Sponsored Content

Cybersecurity in Europe: key recommendations for the new cyber review

What are the current shortcomings of the EU legislative and policy landscape on cybersecurity? What should the new mandate of the European Network and Information Security Agency (ENISA) be? Should the cybersecurity review focus on regulating technologies, such as encrypted communications and blockchain? These are some of the questions that Hanover’s Digital Policy team* considers relevant to address for Europe’s cyber preparedness.

Indeed, the major cybersecurity overhaul, which was announced on September 13 by Commission President Jean-Claude Juncker at the State of the Union address in Strasbourg, set a new course for Europe’s efforts in fighting cyber vulnerabilities, notably by coming up with a new non-binding cyber strategy and a revised mandate for ENISA with new competences. These measures will complement the approaching application date of the cybersecurity directive (aka the Network and Information Security Directive, which was adopted in 2016 and which will enter into effect in May 2018). This directive is the first-ever EU legislation on cybersecurity, and its main goal is to set minimum capabilities at national level, to strengthen cooperation between member countries and to oblige critical operators (such as banks, airports, hospitals and power plants) and certain digital services to report serious cyber incidents.

While the proposed initiative addresses a lot of relevant points, it still leaves some critical issues open.

Some progress made on harmonization but more can be done

The improvements made in the last couple of years are indisputable. However, remaining challenges on fragmentation should be addressed by the Commission. For instance, member countries will enjoy the freedom of identifying the operators they consider as “critical” on their territory, which would bring operational uncertainty when countering cross-border incidents. In a recent survey Hanover Communications conducted with industry, academia, NGOs and public-sector stakeholders, the vast majority of respondents agreed that this situation hampers incident management, stating that: “the cybersecurity directive remains too far from creating a true Single Market for cybersecurity”, and “implementation needs to take care not to allow fragmentation of requirements.”

Need for further technical coordination and information sharing

More efforts on soft (non-legislative) measures, such as coordination, cooperation with industry and amongst member countries, and exchange of best practices, are needed at EU level. These principles are referenced in the new cybersecurity strategy and some good work has been done in this regard through the activities of ENISA, Europol’s Cyber Crime Centre and the EU public-private partnership on cybersecurity, in helping complement the cybersecurity directive. Yet, member countries should be more open to information sharing. Our survey shows that all respondents “agree” with further information sharing amongst member countries, 35 percent of whom even “strongly agree”.

A stronger European Network and Information Security Agency (ENISA)

With regard to the future role of ENISA, the Heraklion-based agency in charge of cyber preparedness, it is high time that this critical institution receives a strengthened mandate and further resources. And this is what just happened with the Commission’s legislative act on ENISA, which was published on the margins of President Juncker’s speech. The respondents to our survey overwhelmingly praise the work of the agency, stating that “ENISA should be strengthened in providing more best practice-sharing, and more advice on cyber-strategies and policy implementation.”

Do not touch upon encrypted technologies

Encryption and global standard-setting should both be considered as key elements for the future EU workstreams on cybersecurity. Specifically, end-to-end encryption (a communication system where only the communicating users can read the messages) is threatened by the recent calls of France, Germany and the U.K. to the Commission for legislation which would allow government access to such communications. In fact, 85 percent of the respondents to our survey would disapprove of such a measure, arguing that: “weakening the integrity of encryption algorithms would allow governments to more easily decrypt communications through ‘brute force’, but would compromise security for everyone.”

Cybersecurity — a perpetual challenge

Over the past years, the EU has managed to create a minimum harmonization framework for cybersecurity and the new measures go in the right direction, as they add further competences to ENISA and present a revised cyber strategy. Despite these achievements, some outstanding issues need to be addressed, i.e. avoiding fragmentation, which would benefit operational efficiency, and preserving the integrity of encrypted communications, to prevent backdoors for government access from being used for malicious purposes. Europe’s cybersecurity strategy/cyber preparedness will only really be effective if these outstanding issues are also tackled.

* Hanover is an independent consulting firm with offices in London, Brussels, Dublin and Dubai that specializes in advising global brands, businesses and organizations on reputation, communications and public affairs. The Brussels Digital Policy team provides its blue-chip clients with tailored advice and advocacy support on EU policy issues related to cybersecurity, data protection, copyright & IPR, telecommunications, audio-visual and consumer policy.
