Ansip plans new EU cybersecurity centre

Andrus Ansip said he wants to create a new EU "centre of excellence" to deal with cybersecurity certification of technology products. [European Union]

EU digital chief Andrus Ansip wants to set up a new office to certify the cybersecurity level of technology products — which would make them more competitive globally — as part of an overhaul of the bloc’s rules in September.

A network of new cybersecurity centres spread across the Union would be “even better” than only one centre, the European Commission vice-president said on Thursday (20 July).

The so-called centre of excellence would focus on promoting cybersecurity technology and technical skills.

“European products and cybersecurity products are not able, only some of them are able, to compete in the world market. We have to pay much more attention to this,” Ansip said.

Ansip will announce several new measures on cybersecurity certification in September, including a system to grade products based on their security features. He did not specify whether the system will be voluntary or legally binding—like the mandatory EU labelling method that grades products based on how energy efficient they are.

Commission plans cybersecurity rules for internet-connected machines

The European Commission is getting ready to propose new legislation to protect machines from cybersecurity breaches, signalling the executive’s growing interest in encouraging traditional European manufacturers to build more devices that are connected to the internet.

During a trip to Estonia earlier this month, Ansip visited NATO’s cybersecurity centre based in Tallinn. “More centres of excellence needed,” he tweeted on 13 July.

Ansip said an EU cybersecurity centre would focus on products, separating its work from the NATO office’s focus on defence and legal issues.

NATO’s centre organises cybersecurity and defence exercises to test its members’ ability to react to attacks. It also gathers research on cybersecurity that feeds into NATO’s work. Last year, the EU brokered an agreement to step up cooperation between the bloc’s institutions and the alliance, including by exchanging information on cybersecurity attacks and threats.

In addition to the certification system, Ansip’s announcements in September will include an updated EU cybersecurity strategy and a new legal basis for ENISA, the bloc’s Athens-based cybersecurity agency. ENISA’s directors have argued for a budget increase so they can hire more staff members and better coordinate how national cybersecurity authorities share information, especially if an urgent attack hits on a weekend or during the night.

EU cybersecurity agency seeks funds and power to police attacks

The EU cybersecurity agency ENISA will get a makeover in September when the European Commission renews its mandate and presents a batch of new cybersecurity measures. The director of the Athens-based agency has been asking for a bigger budget to deal with the rise in attacks on internet-connected devices.

Even though the new EU centre working on cybersecurity would not be a formal EU agency, it could create competition for ENISA.

Steve Purser, ENISA’s director of operations, told EURACTIV in a recent interview there is already a lot of competition between EU offices tasked with managing cybersecurity. EASA, the EU aviation agency, recently created its own new unit to deal with cybersecurity in aerospace.

“When it comes to collaborating with each other in an effective way, it does make sense to have hundreds of people at the European level, but not hundreds of organisations,” Purser said.

Ansip said the updated EU cybersecurity strategy should bolster the bloc’s ability to respond to attacks.

When the WannaCry ransomware attack affected companies across Europe in May, “there were a lot of member states who asked for some help from the European Union,” Ansip said.

EU police agency Europol and CERT-EU, the network of national cybersecurity authorities, helped to coordinate the response to WannaCry, Ansip added.

Most EU countries don’t have the manpower or resources to stop cybersecurity breaches once they’re attacked. “Just in five EU member states we have 24/7 capabilities when we are talking about national CERTs,” Ansip said, referring to the countries’ cybersecurity agencies.

MEPs push cyber security rules as 'political message' before EU overhaul

MEPs are pressuring the European Commission to propose new cyber crime rules on hacking vulnerabilities, encryption and information sharing between EU countries, ahead of a legal overhaul planned for September.