MEPs have called for the EU institutions to put more money into their in-house cybersecurity units and, in a contentious move, also demanded they stop using products from “malicious” Russian firm Kaspersky Lab.
A broad majority of EU lawmakers backed the resolution on Wednesday (13 June), which sets the European Parliament’s approach to a European cyber defence policy, an area where EU institutions have been moving to step up their work.
The MEPs’ report is not legally binding—but its most controversial demand will spark fears that Brussels has set its sights on clamping down on foreign technology companies.
The most explosive measure is buried at the end of the report, where the Parliament asks EU bodies “to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices”.
In the first-ever such call from an EU institution, the MEPs want EU institutions “to ban the ones that have been confirmed as malicious, such as Kaspersky Lab”.
The resolution was approved with 476 votes in favour, 151 against, and 36 abstentions.
The Russian antivirus company has already faced backlash in a handful of EU countries. Last year, the UK cybersecurity agency warned government offices to stop using Kaspersky Lab products amid fear that it is under Russian government control. Lithuania also banned its software on computers that are used to manage critical infrastructure. The Dutch government announced last month that it will drop Kaspersky Lab products over security concerns.
President Donald Trump approved legislation last year banning US federal government offices from using the firm’s products.
Kaspersky Lab has denied allegations that the Russian government can manipulate its software.
The MEPs’ insistence on a product ban quickly created a spat with the firm. On Wednesday evening, several hours after the Parliament vote, the company hit back at the report.
CEO Eugene Kaspersky said the vote “welcomes cybercrime in Europe”. He announced that the company is stopping its work with EU police agency Europol on the No More Ransom project, a partnership between authorities and companies to detect ransomware.
Kaspersky said, “I do not wish to do anything to further encourage the balkanization of the internet, but I feel that the decision taken in Europe leaves me with no choice but to take definitive action. Kaspersky Lab has only ever tried to rid the world of cybercrime”.
A spokesperson for the firm said it would suspend its work with Europol “until we receive further official clarifications from the European Parliament”.
Hours before Kaspersky Lab’s announcement to leave the No More Ransom programme, Tine Hollevoet, a Europol spokeswoman, had described the partnership as “an initiative which aims to help victims of ransomware retrieve their encrypted data without having to pay the criminals”.
Hollevoet told EURACTIV that the agency receives cybersecurity advice from researchers at private companies, including Kaspersky Lab.
“This has benefited Europol in a number of non-sensitive areas,” she said.
EC3, Europol’s cybercrime unit, does not use Kaspersky Lab products.
Urmas Paet, the Liberal MEP and former Estonian foreign minister who authored the Parliament report, stood by the call for an EU institutional ban.
“These decisions must be taken seriously, they have not been taken out of the blue but instead have been drawn from various partners and intelligence sources. Considering the overall situation of EU-Russia relations, and Russia’s aggressive behaviour, we should not be taking risks that could cause serious damage to the EU,” Paet said in a statement after the Parliament vote.
Other European institutions have been less bothered by security concerns over Kaspersky Lab.
EU Digital Commissioner Mariya Gabriel wrote in response to a MEP’s question this April that there is “very limited use of Kaspersky Lab software in the Commission”.
She said that Commission analysts use a Kaspersky Lab antivirus “to analyse malware samples in a controlled off-line environment separated from the Commission networks and without any direct Internet connection”.
Gabriel added, “the Commission has no indication for any danger associated with this anti-virus engine”.
The Parliament report also called for the European Commission, Council and other EU offices to streamline and improve their cybersecurity and intelligence sharing work. It described EU countries as vulnerable to cybersecurity attacks “due mainly to the fragmentation of European defence strategies and capabilities”.