EU lawmakers demand strong security against cyber threats


MEPs have called for beefed-up EU security against cyber threats in a resolution on the bloc’s Cyber Security Strategy, known as EUCSS, for the digital decade.

“This parliament is working on the best cybersecurity legislation this continent has ever seen thus far,” Renew Europe MEP Bart Groothuis said.

The document stresses the need to tackle evolving hybrid threats by non-state actors that are becoming increasingly sophisticated and numerous.

“Cybersecurity is one of the major challenges we are currently facing in security policy,” Green MEP Rasmus Anderson said in the European Parliament debate on the resolution last week.

MEP’s also emphasised the need to address the geopolitical dimensions of cyber threats.

“The political conclusion must be that ransomware is not just a technical problem, […] it is also a foreign policy problem,” Groothuis stressed and added that “we have to hold Russia accountable for offering save havens to ransomware criminals.”

Cybersecurity vulnerabilities have been particularly exposed during the COVID–19 pandemic, as teleworking and social distance have increased the dependency on digital technologies and connectivity.

“The pandemic has accelerated the shift towards digitalization,” EEP MEP Seán Kelly said, added that “this comes with a significant rise in cybercrime, as criminals take advantage of the massive shift towards remote work.”

Lawmakers also called on the European Commission to introduce cybersecurity requirements for various software and stressed that the continued use of outdated software represents a major security risk that should be addressed in the proposal.

The EUCSS was published by the Commission in December 2020 with the aim of tackling evolving cybersecurity threats and proposed several new initiatives to foster resilience and situational awareness.

“The European Cyber Security Strategy stresses that technological sovereignty is key for building a more resilient union,” Budget Commissioner Johannes Hahn said.

One of the major proposals to tackle cyber threats and to enhance capabilities is the Revised Directive on Security of Network and Information Systems (NIS2) that is currently being negotiated by government ministers and the European Parliament.

EU-wide law on cybersecurity

The NIS directive came into force in 2016 and was aimed at increasing security of network and information systems across the EU. But given the unprecedented acceleration of digitalization during the COVID-pandemic, the Commission has decided to refresh it.

The revisions widen the scope of the directive to include more sectors and services that are deemed critical to the economy and society – such as digital services or manufacturers of critical products – in the list of important entities.

It also introduces more stringent supervision measures and includes means to support coordinated management of large-scale cybersecurity incidents as well as increased cooperation between member state authorities.

Commissioner Hahn stated that it is a “commitment to an open but trustworthy core internet in Europe.”

Industry groups have welcomed the move.

“There can be no doubt that a NIS update is needed. Especially in the light of the rise in number and sophistication and impact of cyber incidents, that we can see literally every day,” said Trevor Rudolph Vice President for Global Digital Policy & Regulation at Schneider Electric.

The proposal also includes a mandatory 24-hour notification period of major incidents to confirm “the legal obligation to making an agile response to incidents,” Hahn said.

However, this short reporting timeline does not sit well with industry representatives.

“I understand the reflexive nature of government authorities and legislators in wanting to get incident information as quickly as possible. However, 24 hours to report a major incident is a ridiculous requirement. If you are going to have to reply by 24 hours, the receiver of the information is not going to get anything of value,” complained Rudolph at the RSA Conference on Cybersecurity on Thursday (10 June).

[Edited by Benjamin Fox]

Subscribe to our newsletters