European Commission and High Representative of the Union for Foreign Affairs and Security Policy publish new EU Cybersecurity Strategy and rules to make physical and digital critical entities more resilient

The Commission and the High Representative of the Union for Foreign Affairs and Security Policy have presented a new EU Cybersecurity Strategy to bolster Europe’s collective resilience against cyber threats and ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools.

The new Strategy also allows the EU to step up leadership on international norms and standards in cyberspace, and to strengthen co-operation with partners around the world to promote a global, open, stable and secure cyberspace, grounded in the rule of law, human rights, fundamental freedoms and democratic values.

The Commission has also published legislative proposals to address both cyber and physical resilience of critical entities and networks: (i) a revised Security of Network and Information Systems Directive (2016/1148/EU) (NIS 2 Directive); and (ii) a new Directive on the resilience of critical entities. Both Directives cover a wide range of sectors and aim to address current and future online and offline risks, from cyber attacks to crime or natural disasters, in a coherent and complementary way.

Cybersecurity Strategy

The Commission says that the new Cybersecurity Strategy aims to safeguard a global and open internet, while at the same time offering safeguards, not only to ensure security but also to protect European values and the fundamental rights of everyone. Building upon the achievements of the past months and years, it contains concrete proposals for regulatory, investment and policy initiatives, in three areas:

  (i) resilience, technological sovereignty and leadership: the NIS 2 Directive would increase the level of cyber resilience of critical public and private sectors: hospitals, energy grids, railways, but also data centres, public administrations, research labs and manufacturing of critical medical devices and medicines, as well as other critical infrastructure and services; a new network of Security Operations Centres across the EU would form a “cybersecurity shield”, able to detect signs of a cyber attack early enough to take action before damage occurs;
  (ii) building operational capacity to prevent, deter and respond: a new Joint Cyber Unit would strengthen co-operation between EU bodies and Member State authorities responsible for preventing, deterring and responding to cyber attacks, including civilian, law enforcement, diplomatic and cyber defence communities; a strengthened EU Cyber Diplomacy Toolbox would prevent, discourage, deter and respond effectively against malicious cyber activities, notably those affecting critical infrastructure, supply chains, democratic institutions and processes; the EU would also aim to further enhance cyber defence co-operation and develop state-of-the-art cyber defence capabilities, building on the work of the European Defence Agency; and
  (iii) advancing a global and open cyberspace through increased co-operation: working with international partners would strengthen the rules-based global order, promote international security and stability in cyberspace, and protect human rights and fundamental freedoms online.

Proposed legislation

To respond to the growing threats due to digitalisation and interconnectedness, the proposed NIS 2 Directive would cover medium and large entities from more sectors based on their criticality to the economy and society. It would strengthen security requirements imposed on companies, address security of supply chains and supplier relationships, streamline reporting obligations, introduce more stringent supervisory measures for national authorities and stricter enforcement requirements, and harmonise sanctions regimes across Member States.

The proposed Critical Entities Resilience (CER) Directive expands both the scope and depth of the 2008 European Critical Infrastructure Directive. It now covers ten sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Member States would each adopt a national strategy for ensuring the resilience of critical entities and carry out regular risk assessments.

Next steps

The European Commission and the High Representative say they are committed to implementing the new Cybersecurity Strategy in the coming months. They will regularly report on the progress made and keep the European Parliament, the Council of the European Union, and stakeholders fully informed and engaged in all relevant actions.

It is now for the European Parliament and the Council to examine and adopt the proposed NIS 2 Directive and the Critical Entities Resilience Directive. Once the proposals are agreed and consequently adopted, Member States would then have to transpose them within 18 months of their entry into force.

The Commission will periodically review the NIS 2 Directive and the Critical Entities Resilience Directive and report on their functioning. The Commission’s press release is available in full on its website.