What are the current shortcomings of the EU legislative and policy landscape on cybersecurity? What should the new mandate of the European Network and Information Security Agency (ENISA) be? Should the cybersecurity review focus on regulating technologies, such as encrypted communications and blockchain? These are some of the questions that Hanover’s Digital Policy team* considers need to be addressed for Europe’s cyber preparedness.
Indeed, the major cybersecurity overhaul announced on September 13 by Commission President Jean-Claude Juncker at the State of the Union address in Strasbourg set a new course for Europe’s efforts in fighting cyber vulnerabilities, notably with a new non-binding cyber strategy and a revised mandate for ENISA with new competences. These measures will complement the cybersecurity directive, whose application date is approaching (aka the Network and Information Security Directive, which was adopted in 2016 and which will enter into effect in May 2018). This directive is the first-ever EU legislation on cybersecurity, and its main goals are to set minimum capabilities at national level, to strengthen cooperation between Member countries, and to oblige critical operators (such as banks, airports, hospitals and power plants) and certain digital services to report serious cyber incidents.
While the proposed initiative addresses a lot of relevant points, it still leaves some critical issues open.
Some progress made on harmonization but more can be done
More efforts on soft (non-legislative) measures, such as coordination, cooperation with industry and amongst Member countries, and exchange of best practices, are needed at EU level.
The improvements made in the last couple of years are indisputable. However, the Commission should address the remaining challenges on fragmentation. For instance, Member countries will be free to identify the operators they consider ‘critical’ on their territory, which would bring operational uncertainty when countering cross-border incidents. In a recent survey Hanover Communications conducted with industry, academia, NGOs and public-sector stakeholders, respondents overwhelmingly agreed that this situation hampers incident management, stating that: “the cybersecurity directive remains too far from…