There has been significant progress in cyber security-related legislation in the EU in the past two years, according to Carl-Christian Buhr, deputy head of cabinet for Mariya Gabriel, European commissioner for digital economy and society.
“Since European Commission president Jean-Claude Juncker set the stage in his state of the union address in 2017, a lot has happened, including the transposition of the directive on security of network and information systems (NIS Directive) into law in member states,” Buhr told the CyberSec Brussels Leaders’ Foresight 2019 event.
Although scheduled to leave the EU on 29 March 2019, the UK is among the member states to have completed the process, having introduced the Network and Information Systems Regulations 2018 on 10 May last year. Most other EU member states have done the same since then.
“This is an essential piece of legislation, although it took several years to negotiate,” said Buhr, observing that perhaps the directive was ahead of its time, before its importance was fully understood, resulting in a longer negotiation process than it would have needed had it been proposed this year.
He said the NIS Directive brings a common baseline across member states when it comes to the authorities that exist, the responsibilities these public authorities have in the area of cyber security and the cooperation they have across the EU.
“In addition, it places requirements on essential service providers to run their systems in a more secure way and to exchange information,” said Buhr. “This is an important part because it provides the first glimpse of how we have tried to build the economic incentives into making all of us more secure, because we want to remove the ‘bad incentive’ that everybody had to be quiet about the challenges they faced and to be quiet about the breaches they may have suffered, out of fear of damaging their reputation.
“If there is a requirement for everybody to share information [about challenges and breaches], then the incentive to keep quiet is at least weakened, if not removed, which is the ultimate intention. The result will be that everybody is more secure because the peers of whoever is attacked first will benefit.”
Buhr said this approach has been used successfully across the EU, inside and among institutions, to warn peers. It is along the lines of similar approaches within industry sectors such as the financial, aviation and other sectors that have started building exchange mechanisms so they can all become more secure.
Some member states have even gone beyond the base requirements of the NIS Directive by defining additional sectors as being “essential”, such as the public sector.
“In the light of the European elections that are coming up in 2019, this is not a bad idea because the public sector has an important role to play in the security of elections, which is one of the most important services that we run in our democracies,” said Buhr.
Member states could build on that further, he added. “And we encourage them to do so, even though we do not usually encourage ‘gold plating’ by adding bells and whistles to requirements to create an uneven field. But this is a special case, where each additional step can increase security.”
Buhr described this as a “good and important” development because it means improvements can be made much more quickly than waiting for the EC to make changes to the directive first.
“Building on these authorities that exist in member states, we have then also proposed that they work more closely together when it comes to actual crises to put some order into the exchange of information when something like WannaCry or NotPetya strikes,” he said.
According to Buhr, in the past two years, EU member states have made good progress in creating a cyber security crisis response framework that can be built upon further.
The Cyber Security Act, also proposed in 2017, will become law very soon, he noted. “It is likely to be enforced in May 2019, creating a stable, permanent mandate for the cyber security agency of the European Union, Enisa,” he said.
“Equally importantly, it will create a European cyber security certification framework for the first time, again bringing economic incentives into our work by increasing incentives for companies to certify their products for the EU in a one-stop-shop way, making it easier, faster and cheaper.”
The certification process, which is due to come into force in May 2019, will also make it easier for companies to market their products across the EU rather than choosing to invest in certifications for individual member states, and at the same time it will make it easier for organisations to compare products.
Buhr said all the stakeholders are working to ensure the certification process is up and running immediately to tackle issues, such as 5G security.
“5G security is one of the main areas for which we have created the certification framework because this is a tool or instrument to use when you need it, and that is what we want to do as soon as the certification process comes into force,” he said.
In addition, said Buhr, the Cyber Security Act proposes the creation of a cyber security competency centre network in the EU to pool resources and ensure there is no duplication of effort.
“This is about implementing all the funds at EU level for cyber security, with more than €2.5bn expected to be allocated in the 2021-2027 budget,” he said, adding that there is a lot of support for pooling resources for better coordination to make sure everyone is pulling in the same direction.