The EU’s Cybersecurity Strategy for the Next Decade

On December 16, 2020, the European Commission released the EU’s cybersecurity strategy for the next decade (see press release here and report here). 

The EU’s cybersecurity strategy puts forward concrete proposals for regulatory, investment and policy initiatives in the following three areas: 

  1. Resilience, technological sovereignty and leadership – the European Commission proposes to: 
    • reform the Network and Information Systems Directive (Directive (EU) 2016/1148) to increase the level of cyber resilience of all relevant sectors, public and private, that are important for the economy and society; 
    • build a network of Security Operations Centers across the EU; 
    • work with EU Member States to deploy a new means to transmit confidential information using an ultra-secure form of encryption built with European technology to shield against cyberattacks; 
    • work with EU Member States to ensure that the risks relating to 5G and future generations of networks are mitigated adequately and in a coordinated way; 
    • adopt new horizontal rules to improve the cybersecurity of all connected products and associated services placed on the EU internal market, in particular by establishing a new duty of care for connected device manufacturers; 
    • develop a contingency plan, supported by EU funding, for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system; 
    • financially support cyber-secure digital transformation to foster leadership in digital technologies and cybersecurity across the digital supply chain (including data and cloud, next generation processor technologies, ultra-secure connectivity and 6G networks); and 
    • develop cybersecurity awareness and guidance. 
  1. Building operational capacity to prevent, deter and respond– the European Commission proposes to: 
    • establish a Joint Cyber Unit to serve as a virtual and physical cooperation platform for the different cybersecurity communities in the EU, with a focus on operational and technical coordination against major cross border cyber incidents and threats; 
    • improve the capacity of law enforcement to investigate cybercrime, fully respecting fundamental rights; 
    • strengthen the cyber diplomacy toolbox to ensure a joint EU diplomatic response to malicious cyber activities; and 
    • review of the Cyber Defence Policy Framework to enhance further coordination and cooperation between EU actors, as well as with and between Member States. 
  1. Advancing a global and open cyberspace through increased cooperation– the European Commission proposes to: 
    • step up its engagement in, and leadership on international standardization processes, and enhance its representation in international and European standardization bodies as well as other standard development organizations; 
    • advance responsible state behavior in cyberspace in international fora and strengthen and expand cyber dialogues with third countries; and 
    • develop an EU External Cyber Capacity Building Agenda to ensure coherent measures to strengthen cyber resilience, capacities to investigate and prosecute cybercrime, and address cyber threats. 

In parallel to the abovementioned EU cybersecurity initiatives, EU Member States are also proposing national measures to combat cyber threats. For example, the German government adopted on December 16, 2020, the draft IT Security Act 2.0 (still pending approval). This act will set new standards for defending against cyber-attacks and is expected to significantly impact IoT services. 

This appeared first in Covington’s internal blog –