The pandemic, which moved citizens’ lives into the digital sphere, saw a rise in security breaches within European businesses and institutions. Cyber attacks against key European sectors doubled in 2020. Significant malicious attacks against key sectors doubled in Europe – up to 304 incidents compared to 146 in 2019 – according to the European Union’s Cybersecurity Agency (Enisa). Cyber attacks on hospitals and healthcare networks rose by 47%.
In Sep 2022, EU Commission presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. The Act, announced by President Ursula von der Leyen in September 2021 during her State of the European Union address, and building on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, will ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU: in addition to increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities, it will enable consumers to have sufficient information about the cybersecurity of the products they buy and use.
Margaritis Schinas, Vice-President for Promoting our European Way of Life, said: “The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society. The EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products. Today, we are completing this ecosystem through an Act that brings security in everyone’s home, in all our businesses and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.”
Thierry Breton, Commissioner for the Internal Market, said: “When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack. And yet, today most of hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
With ransomware attacks hitting an organisation every 11 seconds around the globe and the estimated global annual cost of cybercrime reaching €5.5 trillion in 2021 (Cybersecurity Ventures as quoted in Joint Research Centre report (2020): “Cybersecurity – Our Digital Anchor, a European perspective”), ensuring a high level of cybersecurity and reducing vulnerabilities in digital products – one of the main avenues for successful attacks – is more important than ever. With the growth in smart and connected products, a cybersecurity incident in one product can have an impact on the entire supply chain, possibly leading to severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening.
The measures proposed today are based on the New Legislative Framework for EU product legislation and will lay down:
(a) rules for the placing on the market of products with digital elements to ensure their cybersecurity;
(b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
(c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
(d) rules on market surveillance and enforcement.
The new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market. As a result, they will benefit consumers and citizens, as well as businesses using digital products, by enhancing the transparency of the security properties and promoting trust in products with digital elements, as well as by ensuring better protection of their fundamental rights, such as privacy and data protection
The Cyber Security Strategy for the European Union, which was released in February 2013 and endorsed by the Council in June 2013, emphasises, “Cyber security efforts in the EU also involve the cyber defence dimension.” Consequently, the European Council adopted a “Cyber Defence Policy Framework” in November 2014, highlighting five priorities:
- Supporting the development of Member States’ cyber defence capabilities related to CSDP;
- Enhancing the protection of CSDP communication networks used by EU entities;
- Promotion of civil-military cooperation and synergies with wider EU cyber policies, relevant EU institutions and agencies as well as with the private sector;
- Improve training, education and exercises opportunities;
- Enhancing cooperation with relevant international partners.
ENISA, the EU’s cybersecurity agency, was made a permanent agency in 2019 and given more money and responsibility for cooperation and coordination of EU member states. The EU passed a directive in December 2020 that required companies to address cybersecurity risks in their supply chains and supplier relationships and member states to conduct risk assessments.
In January, Brussels ran cyber war games featuring a fictitious Finnish energy company in order to test the resilience and preparedness of cybersecurity in Europe, part of a planned six-week exercise.
Among the European Commission’s proposals is an EU-wide “cyber shield” of security operations centres that use artificial intelligence and machine learning as an early-warning system for cyberattacks and a joint unit to share information and collectively respond to threats.
Cuber Warfare
Europe is also under growing cyber-warfare threat, as systems of three oil and transport companies in Europe and Africa were brought down on February 2, 2022. Europe was beginning to feel the war in Ukraine and the impact of tensions on the Russian border. This is in spite of new EU cybersecurity strategy presented by the European Commission where critical infrastructures, such as hospitals, energy grids and railways, were highlighted as a priority, but it also highlighted the risk to everyday homes and offices.
Cyberspace is understood as the fifth domain of warfare equally critical to military operations as land, sea, air, and space. Success of military operations in the physical domains is increasingly dependent on the availability of, and access to, cyberspace. The armed forces are reliant on cyberspace both as a user and as a domain to achieve defence and security missions.
Since 2008, the European Defence Agency (EDA) has been producing a Capability Development Plan (CDP) to answer the question, “how will Europe retain and develop the capabilities needed to react to the threats that may arise in the coming decades? It looks at future security scenarios and makes recommendations about the capabilities European militaries will need to react to different possible developments. Cyber security is also one of the priority actions underlined by the EDA’s Capability Development Plan. The European Defence Agency (EDA) is an intergovernmental agency of the Council of the European Union.
The updated EU Capability Development Plan (CDP) endorsed by the EDA Steering Board in June 2018 reconfirmed cyber defence as a priority for capability development in the EU. The CDP recognises the need for defensive cyber operations in any operational context, based on sophisticated current and predictive cyberspace situational awareness. This includes the ability to combine large amounts of data and intelligence from numerous sources in support of rapid decision making and increased automation of the data gathering, analysis and decision-support process. In November 2018, the European Council adopted an updated version of the EU cyber defence policy framework (CDPF).
The Agency is active in the fields of cyber defence capability development and in Research & Technology (R&T). In accordance with the 2014 Capability Development Plan Revision the focus lies on: Supporting member states in building a skilled military cyber defence workforce and Ensuring the availability of proactive and reactive cyber defence technology.
IDST Monthly Access Membership Required
You must be a IDST Monthly Access member to access this content.