The EU has been identified as a “prime target” by malicious global cyber attackers and the bloc needs to reinforce its capabilities to defend itself amid this new threat landscape, the European Commission has said.
Unveiling a raft of new measures to bolster cybersecurity in the EU on Wednesday (16 December), Commission Vice-President Margaritis Schinas said that there are many ill-intentioned actors in the cyber domain who wish to inflict harm on the bloc.
“There are many entities, state and non-state actors, that simply want to see Europe fail,” the Greek official said.
“And there are many strategic competitors on key areas of our policies and of our industries that use these avenues to explore our vulnerabilities and succeed in obtaining a competitive advantage. There is no doubt that we are a prime target,” Schinas added.
The chief spokesperson-turned-Commissioner also referenced the recent cyberattack on the European Medicines Agency based in Amsterdam, in which sensitive information on a COVID-19 vaccine was accessed.
“We understand pretty well what’s going on at the global level in cyberspace,” Internal Market Commissioner Thierry Breton added. “We are a very important global power, both economically and industrially.”
NIS 2 and new sanctions regime
The Commission unveiled a new strategy to combat cyberattacks, including a revision of the Security of Network and Information Systems Directive (NIS 2), adding new sectors to the scope of minimum cybersecurity requirements as well as attempting to further harmonise sanctions regimes for cyber attacks across EU member states.
More generally, the Commission is looking to expand the scope of the 2008 European Critical Infrastructure directive with the introduction of a Critical Entities Resilience (CER) Directive, which now would earmark ten sectors as ‘critical,’ including energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space.
Under the revised NIS Directive, certain ‘essential and important entities’ across critical public and private sectors such as hospitals, energy grids, railways, data centres, public administrations, research labs and manufacturing of critical medical devices and medicines, will be obliged to adopt appropriate cybersecurity risk management measures as well as new reporting obligations.
Failure to do so could result in fines of a maximum of €10m or up to 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher.
“These sanctions are for major entities or critical entities,” Breton said on Wednesday (16 December), adding that member state authorities will be responsible for imposing any necessary sanctions.
“What is important is that the directive has teeth, so for the first time, NIS introduces this enforcement element with the possibility of important sanctions,” Schinas added.
Moreover, in order to further assert a sense of cybersecurity accountability, complementary punitive measures also include “a suspension of certification or authorisation concerning part or all the services provided by an essential entity,” should that entity fail to meet new benchmarks, in addition to a possible “temporary ban from the exercise of managerial functions by a natural person,” should they have been found to be negligent in their cybersecurity commitments.
Joint cyber unit, cyber diplomacy and 5G
In terms of plans to establish a ‘Joint Cyber Unit’, which would aim to strengthen cooperation between EU bodies and member state authorities in a bid to counter cyber-attacks, Breton revealed that it is likely the Commission will present a proposal in February next year.
In further collaborative efforts across the EU, the Commission has also proposed a network of Security Operations Centres, the so-called EU ‘cyber shield,’ powered by artificial intelligence technology, which would be capable of detecting early warning signs of cyberattacks.
With regard to global diplomatic efforts, under the EU’s cyber diplomacy toolbox, a new ‘EU Cyber Diplomacy Network’ is foreseen, in which the bloc will engage with third countries as a means to ‘promote its vision of cyberspace.’
Earlier this year, the EU had executed provisions outlined in its cyber diplomacy toolbox, in imposing restrictive measures against six individuals and three entities responsible for the ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’ attacks.
As a means to reinforce the clout of this instrument, the bloc would seek to adopt a more robust approach to cyber attack attributions against third-country agents.
Elsewhere, 5G security was also covered as part of Wednesday’s announcements, with the Commission once again pressing EU nations to adopt the measures outlined in January’s 5G toolbox, when member states were tasked with assessing the risk profile of telecom providers, with a view to applying restrictions to those vendors considered to be high-risk.
In a report on the implementation of these recommendations, the Commission noted that nearly all EU nations estimate they will complete national implementation processes by mid-2021, with “some Member States being more advanced in certain areas than in others.”
[edited by Sam Morgan]