A way out of the Brexit morass?
09 May 2019 – 14:15 | No Comment

Brexit-bound Britain will participate in this month’s European Parliament (EP) election, unless UK prime minister, Theresa May, and opposition leader, Jeremy Corbyn, manage to push the thrice-rejected EU withdrawal agreement through the House of Commons …

Read the full story »

Energy & Environment

Circular Economy

Climate Change


Home » Cyber Security

Europe’s new cybersecurity package

Submitted by on 12 Apr 2018 – 17:37

With its new cybersecurity package, the EU is taking the first step towards a higher level of resilience and preparedness. Commissioner for Digital Economy and Society Mariya Gabriel outlines the EU’s new plan

European Commission President Jean-Claude Juncker earlier this year said “cyber-attacks know no borders and no one is immune.”Cyber-attacks are a challenge for individuals, organisations and governments, and the EU as a whole. To deal with this threat we need to cooperate more – and better.

Member states are building up their institutions, and at the EU level, we have proposed a stronger Cybersecurity Agency. The existing one, the European Network Information Security Agency (ENISA), which is based in Greece,will get a new mandate, around 50 percent more staff and an increased budget. It will continue to be a knowledge hub, conducting studies and advising policy makers.

The agency already serves as the secretariat of the network of cybersecurity incident respond teams of the member states. In the future, it should do so with increased technical and analysis capabilities of its own, not least in order to provide independent input into more traditional situational awareness activities. The agency will continue its close cooperation with other EU-level bodies, such as the computer emergency response team of the EU institutions, bodies and agencies (CERT-EU), and the European Cybercrime Centre (EC3).

We are upgrading ENISA, because this is what is needed right now – strong actors at all levels, which exchange information and respond in a coordinated way. The Commission has formally recommended member states to work with the EU institutions to establish a framework for responding to large-scale cybersecurity incidents and crises that affect several member states. A Blueprint annexed to the recommendation already shows how the cooperation could happen in practice. Member states should work with the Cybersecurity Agency to test the Blueprint in the next pan-European cybersecurity exercise to see what other improvements are needed.

Of course, even stronger institutions will only be as good as the people they employ and the technologies they use. In the field of cybersecurity, we need more people of all kinds and backgrounds – students, researchers and IT professionals. We need to train them and they need to see a perspective for their development in Europe, and especially in the public sector. This is why we have also put forward the project to create a cooperation network of cybersecurity research and competence centres in Brussels and the member states.

They should be involved in coordinating research and technological development and setting up infrastructure. Secure communications, encryption, data analysis and network defence all require substantial investments. Even when summing up private, member states and EU investments, we are outspent by other global actors and therefore it is imperative to avoid all inefficiencies, gaps and overlaps. The European Commission will table the necessary proposals for setting this up in 2018 and we will start with preparatory actions, worth €50 million, as soon as possible.

We must also tackle the vulnerabilities in our systems and networks and devices. This is not only about fixing known software bugs or applying security by design principles to new products.

It is also about creating the right incentives and frameworks to steer investments and behaviour into the direction of more and more systematic security. This is why the European Commission has put forward a European cybersecurity certification framework.


The Cybersecurity Agency will have a central role but experts from EU member states and industry will be deeply involved in the development of new certification schemes while the Commission ensures the validity of certificates in all member states.

This is a process for deciding the rules for devices and services to get EU-wide certification. There is no decision on the types of devices and services for which the first such certificates will be developed.

It is also not a decision on whether certificates, issued under such schemes, would become mandatory for certain product types or in certain contexts. The intention of the proposal is very clear – such decisions should be considered in the future, by legislators, by regulators and by public procurers. The economic rationale is clear, because vendors will only need one conformity assessment and one certificate for the whole EU, simplifying cross-border marketing, and providing significant savings.

Even more importantly, anybody who needs to buy secure products in the Digital Single Market will be able to do so without the uncertainty and costs, caused by different rules.

Cybersecurity is not the only barrier on the road towards a true Digital Single Market, and as we address each barrier, we must do so with measures that reinforce each other and create synergies.

With its new cybersecurity package, the EU is taking first steps towards a higher level of resilience and preparedness. It does so in a way that is consistent with international trade and cooperation, and with the goal to help all stakeholders including citizens, companies and the EU member states.