One week before the European Commission is expected to present a slew of new cyber security proposals, Vice-President Andrus Ansip said that the new measures will not take away too much power from EU countries’ national authorities.
“We respect the sovereignty of our member states but we know that maybe in 50% of member states those national CERTs are not so able to protect networks,” Ansip said on Tuesday (5 September), referring to CERTs, or national units that respond to cyber security incidents.
An EU law that is set to go into effect next year requires member states to set up these units. The Commission is now pushing for national governments to work together, even more, to share information and help to stop attacks. But only a handful of EU countries have well-staffed response services.
“We know also that 5-6 CERTs have operational capabilities 24/7. In some situations there is a need to have operational capabilities on the level of the European Union,” Ansip added.
“But of course it’s up to member states either to ask for support coming from Brussels or somewhere else or not. We don’t want to push member states who are asking for this support and of course we will respect fully the sovereignty of our member states,” he said.
Ansip was speaking at a conference in Brussels that was organised by CERT-EU, the in-house cybersecurity office that responds to security breaches affecting the EU institutions.
He and newly appointed Digital Commissioner Mariya Gabriel are expected to present a legislative proposal next week that will give ENISA, the Athens-based EU cyber security agency, a bigger role in policing cyber security threats. They will also propose a new EU-wide certification scheme to measure the security level of technology products. On top of those legislative proposals, Ansip and Gabriel will also publish a wide-ranging cyber security strategy for the bloc.
The overhaul of ENISA is controversial because the agency’s management staff has been fighting for the EU executive to increase its budget for years, but has so far not succeeded.
Some EU countries are wary of giving too much power to EU institutions to intervene in cyber security issues. The Commission is also prodding member states to work more with each other to prevent attacks and respond to security breaches. But several member states are cautious about cooperating more closely with authorities in other EU countries if they do not trust them with sensitive information about security vulnerabilities.
National governments are likely to question the need for any new proposals that could force them to share more information with EU bodies or other member states.
“For everything the Commission proposes that increases centralisation or cooperation between member states, it must demonstrate clearly why that provides added value and a higher level of protection,” said one source who is close to the upcoming cybersecurity proposals.
In addition to encouraging member states to work closely together to monitor threats, the European Commission is also earmarking more funds for cyber security work. ENISA is not the only EU cyber security office that could receive a budget boost.
Ansip said he wants to give CERT-EU more resources to work on preventing and responding to hacking attacks.
“We plan to put CERT-EU on a stronger legal and administrative basis, providing for stable resources in the future. This is the right signal, at the right time,” he told conference attendees.
Five EU institutions—the Commission, the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions—negotiate the funding and provide staff for CERT-EU. Their agreement is expected to be updated this month and will likely give the office more money, EURACTIV has learned.
Ansip wants EU institutions to increase the amount of money they spend on cyber security to compete with other parts of the world. The United States spends several multiples of what EU member states invest in cyber security technologies, he added.
“It’s absolutely clear that in the European Union when talking about the next multiannual financial framework [the multi-year EU budget], we have to pay much more attention to cyber security issues,” Ansip said.