February 18, 2021 By Koen Van Impe

For enterprises operating in Europe, the European Commission's December 2020 EU Cybersecurity Strategy will shape how you go about improving cyber resilience.

The 2020 EU Cybersecurity Strategy underlines the important role of cybersecurity for a growing EU economy and reinforcing user confidence in digital tools. The publication goes beyond cybersecurity policy and compliance aspects to cover three key areas: resilience and technological sovereignty; the ability to prevent, deter and respond to attacks; and increased teamwork.

Two recent documents, the strategy itself and the accompanying proposal for a revised Directive on Security of Network and Information Systems (NIS2), will greatly influence how organizations doing business in Europe or working with European governments or entities operate.

Read on to learn what’s new, where the future of cybersecurity in the EU is headed and how businesses can prepare for these changes now.

Cyber Resilience Starts With the NIS2 Directive

One of the most noteworthy parts of the package is the proposal to reform the EU's existing NIS Directive. That directive, adopted in 2016, sets a range of security obligations for operators of essential services and digital service providers. The commission highlighted a few shortcomings in it:

  • A too-limited scope in terms of sectors covered and an ineffective oversight and enforcement regime;
  • Major differences in rollout that created burdens for groups running in more than one member state;
  • Uneven cyber resilience across member states and sectors and a lack of sharing information.

The reform itself is not a surprise: the NIS Directive has periodic review built in. The surprise is that the proposal opts for a new directive that replaces the existing one rather than amending it. This takes more effort but will likely prove more efficient and effective. In addition, the scope is extended to new sectors. Public administration, postal and courier services, manufacturing, food production and more will now fall under the directive.

Prevention, detection and response are key throughout. Under the proposed directive, in-scope entities must implement risk management measures covering a minimum list of security elements, including security policies, incident handling, and the use of cryptography and encryption. Other key aspects are streamlined incident reporting, more stringent oversight, coordinated vulnerability disclosure, a European vulnerability registry, and addressing supply-chain and supplier risks.

Cyber Resilience Challenges for 5G and IoT

To address the growing attack surface of 5G mobile networks, the commission plans to complete the implementation of the EU 5G Toolbox. Although many member states are on track, a lot of work remains. In particular, member states still have a long way to go in reducing their dependence on high-risk suppliers. The growth of these networks will also drive a further expansion of the Internet of things (IoT), and more IoT devices mean a larger attack surface and a higher risk of attacks.

Companies that make connected products should keep an eye on this. The commission expects to put in place a regulation that imposes a duty of care on manufacturers to address software vulnerabilities. This includes providing security updates throughout the product's lifetime as well as ensuring that personal data is deleted at end of life.

A New Approach to DNS

One of the key players in strengthening the EU's overall presence in the digital world will be the Cybersecurity Industrial, Technology and Research Competence Centre and Network of Coordination Centres (CCCN). Its goal is to draw on industry and academic input to place the EU at the forefront of cybersecurity. One element of this plan is an alternative European DNS resolver service, called DNS4EU.

In addition, the commission proposes a contingency plan to counter attacks on the global domain name system (DNS) root system, with a focus on the two root server operators based in the EU. Keep an eye on how this is run, given that DNS is already, by design, a distributed and redundant system. Both EU root server operators use anycast and run widely distributed instances, including servers outside Europe, so the added value of a separate contingency plan will depend on how it is implemented.

European Cyber Shield

With all these changes, one could overlook the basics of cybersecurity: early detection and swift response to attacks. Organizations today rely on security operations centers (SOCs) for this task. Unfortunately, many of these centers operate as islands: they do not always have the means to cooperate or share information. To support that cooperation, the commission will back the improvement of existing SOCs and the establishment of new ones. Its goal is a network of SOCs that act as watchtowers and can pick up early signals of cyberattacks.

Prevention and Response: Introducing the Joint Cyber Unit

While the network of SOCs provides situational awareness for authorities, there is still a gap when it comes to jointly responding to these threats. To close this gap and improve cyber resilience, the commission called for a joint cyber unit to share threat information and respond to incidents. This unit is not a standalone body but a platform through which participating groups can draw on one another's support and expertise. Its goal is to ensure preparedness, provide situational awareness via information sharing, and reinforce response and recovery across groups.

Developing such a body, or collaboration platform, will not happen overnight. Many hurdles remain, not least making sure the skills and mandates of all groups involved are respected. The Computer Emergency Response Team for the EU institutions (CERT-EU), the European Union Agency for Cybersecurity (ENISA) and the European Union Agency for Law Enforcement Cooperation (Europol) have a lot of work ahead of them as they come together on this project.

Tackling Crime for Greater Cyber Resilience

Doubtless, this unit will play a major role in the fight against cybercrime. But it is not the only card the commission can play. ENISA and Europol already work together, and the commission wants to see this continue. It laid out an action plan to enhance the digital capacity of law enforcement by anticipating the skills and tools they will need. Europol will play a crucial role in this plan.

Also noteworthy is the commission's plan to ensure an accurate database of domain name registration data and to provide lawful access to it. Such a database can be a valuable instrument in the fight against cybercrime.

Where Diplomacy and Defense Meet Cyber Crime

Cyber threats are not limited to crime. Some threat actors target member states or the EU as a whole. To this end, the EU's cyber diplomacy toolbox can be used to prevent and deter such actions. In its EU Cybersecurity Strategy, the commission supports the creation of cooperation mechanisms and diplomatic responses. The toolbox is also to be integrated into crisis mechanisms to counter disinformation and foreign interference.

Helping Groups Work Together

The commission also envisions improvements in the field of diplomacy through cooperation between nations. The EU will expand its dialogue with third countries (countries outside the EU) and with regional and international organizations. It will also create an informal EU Cyber Diplomacy Network. This third pillar also includes the following:

  • Guidance on the application of human rights and fundamental freedoms online;
  • Better protection of children against sexual abuse and exploitation;
  • Setting objectives in international standardization processes.

What’s Next for Cyber Resilience?

The commission will implement this EU Cybersecurity Strategy in the coming months. From there, it will monitor progress based on reports from the bodies involved, such as ENISA. Because the rollout involves public-private and cross-border cooperation, there will be plenty of opportunities to cooperate more and thereby increase overall cyber resilience in Europe.

There is still time to get ready for the reform of the NIS Directive. Be aware, though: although the proposal still has to pass through the legislative process and be transposed into national law, and some changes can occur along the way, the bulk of it will likely remain as written. As such, you can take action now. Try the following:

  • First, verify whether your organization falls within the extended scope;
  • Next, gear up your detection and incident-notification processes;
  • Review the security of your supply chain and supplier relationships;
  • Lastly, ensure your risk management covers the basic security elements required by the directive.
