
The European cybersecurity strategy

An action plan designed to improve the IT security and resilience of national services and infrastructure


Over the last few years, we have seen a continuous degradation of the global cybersecurity scenario. As digitization processes dizzyingly expand the “attack surface” of IT systems and the technical and organizational capacities of cybercriminals keep increasing, the number of IT system violations has increased exponentially.

One of the most worrying aspects is the fact that the IT structures of the public sector and “critical” systems (energy, telecoms, healthcare etc.) are increasingly falling victim to such attacks. As a consequence, awareness of the need for high-level initiatives has grown centrally. An ever-increasing number of countries (the US first and foremost, but also India, Australia and many others) have decided to change their plans and initiatives to fight, contain and respond to IT threats by developing national cybersecurity strategies.

These strategies consist of an action plan designed to improve the IT security and resilience of national services and infrastructure. It is a top-down approach to security, which establishes a series of national priorities and goals to be attained in a given period of time.   

Europe has also confirmed this trend by proposing a supranational strategy with the launch of a common IT defense approach for all member states: the EU Cybersecurity Strategy 2020. 

It bears remembering that the EU had already proposed a Cybersecurity Strategy in 2013, with the goal of increasing and strengthening online security and the fundamental freedoms of European citizens. This pioneering project led to a limited, although significant, number of initiatives. The one with the greatest impact was the NIS Directive, which came into force in summer 2016 and was implemented by the member states after two years. The lightning-fast evolution of digital technology (and IT threats) has already required adaptation of this directive, with the European Commission launching a public consultation in 2020, the results of which we will cover in the second half of this article.  

This led to the NIS2 Directive project, which reached the European Parliament in December 2020.  

What, then, are the salient points of Cybersecurity Strategy 2020?


Cybersecurity Strategy 2020: chronicle


In 2013 a European Cybersecurity Strategy was proposed, which led to the entry into force of the NIS Directive in 2016 and its transposition into national law by the EU member states within a few years.  

In 2019, Regulation 2019/881, known as the Cybersecurity Act, was approved; its goal was to evolve and strengthen the European ENISA agency and implement a program of certifications dedicated to IT security for products and services. Another important element which has drawn the attention of the European institutions is protection of the new wireless networks. Numerous initiatives were indeed launched to strengthen the security of the future 5G structures, through the “5G Security Toolbox” initiative for example.  

Finally, in December 2020:  

  • The proposed NIS2 Directive was presented to the European Parliament.
  • Within the scope of the launch of the European Recovery Plan, the new European Cybersecurity Strategy was announced, the main elements of which are illustrated below.


Cybersecurity Strategy 2020: structure and initiatives


The new European strategic initiative differs significantly from other similar or previous proposals. It is a project which is both visionary, as we should expect from a plan relating to the digital future of over 440 million European citizens, and dense in terms of very concrete operational and technological initiatives. 

In summary, we can describe the strategy as being composed of three pillars:

1. Increasing resilience, leadership and the technological superiority of the EU

The first pillar has the goal of “armor-plating” the basic cyber-infrastructure at the European level. This clearly means incentivizing (or requiring) member states to take action to improve the resilience of their companies and critical infrastructure. The chosen tool was evidently the NIS Directive.   

Another fundamental element to protect, as is well known by those who work in the network security field, is the DNS resolution mechanism. To this end, the strategy provides for the progressive adoption both of more advanced protocols and of a resolution mechanism entirely based in Europe. Moreover, the adoption of all existing security best practices will be mandatory, and a European recovery system will be created, in case the global DNS infrastructure collapses.  

Still within the scope of increasing the resilience of communications, a multi-year program will also be launched to create a communications system based on quantum technology (created and financed only by European industry), in order to allow the transmission of critical information between European public bodies with the highest levels of security.  

A series of incentives will then be made available to allow companies to bring their products into line with future European security certification schemes. This plan (integrated within the scope of the Cybersecurity Act) has the goal of progressively increasing the native level of security for European-made products. To this end, we cannot fail to highlight the consistency of the principles of “security-by-design” and “security-by-default” with the principles of “privacy by design and by default” introduced by the GDPR.  

Finally, there is the chapter dedicated to research and development, which assigns funds to an EC Cybersecurity research program with the stated goal of attracting the best talent in Europe, in order to contribute to the advancement of knowledge in this sector. This investment in research is also aimed at solving the problem of a lack of specialized skills in the security field, a problem which is not limited to Europe.

2. Constructing an effective capacity to prevent, deter and react to IT attacks

Another key aspect is increasing the ability to detect attacks, which will be attained by constructing a series of Security Operations Centers (SOC) throughout Europe. These SOCs will have similar functions to the equivalent structures used by public and private companies, but will operate at an inter-European level.  

Defense from IT attacks will unfold from here with various operational structures, and will cover and connect to the military and space exploration sectors as well. The strategy initially provides for a Joint Cyber Unit, which will form a virtual and physical cooperation platform for the different information security communities in the EU, dedicated to operational and technical coordination against external IT threats and incidents. This unit will have the goal of guaranteeing the preparation of the IT security units, facilitating the sharing of information and enabling a common and coordinated response to and recovery from attacks.

Other declared goals are the creation of a common working group for cyber intelligence, support for the fight against computer crime (increasing synergy between ENISA, Europol – with its EC3 cyber unit – JRC, CSIRT and the agencies of the member states), and the reinforcement and further promotion of the Budapest Convention on Cybercrime. No less important is increasing the IT security of one of the most sophisticated pieces of infrastructure: the satellite network and the launch and communication bases of the European Space Agency. The final goal is developing a European cyber defense military strategy, in coordination with the European Defence Agency.

3. Creating an open and secure “cyberspace” 

The third, but no less important, pillar of the European strategy is the defense of the more vulnerable sections of the population, with a program to support fundamental freedoms and human rights on the Internet, specifically dedicated to the protection of minors.


Conclusion

The European Union is making concerted efforts and planning significant investment in order to raise the general level of IT security, in an attempt to offer technologically competitive solutions to digital security. The economic and security future of the EU will depend on the ability to fight IT crime together and reinforce Europe’s resilience to IT attacks in a collaborative manner. This will open up the road to deeper cooperation at a global level in order to meet these goals.
