New EU cyber strategy leaves key security gaps

Last month, the European Commission released a report on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU”. GRI examines the strengths and weaknesses of this proposed strategy.

The strategy is based on three principles: building greater resistance against cyber vulnerabilities, deterring cyber attacks against member states and increasing cooperation at the European and international level. In order to meet these goals, the first reform proposed by the Commission is to transform the European Agency for Network and Information Security (ENISA) into a permanent, independent structure which would assist EU institutions and Member States in developing and implementing cybersecurity policies and cooperation.

New certification scheme

A strengthened ENISA would enable improved intelligence sharing, facilitate the organization of cybersecurity exercises on a European level, and provide member states with operational assistance in the event of cyber attacks. The Commission is also planning to double the Agency’s annual budget to 23 million euro, and increase its workforce.

The revision of ENISA is, however, not the only component of the Commission’s cybersecurity strategy. Further plans for a new European certification scheme are underway to ensure the safety of several ICT products and services. Other proposed measures include the creation of a Cybersecurity Emergency Fund to support member states that have fallen victim to cyber attacks, and a European Cybersecurity Research and Competence Center aimed at training and recruiting experts in the field to complement efforts at the national level.

Finally, the European Commission aims to develop more effective law enforcement responses to cybercrime by focusing on detection and prosecution of offences such as fraud and counterfeiting of non-cash means of payment. It is now up to the European Parliament and Council to approve these initiatives, and determine their implementation.

Incentives for enhanced cybersecurity and a digital single market

There is a compelling economic incentive to put in place stronger mechanisms to combat cyber-related threats: the European Commission estimates that approximately 80 percent of companies in the EU have been subject to cybersecurity attacks, at an estimated cost of 265 billion euro in damages every year, a value estimated to quadruple by 2019. In 2016 alone, more than 4,000 ransomware attacks occurred on a daily basis across the EU, and the economic and financial impacts of such incidents have been increasing dramatically.

Moreover, the European Commission’s chief of security claims that a stronger EU cyber agency would help member states to protect themselves against election hacking, as well as other attacks targeting crypto-currencies and economic institutions. The increased focus on cybersecurity in the EU is creating significant growth for the cybersecurity market in the region, and the industry is expected to grow by as much as 7.2 percent by 2020 to a worth of $16 billion.

The creation of this new EU cybersecurity strategy can also be understood as a stepping stone in the Commission’s goal to create a so-called digital single market, in which the free flow of non-personal data is ensured, as opposed to the current system within which such information is stored and processed inside national borders. According to the European Commission, the free movement of such non-personal data could generate as much as 370 billion euro per year for the single market.

Limited coordination and information sharing

The EU’s new program to strengthen cybersecurity is undoubtedly a positive development for the creation of a unified strategy against cyber-related threats. Nevertheless, it does not entirely eliminate fragmentation between the member states, and coordination and exchange of best practices at the EU level are still needed. The creation of a digital single market is yet to be actualized, and internal divisions with regard to cybersecurity amongst member states pose a limitation to the strategy’s effectiveness.

For instance, it is still unclear whether the new strategy will actually result in enhanced information sharing between the member states. While the Commission has listed the sharing of cybersecurity information and best practices as one of its main goals, it remains an especially sensitive and difficult issue, given the existence of considerable constraints to the free flow of data and the relative lack of willingness on the part of member states to adhere to such a scheme.

However, this needs to change if the European Union wants to transform its current efforts on cybersecurity into a truly effective, consolidated strategy. Indeed, as argued by Software Alliance’s Policy Director General, it is necessary for Europe to develop a united front against cyber-related threats by harmonizing its approach, as well as by cooperating and sharing information to the greatest extent possible.

About Author

Benedetta Di Matteo

Benedetta obtained an LLM degree in International Laws from Maastricht University, specializing in Public International Law and International Relations. Benedetta worked as an open source analyst for Horizon Intelligence, a Brussels-based political risk firm, focusing on political and security trends in Latin America. She also completed a traineeship at the Council of Europe's Economic Crime and Cooperation Division. Benedetta focuses on international security issues, including transnational crimes.