A cybersecurity strategy for a strong and sovereign digital Europe
Security is a basic human need and a protected fundamental right of European citizens. As the EU edges closer to its digital future, security must not be taken for granted. In our interconnected digital world, security and safety threats are becoming more complex, while the fine lines that separate the physical from the digital world are becoming more blurred. Cyber- attacks bridge the threats between these two worlds; the examples of cyberattacks crippling energy infrastructures, restricting access to bank deposits, taking down entire sections of the Internet or hacking into IoT devices like the smart lights we use in our homes, highlight that harm and insecurity can spillover from the digital to the physical world. The massive data leak in the Cambridge Analytica case ignited a privacy awakening and emphasised how personal data can be misused to manipulate users. In the aftermath of Cambridge Analytica, and as Europe strives to build a better, safer and more inclusive digital society, strong cybersecurity standards are needed to ensure the protection of digital human rights.
Digital transformation brings Europe a myriad of opportunities for innovation and prosperity, however it also exposes vulnerabilities in systems and networks.
Cyber- attacks are now more prevalent, swift and untraceable than ever before. As we now build the ground for new technologies in Europe, we aim at developing solutions to benefit and improve citizens’ lives. Trust is a decisive factor for the uptake of new technologies, and a strong cybersecurity framework will be the key to inspiring trust in users.
The COVID-19 pandemic accentuated our reliance on digital technologies and elevated the need for Europe to guarantee security in both the digital and the physical environments. The increasing immersion of digital technologies in Europe’s supply chains, critical infrastructures and the lives of citizens raises cybersecurity to a matter of strategic importance. Europe’s ambition to compete for global leadership in the development of exponential technologies such as AI and the IoT adds another layer to the intricacies of building a strong data economy permeated by a culture of cybersecurity-by-design.
The new cybersecurity certification framework under the Cybersecurity Act is important in establishing this culture of cybersecurity-by-design, with security fitted into products and services from inception. This voluntary certification framework sets three assurance levels aligned with cyber risks and classifies the depth of evaluation to obtain certification. Two certification schemes are already in preparation while priorities for further schemes are expected to be defined later this year. The certification framework addresses products, services and processes, including traditional ICT products, information services such as cloud storage, consumer IoT devices, and the connected devices that manufacturers use in medical devices and vehicles. The voluntary nature of the framework is periodically assessed and the Commission may decide upon making certain schemes mandatory.
This framework is aimed at enhancing trust and security in the Digital Single Market for both citizens and vendors, who stand to benefit from the competitive advantage of providing more secure digital solutions in Europe.
Combined with a reinforced mandate for ENISA, this framework is an opportunity to reach a higher degree of harmonisation in the Single Market.
The Commission’s proposal for a Joint Cyber Unit increases internal coordination to prevent and deter cyberattacks by instituting a mutual assistance mechanism. A clear process, objectives and timeline are expected by the end of the year. The EU has underlined the strengthening of its cyber resilience by emphasising cyber-defence as part of the Common Security and Defence Policy, while Member States are collaborating under PESCO to establish four cyber projects, including Rapid Response Teams to detect and deter cyberattacks. This year, the EU also adopted a joint toolbox of mitigating measures to address the security risks related to 5G, which is poised to become the breeding ground for developing and deploying exponential technologies in Europe at scale.
Resilience and coordination are needed at the international level. The interconnectedness of the digital ecosystem means that cyberattacks that happen outside the EU have a major impact on security within the Union. The EU has a comprehensive cyber diplomacy toolbox aimed at preventing, deterring and responding to malicious behaviour in cyberspace. An autonomous cyber-sanctions regime within this toolbox was used for the first time in late July this year, imposing travel bans and assets freezes against six individuals as well as assets freezes against three entities involved in cyberattacks known as WannaCry, NotPetya and Operation Cloud Hopper targeted against companies located in the EU.
Citizens, businesses and governments cannot expect to be protected at the national level alone. The digital ecosystem is global, and so are the risks that it carries for security and safety in the cyberspace. Our goal is to develop high-quality, safe and secure techno- logical solutions in Europe while protecting the digital human rights of citizens, and creating a prosperous and inclusive digital society founded on open innovation and trust. Our ambition to become technologically sovereign and lead in the race for purpose-driven innovation based on our common European values requires both a culture and an enforceable cybersecurity framework that protects citizens, businesses and governments, while enabling safe and secure innovation.