EU updates NIS directive to tighten security in vital sectors

16 DEC 2020

The European Commission has presented plans for a new cybersecurity strategy for the EU. The plans include a reform of the Network and Information Systems directive in order to expand the critical services covered by tighter security obligations. The Commission also calls for greater coordination among the EU states and more international cooperation. The strategy for securing 5G networks is expected to be in place by Q2 2021. 

The NIS directive, the EU's first major cybersecurity legislation, passed in 2016, required each EU state to set up national cybersecurity bodies, such as a CSIRT and a coordinating agency, and to work with large providers of vital infrastructure, such as telecom, banking and energy networks, to anticipate potential security risks and coordinate responses to attacks. Barely two years after its implementation, the Commission sees a need for a 'NIS 2' to meet the growing number of security threats. The proposed directive would cover more vital services (such as food and pharmaceuticals), strengthen the security requirements and supervision, also address supply chain security, increase cross-border coordination, especially for large-scale threats, and tighten sanctions for violations of the directive to a minimum 2 percent of turnover.

To strengthen the legal basis for increased scrutiny of critical providers, the Commission also wants a new Critical Entities Resilience (CER) Directive. This expands the 2008 European Critical Infrastructure directive to cover ten sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Under the proposed directive, the EU states would each have to adopt a national strategy for ensuring the resilience of the critical entities and carry out regular risk assessments.

The two directives have been sent to Parliament and the Council for consideration. If approved, the EU states would have 18 months to implement the changes in national law.

In addition to increased information gathering and sharing under the above two directives, the Commission proposes a network of Security Operations Centres across the EU to strengthen cross-border cooperation. Powered by artificial intelligence, this would constitute a "cybersecurity shield" for the EU, able to detect signs of a cyberattack and share the information with all stakeholders before damage occurs. Additional measures would include dedicated support to small and medium-sized businesses through digital innovation hubs, as well as increased efforts to upskill the workforce, attract and retain cybersecurity talent and invest in research.

Additional EU coordination is planned through the Joint Cyber Unit, which will bring together law enforcement efforts in cybersecurity across the member states. The Commission called for similar cooperation among defense forces, building on the work of the European Defence Agency, and said it would work on expanding its cyber-diplomacy tools to enhance security at the international level. This includes working with third countries, regional and international organisations as well as industry bodies, led by an 'EU Cyber Diplomacy Network' to promote Europe's vision of cyberspace.

Financing for the new plans is expected to come from the recently approved Digital Europe Programme, which sets aside EUR 7.5 billion for digital projects in the next seven-year EU budget, and the new EU R&D programme Horizon Europe. In total, the Commission expects to mobilise up to EUR 4.5 billion of combined investment, including contributions from the member states and industry, for the cybersecurity plan, including the earlier agreement for a Cybersecurity Competence Centre and network of coordination centres. 

As part of the announcement, the Commission also released a new report on implementing the 5G security toolbox. It found the EU countries are making good progress with the plans since the last update in July and called for the process to be completed by Q2 2021.
