Closing the gaps in EU cybersecurity: Let’s get it right

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.

US cybercrime centre. [Reuters]

An unhelpful patchwork exists in Europe when it comes to cyber protections, writes Thomas Boué. But EU member states would be ill-advised to extend the scope of the proposed Network and Information Security (NIS) Directive beyond critical infrastructure, he says.

Thomas Boué is Director of Government Affairs for the EMEA region at BSA | The Software Alliance, an advocacy organisation for the global software industry.

Bolstering cybersecurity is a challenge facing boardrooms and government officials around the world. While technology is enabling us to be smarter about how we communicate, create, and solve problems, it has also introduced new risks which must be managed.

In Brussels next week, Member States will meet in Coreper as they continue to work toward consensus on a Network and Information Security (NIS) Directive aimed at harmonising cybersecurity laws across Europe. That is no small feat when negotiating among 28 countries. A report released this week by BSA charts just how big a task they have before them.

The BSA EU Cybersecurity Dashboard is a first-ever analysis of national cybersecurity laws and policies in the EU. It finds that an unhelpful patchwork exists in Europe when it comes to cyber protections. While some countries have strong cybersecurity legal frameworks — the UK, Germany and Estonia, for example; others still have much work to do. But the report makes clear that considerable discrepancies exist between Member States’ laws and operational capabilities, resulting in gaps and fragmentation that could put the entire Single Market at risk.

Encouragingly, the report finds that most EU Member States recognise cybersecurity should be a national priority, with a particular focus on ensuring the cyber resilience of critical infrastructure. Critical networks and infrastructure — transport, energy, banking — are where disruption would do the most harm. BSA has argued for some time that the NIS Directive should build a foundation of cybersecurity readiness in Europe by focusing on critical infrastructure, since that’s what needs protecting most.

MEP Andreas Schwab, the European Parliament rapporteur on the NIS Directive who joined BSA at the release of the EU Cybersecurity Dashboard in Brussels earlier this week, agrees. At the launch debate on Tuesday, he called for a Directive that provides a “comprehensive minimum harmonisation approach,” starting with critical infrastructure.

Among the gaps the report highlights is a lack of cooperation between governments and the private sector on cybersecurity. This issue was similarly called out by US President Obama at a cybersecurity summit held in California last month where he signed an executive order aimed at encouraging better information sharing between the public and private sectors in the US when it comes to cyber-attacks.

Likewise in Europe, most infrastructure is owned by the private sector, making public-private cooperation essential – yet only five EU Member States have an established framework for public-private partnerships on cybersecurity. The more communication and coordination taking place between EU governments and the private sector, the more resilient Europe will be in the face of evolving cybersecurity threats.

The EU Cybersecurity Dashboard outlines the fundamental elements of a strong legal cybersecurity framework — from establishing strong legal foundations, to engendering trust and working in partnership, to promoting cybersecurity education. These building blocks provide valuable insight for national governments who will ultimately implement cybersecurity rules and policies.

The report also provides guidance on what not to do, as some governments around the world are unfortunately using cybersecurity as justification for protectionist rules that reduce choice and undermine cyber protections. That includes avoiding country-specific cybersecurity standards, obligations to disclose sensitive information such as source code or encryption keys, data localisation requirements, or preferences for indigenous providers among other unhelpful policies.

For the Member States, as they attempt to complete work on the NIS Directive before negotiations begin with the Parliament later this spring, the BSA EU Cybersecurity Dashboard could help focus their efforts on achieving a baseline level of cybersecurity preparedness across a diverse and very uneven landscape.

The NIS directive is the first-ever EU cybersecurity legislation. Its primary aim is to strengthen public sector agencies and improve pan-European coordination on cybersecurity incidents. A targeted, proportional and risk-based approach, focusing first on protecting the critical infrastructure that is essential for Member States’ economic and national security, public health and safety, is therefore the best way to achieve this. Extending the scope of the NIS Directive beyond critical infrastructure risks undermining the aim of the Directive to preserve the security of infrastructure and systems that are essential to our economy and society.

The full report, along with detailed summaries of the findings for all 28 EU Member States, is available at As national governments update their frameworks and as we collect new information, we intend to update the EU Cybersecurity Dashboard online to show progress across the relevant areas. We invite you to review the results and contact us with information regarding updates and changes.

Subscribe to our newsletters