enough. What is required is investment and action. The public sector is to provide incentives to companies to invest more in security and to be transparent regarding threats and incidents.
For example, according to Eurostat, by January 2012 only 26% of enterprises in the EU had a formally defined ICT security policy with a plan for regular review.
The Cybersecurity Strategy for the EU, which I plan to present in the coming days with Commissioner Malmström and High Representative Ashton, will propose a comprehensive vision on cybersecurity and would address both the EU and the international dimension.
The Strategy will focus on the need to improve the overall resilience of network and information systems, including by stimulating the competitiveness of the ICT industry as well as user demand for security functionalities in ICT products and services.
Those initiatives will be complemented by actions stepping up the fight against cybercrime, by initiatives aiming at strengthening the external EU cyber security policy and exploring synergies between the civilian and the military dimension.
To strengthen cyber resilience and network and information security, the Strategy will be accompanied by a proposal for a Directive on Network and Information Security (NIS) across the EU, to ensure the smooth functioning of the internal market.
The proposal requires the Member States to be appropriately equipped. The Member States' NIS competent authorities would also be required to cooperate with each other at EU level. The European Network and Information Security Agency (ENISA) is to support this process by providing its technical expertise and advice.
The Commission will also propose to extend the obligations to adopt NIS risk management measures and to report significant incidents to national authorities, to new sectors which are vital for our economy and society (energy, transport, banking, healthcare, key Internet companies).
The Strategy will also include actions aimed at developing an integrated market for secure ICT solutions and fostering R&D investments.
After a series of consultations, I have become convinced that the matter of cybersecurity is too important to be left to the goodwill of companies.