EU Cyber Strategy


04-02-2021

In December, the EU Commission published a new EU Cybersecurity Strategy (the “Strategy”) to enhance “collective resilience against cyber threats and ensure citizens and businesses across the EU can fully benefit from trustworthy and reliable services and digital tools”.

The EU Commission noted that increases in cyber-attacks during the coronavirus pandemic highlighted the importance of protecting hospitals, research centres and other infrastructure from attack.

This Strategy aims to elevate the EU as a leader in international standards in cyberspace and strengthen worldwide co-operation “to promote a global, open, stable and secure cyberspace grounded in the rule of law, human rights, fundamental freedoms and democratic values”.

The Commission has simultaneously made proposals through the revised NIS Directive (“NIS 2”) and a new Directive on the resilience of critical entities (“Critical Entities Resilience Directive”) which cover a wide range of sectors and aim to address “current and future online and offline risks from cyberattacks to crime or natural disasters”.

The Strategy

The EU Commission states that the Strategy aims to provide safeguards to not only ensure security but also protect European values and fundamental rights through three key areas:

1. Resilience, technological sovereignty and leadership – the Commission proposes to reform the rules on security of network and information systems through NIS 2. The aim is to increase the cyber resilience of critical public and private sectors, such as hospitals, energy grids and railways, as well as data centres, public administrations, research labs and the manufacturing of critical medical devices and medicines, among others, so that these infrastructures and services remain protected. Additionally, the Commission proposes to launch a ‘cybersecurity shield’ via a network of Security Operations Centres across the EU, powered by artificial intelligence (AI), to detect and take action against cyberattacks before damage occurs.

2. Building operational capacity to prevent, deter and respond – the Commission is preparing a Joint Cyber Unit to strengthen cooperation between EU bodies and Member State authorities to prevent, deter and respond to cyber-attacks. This is particularly relevant for attacks affecting critical infrastructure, supply chains and democratic institutions and processes.

3. Advancing a global and open cyberspace through increased cooperation – the EU will work with international partners and seek to advance international norms and standards that reflect EU core values. The EU also aims to form an EU Cyber Diplomacy Network around the world to promote its vision of cyberspace.

Cyber and physical resilience

The proposed NIS 2 will cover medium and large entities from more sectors based on their criticality for the economy and society. It does so by strengthening security requirements, addressing the security of supply chains and supplier relationships, streamlining reporting requirements, introducing stricter enforcement and supervisory measures and harmonising sanctions across Member States.

The proposed Critical Entities Resilience Directive expands the scope of the previous directive, covering ten sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Under the proposals, Member States would implement national strategies for ensuring resilience and carry out regular risk assessments.

Next steps

The EU Commission stated its commitment to implementing this Strategy in the coming months, noting that it is now for the European Parliament and the Council, and subsequently Member States, to transpose the Directives within 18 months of their entry into force.

We are continuing to monitor progress in this area and will provide further updates as more information becomes available.