How do we ensure the cybersecurity of the EU digital infrastructures and economy?

By Juhan Lepassaar, Executive Director of ENISA


With the ongoing digitalisation of our society, the security of critical infrastructures connected to the internet is now attracting the attention of all EU economic sectors, such as transport, energy, health, communications and public government services.

As such infrastructures have become increasingly interdependent, ensuring their cybersecurity is now a key objective of the European Union (EU).

Although increased digitalisation improves the monitoring and delivery of services, it also comes with a significant risk of exposure to cyberattacks and cybersecurity incidents which can potentially jeopardise the security of supply chains and the privacy of consumers’ data.

This is why the European Commission intends to strengthen the European resilience of such infrastructures against physical, cyber and hybrid threats in accordance with the EU Security Union Strategy presented in July 2020. The EU Agency for Cybersecurity, ENISA, plays an important role in implementing the strategy and is utilising its mandate fully to do so. The revision of the Network and Information Systems (NIS) Directive, which provides a mandate for the newly formed Cyber Crises Liaison Organisation Network (CyCLONe), was timely given the geopolitical context following the invasion of Ukraine.


ENISA’s mandate in relation to digital critical infrastructure security

The Cybersecurity Act (CSA) gave ENISA an extended mandate, which includes actions pertaining to the digital security goals to be reached in relation to critical infrastructures. ENISA engages with all the actors of the different sectors of the EU, together with Member States and EU institutions and bodies, to issue recommendations and to ensure the highest level of trustworthiness in the command, control and supervisory control systems used in all critical infrastructure networks.

Within this context, ENISA’s role is to support the EU with these new endeavours. ENISA is doing so by providing support at technical, operational and policy levels to EU national authorities mandated to ensure both national and cross-border security of essential services.


ENISA supports operational cooperation at EU level

Given the nature of cross-border incidents, ENISA works to strengthen cooperation among Member States and EU institutions, bodies and agencies. This can be through operational cooperation, such as jointly creating situational awareness, or through capacity-building activities such as joint cyber exercises. ENISA therefore acts as a lead management coordinator between technical actors and political decision-makers in the event of a large-scale cross-border cyber crisis.

ENISA also supports Member States with the organisation of cyber exercises such as Cyber Europe, meant to test the cybersecurity levels, business continuity processes and crisis management capabilities of specific sectors. In 2022, the Cyber Europe exercise tested the resilience of the EU healthcare sector.


ENISA supports the development of EU certification schemes

ENISA stands as a central information hub for the European Commission, contributing to and supporting the EU initiatives meant to implement the EU’s Cybersecurity Strategy in the Digital Decade, and providing support upon request.

An example of this commitment is the task given to us to draft cybersecurity certification schemes. Under its mandate, the European Union Agency for Cybersecurity has been assigned the responsibility to develop candidate cybersecurity certification schemes. The purpose of the EU Cybersecurity Certification Framework under the CSA is to establish and maintain trust in, and the security of, cybersecurity products, services and processes. Drawing up cybersecurity certification schemes at EU level aims to provide criteria for carrying out conformity assessments that establish the degree of adherence of products, services and processes to specific requirements. The first scheme covers the certification of ICT products using the Common Criteria (ISO/IEC 15408) and is the foundation of a European cybersecurity certification framework, with further schemes, including ones on cloud services and 5G, being prepared.


ENISA provides insights on incident reporting and threat analysis

The Agency issues a yearly threat landscape report to identify trends. The ENISA Threat Landscape report is meant to give essential insights into the evolution of threats. With more than 10 terabytes of data stolen monthly, ransomware remains the top threat, alongside attacks against availability, also called Distributed Denial of Service (DDoS) attacks. The analysis of threat actors and threat trends helps support better preparedness across the EU and among relevant EU bodies and sectors.

With data on cyber incidents publicly available, ENISA collects incident reports and performs incident reporting analysis. Notification rules for cybersecurity incidents for operators of essential services in a wide range of critical sectors, such as energy, transport, finance and health, were first introduced by the EU Directive on Security of Network and Information Systems (or NIS Directive) when it came into force in 2018, and will be extended further with the revision of the directive, known as NIS2.


ENISA supports the development and implementation of EU legislation

The NIS2 Directive, adopted by the European Parliament and by the Council, provides for stronger cybersecurity risk and incident management and will introduce mechanisms for effective cooperation among relevant authorities in each Member State. The new directive will also introduce reporting obligations across sectors.

Cybersecurity provisions are included in a number of different legislative initiatives focused on specific sectors. This is the case for the Digital Operational Resilience Act (DORA), the Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS) and the European Electronic Communications Code (EECC). ENISA is also involved in the preparation of the new regulation on the cybersecurity of EU institutions, bodies and agencies (EUIBAs).

A major role of ENISA is to support the implementation of Union cybersecurity policy and law. The Agency will therefore continue to engage with Member States to identify best practices that help them navigate the different pieces of legislation and implement the revised Directive. ENISA is at the forefront of offering state-of-the-art advice and counsel to create a trusted and cyber-secure future for all.