The European harmonisation of cybersecurity rules is going strong. The start of the French Presidency of the Council of the European Union is an opportunity to take a closer look at this and to call on the driving forces in the field to join the conversation of the 27 Member States.

Since 1 January, France has taken over the rotating presidency of the Council of the EU. The Council brings together the ministers of the 27 EU Member States and is a co-legislative body with the Commission and Parliament. In particular, the Council of the EU is the European institution that influences the legislative agenda. The Presidency of this institution is called « rotating » because it changes every 6 months.

It is indeed quite complicated to understand. And often, it is also complex to navigate—between procedures and other trialogues. But that is how we chose to work as a union of 27 countries, each with its own ambitions, priorities, history, and culture. The model is consensus, and to achieve it, it is best to be open-minded and patient.

I have come to talk to you about European politics on inCyber because digital is political. Cybersecurity is the « protect and defend » part of digital: would it be healthy to excise it from political decision-making at European level? (For those at the back of the room, this is merely a rhetorical question.) To accompany our common understanding of the issues and actions, I will be bringing a « Europe Calling » column here every month.

Increasing European harmonisation

The EU is becoming increasingly important in the field of cybersecurity and personal data protection. I don’t think it is necessary to dwell on the impact of the European General Data Protection Regulation: beyond the criticisms that can be levelled at it, the GDPR has given a serious boost to many cyber budgets.

Of course, the GDPR is only one facet of the European harmonisation effort. Since the first European cybersecurity text—the NIS Directive—came into force in 2016, a lot of water has flowed under the bridge. The same Directive was revised in 2020 and is expected to be finalised this year. A real mandate was created for ENISA (the European Union Agency for Cybersecurity), with the so-called Cybersecurity Act. We are in the process of publishing the first European cybersecurity certification scheme, which will cover cloud products. The list goes on with legislative projects on cyber resilience, e-Evidence, product security, semiconductors, etc.

Thanks to a common set of requirements and benchmarks, we are harmonising. The beauty of the gesture is secondary, as the objective is to create a minimum security level common to all Member States and to continue building the Single Market. The challenge—and the opportunity that goes with it—is to go beyond national borders and defragment the European market.

To illustrate this, let’s take the example of European certification. Imagine I have a « Cocoricloud » product and service offering, the Made in France cloud. Today, my customers are mainly French: even if I get the SecNumCloud label from the ANSSI by the sweat of my brow, it will hardly be understood beyond national borders. If I want to sell in Germany, I will have to sweat again to obtain an equivalent label from the BSI (the German ANSSI). And if I want to sell in Lithuania or Bulgaria, sweating will be useless, as there is no equivalent labelling scheme.

With a European certification of cloud products and services, I can achieve EU-wide understandability of the security guarantees offered by « Cocoricloud ». This is possible because the scheme includes various requirements—including some from the SecNumCloud standard—and makes them understandable and valid in each of the 27 Member States. I can thus certify « Cocoricloud » under the common European requirements of one single labelling scheme and then sell in Lithuania, Germany, and Bulgaria.

Europe’s cybersecurity must commence

Of course, on paper, all this is fantastic, easy, and bright. In practice, you discover every day the exquisite taste of what you have to swallow: the price of consensus. Now that I have nicely promoted the topic, why should we continue to promote more Europe in cybersecurity?

Because in cybersecurity, we are used to managing cross-functional issues, to considering risks and the corresponding countermeasures, and to reading complicated things (like binary code) in the original language. The European law-making process is all this. The problem is that there are too few voices from cybersecurity experts in the conversation of the 27 Member States.

Our participation in this conversation is the reason why the EC will release a new version of the NIS Directive, with security requirements focusing on, for example, the digital supply chain. Such participation contributed to the increasing importance given to topics related to vulnerability management. The same applies to the creation of dedicated investment portfolios for promising European cyber companies, the so-called cyber « nuggets ». The list is actually quite long.

Recognising that Europe is important for cybersecurity means getting involved in building strategic autonomy, strengthening our resilience, and creating a society of 550 million people. We can dither endlessly on social networks about the merits of this or that alliance or about the precise meaning of this or that phrase, but the solution is simple: to build a place under the democratic sun, the political vision is based on a technological offer and its economic viability.
