
European Union's New Cybersecurity Strategy - Lexology

The European Union has introduced a new Cybersecurity Strategy to strengthen cyber resilience across critical infrastructure and essential services. Key aspects of the strategy include reforming regulations on network security, investing in cybersecurity skills training, and establishing a Joint Cyber Unit to coordinate incident response across public and private sectors. The strategy aims to enhance technological sovereignty, operational cybersecurity capabilities, and establish the EU as a leader in digital technologies and cybersecurity.

Uploaded by

Luca Capri

3/30/2021 European Union’s new cybersecurity strategy - Lexology


European Union’s new cybersecurity strategy


European Union, Romania February 9 2021
1. Background
Cybersecurity is at the forefront of the European Union (“EU”)’s efforts to build a resilient, green and
digital Europe. In this respect, on December 16, 2020, the European Commission and the High
Representative of the Union for Foreign Affairs and Security Policy presented the European Union’s new
Cybersecurity Strategy for the Digital Decade1 (the “EU Cybersecurity Strategy”).
The EU Cybersecurity Strategy is an ambitious document aimed at ensuring secure and reliable digital
tools and connectivity throughout Europe. It is part of the broader EU digital strategy that aims to
transform Europe into a global leader in the digital economy.
We live in a world where vital sectors such as transport, energy and health, telecommunications, finance,
security, democratic processes, space and defence rely more and more on increasingly interconnected
network and information systems. In the near future, there will be an exponential increase in the number of
interconnected devices throughout all the industries.
In order to help reduce the vulnerabilities presented by such interconnected devices, the EU started setting
the stage, by creating the conditions for the integration of cybersecurity into all digital investments
(particularly when it comes to technologies like Artificial Intelligence, encryption and quantum
computing).
2. The structure of the Cybersecurity Strategy
The new EU Cybersecurity Strategy is divided into three parts: (i) resilience, technological sovereignty and
leadership, (ii) building operational capacity to prevent, deter and respond and (iii) advancing a global and
open cyberspace.
2.1. Resilience, technological sovereignty and leadership
This part of the Cybersecurity Strategy focuses on the EU’s critical infrastructure and essential services. In
the EU’s view both the private and public sectors must be able to have a choice amongst the most secure
infrastructures and services.
2.1.1. Reforming NIS Directive
According to the European Commission, the Directive on security of network and information systems
(“NIS Directive”) is at the core of the Single Market for cybersecurity. However, there is a need to
increase the level of cyber resilience of all relevant sectors, including energy, transport, health and the
financial sector, that are fundamental for the economy and society. Moreover, reviewing the NIS Directive will
help reduce the inconsistencies across the internal market, and it will provide specific rules for strategically
important sectors, so that they become more cyber resilient.

https://www.lexology.com/library/detail.aspx?g=ad1630cc-5172-4600-9a53-985fb6c845db 1/4

2.1.2. The role of ISACs, CSIRTs and SOCs


In the race to become more cyber resilient, an important role will be played by the Information Sharing and
Analysis Centres (“ISACs”), Computer Security Incident Response Teams (“CSIRTs”) and Security
Operations Centres (“SOCs”). These centres are set up by the public and private sector to tackle
cybersecurity threats, by disseminating relevant information, identifying real-time anomalies or detecting
the activity of malicious executables. Taking into account the importance of such centres, the European
Commission is willing to spend over EUR 300 million to build a network of SOCs that would create
collective knowledge and share best practices on fighting cyber threats.
2.1.3. Securing both the communication infrastructure and the next generation of broadband mobile
networks
The Commission plans to work together with Member States to build a secure quantum communication
infrastructure (“QCI”) for Europe, that will ensure the security of communications of public authorities.
The QCI will be composed both of fibre communications networks and of linked satellites covering the EU
and EU overseas territories.
In March 2019, the Commission also started working on 5G technology and the need to have a secure
next generation of broadband mobile networks, by publishing a Recommendation on the Cybersecurity of
5G networks (“EU Recommendation”). In October 2019 this was followed by the EU coordinated risk
assessment of the cybersecurity of 5G networks and in January 2020, by the Cybersecurity of 5G networks
EU Toolbox of risk mitigating measures (“EU 5G Toolbox”), a common set of measures meant to mitigate
the main cybersecurity risks of 5G networks.
In October 2020, the European Council called on the EU and the Member States “to make full use of the
5G cybersecurity toolbox” and “to apply the relevant restrictions on high-risk suppliers for key assets
defined as critical and sensitive in the EU coordinated risk assessments, based on common objective
criteria”.
In December 2020, the European Commission published a report on the impact of the EU
Recommendation, showing that Member States had made significant progress in implementing the EU 5G
Toolbox, albeit with some variations and remaining gaps. However, the European Commission has
encouraged Member States to continue implementing the main recommendations of the 5G Toolbox by the
second quarter of 2021.
2.1.4. Keeping IoT and Internet secured
The European Commission will adopt the first Union Rolling Work Programme, as required by Article 47
of the Regulation 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information
and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013
(Cybersecurity Act) in the first quarter of 2021. The Rolling Work Programme has the role to identify
strategic priorities for future European cybersecurity certification schemes.
The European Commission is also considering enacting new horizontal rules for bolstering connected
product cybersecurity, such as a duty for software manufacturers to address software vulnerabilities (for
example, by continuing to provide software updates and to erase personal and sensitive data at the end of
the lifecycle of the software product). Cybersecurity will be strengthened also in motor vehicles and some
wireless products.
The European Commission will also be creating a contingency plan for extreme scenarios affecting the
integrity and availability of the global DNS root system.
2.1.5. The importance of the technology supply chain
EU’s ambitions are to propel its Industry Strategy2 and leadership in digital technologies and cybersecurity
across the digital supply chain (including data and cloud, next generation processor technologies, ultra-
secure connectivity and 6G networks), in line with its values and priorities.

An important role will be played by the proposed Cybersecurity Industrial, Technology and Research
Competence Centre and Network of Coordination Centres (“CCCN”) that will be located in Bucharest,
Romania. The CCCN, alongside the industry and the academic communities, will help develop the
EU’s technological sovereignty in cybersecurity, building capacity to secure sensitive infrastructures.
2.1.6. Developing cyber skills
The EU plans to massively invest in upgrading the digital skills of its workforce, especially by raising
cybersecurity awareness among children, young people, and small and medium companies.
2.2. Building operational capacity to prevent, deter and respond to cyberthreats
A Joint Cyber Unit is envisioned as part of building the EU’s operational capacity for fighting
cybersecurity threats. The European Commission will work with the Member States and relevant EU
institutions and agencies to build the Joint Cyber Unit not as a standalone body, but as a virtual and
physical platform coordinating the different cybersecurity communities (private and public) in the EU
against major cross border incidents and threats.
The objectives of the Joint Cyber Unit would be to:
- prepare the cybersecurity communities to face threats;
- provide shared situational awareness;
- reinforce coordinated response and recovery.

The steps for defining, preparing, deploying and expanding the Joint Cyber Unit must be presented by the
European Commission by February 2021.
However, building resilience capacity is not sufficient to remove cybersecurity threats. The European
Commission also plans to strengthen the response capacity of enforcement authorities, by providing them
with the necessary skills and tools. One of the pressing problems the European Commission will work on
is providing access to electronic evidence for criminal investigations in different jurisdictions. In this
regard, the European Commission has prepared a package of proposals regarding e-evidence, which it
hopes will be adopted swiftly by the European Parliament and by the Council.
Cybersecurity resilience also entails a diplomatic response. In May 2019, the EU introduced its legal
framework for targeted restrictive measures against cyber-attacks. To date, eight individuals and four
entities involved in or responsible for cyber-attacks have been listed. The EU is committed to further increasing its
efforts to strengthen the cooperation with international partners in order to develop cooperative diplomatic
responses.
Not only a diplomatic but also a strengthened military response is planned. The Cyber Defence Policy Framework
(“CDPF”) will be reviewed, and Member States together with the EU are encouraged to develop state-of-
the-art cyber defence capabilities through different EU policies and instruments.
2.3. Advancing a global and open cyberspace
The overarching goal of the EU is promoting a model of cyberspace rooted in the rule of law, human
rights, fundamental freedoms and democratic values.
In order to promote these values, the EU will have to:
- increase its engagement in the standardisation process, including by increasing its representation in
  European and international standard development entities;
- take a proactive role in advancing Member States’ positions in international fora, as well as
  developing an EU position, on the application of international law in cyberspace;
- continue to promote and protect human rights and fundamental freedoms online;
- strengthen and expand its dialogue on cyberspace with third countries, enhance EU-NATO
  cooperation on cyber defence;
- defend the multi-stakeholder Internet governance;
- develop an EU External Cyber Capacity Building Agenda and an EU Cyber Capacity Building
  Board whose scope would be to support its partners to increase their cyber resilience and capacities
  to investigate and prosecute cybercrime.

3. Cybersecurity in European institutions


This part of the Cybersecurity Strategy takes stock of the current situation of cybersecurity in relation to
EU institutions. Progress is reported on protection of EU classified information as well as sensitive non-
classified information. However, there is still limited interoperability of classified information systems,
which prevents entities from seamlessly transferring information. Moreover, the level of awareness of cyber risks
needs to be raised within EU institutions.
Therefore, a Regulation on Information Security in the EU institutions, bodies and agencies and a
Regulation on Common Cybersecurity Rules for EU institutions, bodies and agencies are proposed as
strategic initiatives.
4. Conclusions
The EU Cybersecurity Strategy sets ambitious goals, both in terms of new regulations, as well as in terms
of international cooperation. Nevertheless, as long as cybercrime remains extremely profitable for
perpetrators (with an annual estimated cost of cybercrime to the global economy in 2020 of €5.5 trillion,
double that of 2015), the safety of critical infrastructures and goods of ordinary citizens and companies
will continue to be threatened. Thus, the EU will need to step up efforts in order to be able to counteract the
cyber-attacks of the future.

MPR Partners | Maravela, Popescu & Asociații - Flavia Ștefura and Cristina Crețu

