European governments have drafted a declaration to reinforce the EU’s cybersecurity capacities, including establishing a new fund and increasing EU funding to support national efforts.
The joint call will be adopted on Wednesday (9 March) in an informal meeting of telecommunications ministers organised by the French Presidency in Nevers. The schedule of the summit was reshuffled entirely to address the Ukrainian conflict.
“The recent cyberattacks which targeted Ukraine in a context of rising geopolitical tensions have shown how important the cyber dimension is in today’s conflicts,” reads the draft, seen by EURACTIV.
“While recognising the importance for the EU to strongly support Ukraine’s cyber resilience, the possible spillover effect of such cyber-attacks to European networks also highlights the need for the EU to move forward with an ambitious and comprehensive plan for its cybersecurity.”
The EU ministers undersigned a list of actions to face these upcoming challenges, including a call on the European Commission to establish a new Emergency Response Fund for Cybersecurity intended to prepare the EU to face large-scale cyberattacks.
The national governments also want additional EU funding to help member states scale up their cybersecurity capacities by helping create a market for trusted cybersecurity service providers for cybersecurity audits and incident response.
The funding should reinforce the resilience of at-risk operators, those that would be a primary target in case of conflict, while also favouring the development of a cybersecurity ecosystem.
“Encouraging the development of such EU providers should be a priority of the EU industrial policy in the cybersecurity field,” the declaration added.
The document also urges the relevant European authorities such as the European Commission, the national telecom regulators, the European Union Agency for Cybersecurity (ENISA) and the Network & Information Security (NIS) Cooperation Group to come up with a series of recommendations on how to reinforce the resilience of Europe’s digital infrastructure.
The telecom infrastructure was the subject of an input paper circulated by the French Presidency ahead of the discussion, also seen by EURACTIV. The input paper points to Europe’s infrastructure dependency, from global internet connections to submarine cables, owned mainly by American and Chinese companies.
The document argued for increasing the resilience of European networks via the diversification of backbone infrastructure, including with the recently launched initiative for secure satellite communications.
The French paper highlighted the risks related to the increasing use of cloud computing in 5G, as the new generation of networks are by default no longer managed physically but virtually with software that allows a more efficient allocation of resources.
At the same time, this virtualisation of the network opened up the door for more vulnerability points.
Telecom operators have been lamenting that, while they are ultimately responsible for the functioning of the network, the software providers do not face legal liability. As a result, software providers might not share the same sense of urgency in ensuring network resilience.
France tried to include software vendors in the revised Network and Information Security Directive (NIS2) scope, but the proposal was pushed back by other member states. The joint statement also calls for a swift adoption of NIS2, which the negotiators aim to adopt next month.
“There’s a need for a holistic approach,” Slovenian digital minister Mark Boris Andrijanič told EURACTIV. “No single piece should be left out simply because there’s a huge interdependency between all of our systems, being the hardware ones or the software ones.”
In addition, the declaration pointed to the Cyber Resilience Act, an upcoming piece of EU legislation designed to establish common cybersecurity standards for connected devices and services, currently expected for the third quarter of 2023.
Telecom providers hope software vendors will have to comply with these new requirements. However, it is still not clear whether the Cyber Resilience Act will only cover commercial Internet of Things devices or also business-to-business.
Moreover, member states are expected to restate the urgency of setting up the new Cybersecurity Competence Centre, soon to be opened in Romania, and reinforcing mutual assistance via the existing cooperation mechanisms.
“Finally, [member states] reiterate our firm commitment to keep the Ukrainian digital infrastructure and telecommunications networks functional while bolstering the cyber resilience of Ukraine with both, short and long term assistance,” the declaration concluded.
The EU governments are due to announce a new high-tech support package for the Ukrainian government at the end of the summit.
[Edited by Nathalie Weatherald]