Európska rada
Rada Európskej únie

Reform of cyber security in Europe

Infografika – EU cyber security

How and why to improve cyber security in the EU?

The European Union aims to strengthen its cyber security rules in order to tackle the increasing threat posed by cyber attacks as well as to take advantage of the opportunities of the new digital age. 

To this end, on 13 September 2017, the European Commission proposed a cyber security reform package. 

This reform aims to build on the measures put in place by the cyber security strategy and its main pillar, the directive on security of network and information systems (NIS directive)

The proposal sets out new initiatives such as: 

  • building a stronger EU cyber security agency
  • introducing an EU-wide cyber security certification scheme
  • swiftly implementing the NIS directive

During the European Council held on 22-23 June 2017, EU leaders called for the full implementation of the digital single market strategy and mentioned cyber security as one of its main elements. 

Why do we need it?

Faced with ever-increasing cyber security challenges, the EU needs to improve awareness of and response to cyber-attacks aimed at member states or EU institutions. 

The 'internet of things' is already a reality, with tens of billions of connected digital devices expected in the EU by 2020. 

At the same time, today's ICT systems can be seriously affected by security incidents, such as technical failures and viruses. These kinds of incidents, often called network and information systems (NIS) incidents, are becoming more frequent and difficult to deal with.

Threats and opportunities of cyber security

  • Security incidents across all industries rose by 38% in 2015
  • 80% of European companies experienced at least one cyber security incident in 2015
  • 86% of Europeans believe the risk of cyber crimes is increasing

Source: European Commission

Many businesses and governments across the EU rely on digital networks and infrastructure to provide their essential services. This means that when NIS incidents occur, they can have a huge impact by compromising services and stopping businesses from working properly. 

In addition, an NIS incident in one country can have an effect in others and even across the whole EU. Security incidents also undermine consumer confidence in online payment systems and ICT networks.

Despite the growing threat, awareness and knowledge of cyber security is still insufficient:

  • 51% of European citizens feel uninformed on cyber threats
  • 69% of companies have no basic understanding of their exposure to cyber risks. 

In detail 

On 22-23 June 2017, the European Council welcomed the European Commission's intention to review the cyber security strategy and to propose further action before the end of the year. 

New EU cyber security agency 

The Commission proposed to build a stronger EU cyber security agency on the structures of the existing European Union Agency for Network and Information Security (ENISA). The new agency's role would be to help member states, EU institutions and businesses deal with cyber attacks. 

Cyber security certification scheme

To enable the growth of the EU cyber security market, the European Commission also proposed EU-wide certification schemes for ICT products, services and processes. They would take the form of rules, technical requirements and procedures. 

Their role would be to reduce market fragmentation and remove regulatory barriers while also building trust. For instance, the certification schemes would be recognised in all member states, making it easier for businesses to trade across borders. 

NIS directive on the priority list

Member states have until May 2018 to transpose the cyber security strategy into national law and up to December 2018 to identify operators of essential services.

The Council adopted the EU-wide cyber security rules in May 2016. They entered into force in August 2016.

The network and information security (NIS) directive was introduced to increase cooperation between member states on the vital issue of cyber security. It laid down security obligations for operators of essential services (in critical sectors such as energy, transport, health and finance) and for digital service providers (online marketplaces, search engines and cloud services).

According to the NIS directive, each EU country will also be required to designate one or more national authorities and to establish a strategy for dealing with cyber threats.

Securing the digital single market

Cyber security can enable innovation and help focus on data as the new 'oil of the economy'. Securing Europe's digital future can also mean:

  • tackling the threats to online platforms and enabling them to make a positive contribution to society
  • supporting small and medium-sized enterprises to be competitive in the digital economy 
  • investing in the use of artificial intelligence and supercomputers in areas such as medical treatments and energy efficiency.

From supporting competence to fighting fraud

The European's Commission proposal to strengthen EU's cyber security includes additional initiatives:

  • a blueprint for how to respond to large scale cyber attacks
  • an European Cybersecurity Research and Competence Centre joined by a network of similar centres at member state level
  • a more effective criminal law response to cyber crime through a new directive to fight fraud and counterfeiting of non-cash payments
  • strengthening global stability through international cooperation.