Europe strengthens its cybersecurity

The year 2020 has been rich in terms of EU announcements related to digital transformation. In February-March 2020, at a time when the Covid-19 crisis was dominating people’s minds, the Commission published three communications: Shaping Europe’s digital future (COM/2020/0067), A European strategy for data (COM/2020/0066), and White Paper on Artificial Intelligence – A European approach to excellence and trust (COM/2020/0065). A few days later, on 10 March, A New Industrial Strategy for Europe (COM/2020/102) set out the broad lines of an ambition summarised by Thierry Breton: “Managing the green and digital transitions and avoiding external dependencies in a new geopolitical context requires radical change – and it needs to start now.” Since then, the European Parliament has published three non-binding reports on artificial intelligence (20 October 2020) and issued guidelines for the military and non-military use of AI, in particular in areas such as armed forces, justice, and health (20 January 2021). These documents have added to the body of work on digital Europe. Unfortunately, the COVID-19 crisis has changed the centre of gravity of priorities. In recent days, a certain recovery has been observed, with the publication of several structuring documents that have a direct impact on the cybersecurity strategy.

The creation of the Cyber Security Competence Centre

The approval of the Cybersecurity Competence Centre Regulation by the EU Council on 20 April 2021 should be followed by the final adoption of the text by the European Parliament.

The Cyber Security Competence Centre will be based in Bucharest. It will bring together the key European stakeholders—including companies, academic and research organisations, and other relevant civil society associations—to form a cybersecurity competence community to strengthen and disseminate cybersecurity expertise across the EU. It aims to strengthen the security of the Internet and other critical information systems and networks by pooling investment in cybersecurity research, technology, and industrial development. The European Cybersecurity Industrial, Technology and Research Competence Centre will work in cooperation with a network of national coordination centres designated by the Member States. It will in particular allocate cybersecurity-related funding from the Horizon Europe and Digital Europe programmes (see below). The Centre will be established for the period from the entry into force of the Regulation until 31 December 2029. It will then be dismantled…unless its mandate is extended following an evaluation and possible legislative proposal from the Commission. The activities of the new European Cybersecurity Industrial, Technology and Research Competence Centre will complement the tasks of ENISA.

The Digital Europe Programme

Regulation (EU) 2021/694 of the European Parliament and of the Council of 29 April 2021 sets out the financial envelope for the ‘Digital Europe Programme’ for the period 2021-2027. The programme comprises five Specific Objectives corresponding to key policy areas:

• High Performance Computing;
• Artificial Intelligence;
• Cybersecurity and Trust;
• Advanced Digital Skills;
• Deployment and Best Use of Digital Capacity and Interoperability.

European Digital Innovation Hubs should serve as access points for the latest digital capacities, including HPC, AI, cybersecurity, as well as for other existing innovative technologies such as key enabling technologies, available also in fablabs or citylabs.

According to the Regulation, “Cybersecurity is a challenge for the entire Union that cannot be addressed only by national initiatives. Europe’s cybersecurity capacity should be reinforced to endow Europe with the necessary capacities to protect its citizens, public administrations and businesses from cyber threats. In addition, consumers should be protected when using connected products that can be hacked and can compromise their safety. Such protection should be achieved together with Member States and the private sector by developing projects to reinforce Europe’s capacities in cybersecurity, by ensuring coordination between those projects and by ensuring the wide deployment of the latest cybersecurity solutions across the economy, including dual-use projects, services, competences and applications, as well as by aggregating competences in this field to ensure critical mass and excellence.“

In this spirit, the Specific Objective “Cybersecurity and Trust” aims to:

– support the building-up and procurement of advanced cybersecurity equipment, tools and data infrastructures, together with Member States, in order to achieve a high common level of cybersecurity at European level, in full compliance with data protection legislation and fundamental rights, while ensuring the strategic autonomy of the Union;

– support the building-up and best use of European knowledge, capacity and skills related to cybersecurity and the sharing and mainstreaming of best practices;

– ensure a wide deployment of effective state-of-the-art cybersecurity solutions across the European economy, paying special attention to public authorities and SMEs;

– reinforce capabilities within Member States and private sector to help them comply with Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (NIS Directive), including through measures supporting the uptake of cybersecurity best practices;

– improve resilience against cyberattacks, contribute towards increasing risk-awareness and knowledge of cybersecurity processes, support public and private organisations in achieving basics levels of cybersecurity, for example by deploying end-to-end encryption of data and software updates;

– enhance cooperation between the civil and defence spheres with regard to dual-use projects, services, competences and applications in cybersecurity, in accordance with a Regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres (the ‘Cybersecurity Competence Centre Regulation’).

The financial envelope for the implementation of the Programme for the period from 1 January 2021 to 31 December 2027 is EUR 7 588 000 000 in current prices, of which EUR 1 649 566 000 for the Specific Objective “Cybersecurity and Trust”.

The EU’s commitment is essential but cannot replace the strong obligation of each Member State to strengthen its own cybersecurity strategy. The exponential increase in cyberattacks over the past year has led some observers to “discover” what the FIC has been announcing since 2007: “Cybercrime is the crime of the 21st century”. To fight against this phenomenon, the idea of a European “shield” has been put forward. In fact, we should rather implement the “Roman turtle”, with each State having its own shield and the EU promoting uniformity and coherence of the whole.