In December 2020, the High Representative of the European Union for Foreign Affairs and Security Policy, Josep Borrell, presented a new EU Cybersecurity Strategy which was amongst the myriad of proposals put forth to make “Europe fit for the digital age.” The strategy is progressive in nature and generally indicates that the EU is stepping up its game regarding Information Technology (IT) and cybersecurity. Despite these efforts, the question about the success of the implementation of these policies by the EU persists.
In 2016, the initial Network and Information Security Directive, also known as the NIS Directive, came into force, giving member states guidelines on how to incorporate IT and cybersecurity standards in their own national legislation. This was the first official EU-wide legislation on IT and cybersecurity. The EU did not stop there. Particularly since the beginning of the Covid-19 pandemic, the EU has prioritized securing cyberspace as the globe has adjusted to a more digital world. Under the EU’s New Digital Strategy, many more relevant policies and legislation have been formed. In 2019, the EU Cybersecurity Act came into force, giving the EU Agency for Cybersecurity more resources and responsibilities to assist EU member states in implementing relevant national cybersecurity measures. Furthermore, an updated version of the NIS Directive, the NIS2 Directive, alongside a new Critical Entities Resilience (CER) Directive will soon come into force. As one can discern, the EU has continued to uphold its reputation in drafting comprehensive legislation even within the domain of IT and cybersecurity.
However, despite numerous developments in EU IT and cybersecurity, significant limitations still exist. The case of ‘Ghostwriter,’ for example, a malicious cyber campaign that experts suspect is connected to Russian hackers, demonstrates that the EU today is in no way unaffected by cyber-attacks. Malicious attacks of this nature caused by the campaign have affected not only EU institutions and politicians, but also national governments of EU member states. Even though cases like ‘Ghostwriter’ hit the headlines, we can assume that the EU is targeted by many more malicious cyber activities on a daily basis. Therefore, effective cybersecurity and IT security implementation in every EU member state is crucial, but unfortunately this is also where the EU appears to fall short.
Not every member state has taken IT and cybersecurity as seriously as initially intended. By giving each member state leveraged freedom in deciding who will be affected by the NIS Directive, there was an attempt to initiate a diverse implementation of IT and cybersecurity regulations among EU member states. For example, in Austria, about 400 companies were affected by the NIS Directive, whereas in Finland the number was ten times as large, at about 4000. Additionally, auditing requirements have varied among member states. Germany, for example, requires businesses affected by the NIS Directive to pass an annual auditing process on IT and cybersecurity requirements. Controversially, in many other EU member states, the set goal is merely to receive a certain IT-security certification for the company. This often does not include strict auditing processes that might detect potential weaknesses to cyber-threats, and even though the EU plans to address the issues mentioned with the upcoming NIS2 Directive, experts still fear that the provisions of this Directive might still be too vague.
However, time is running out for the EU. The Russian invasion of Ukraine has forced the Union to come to terms with its vulnerabilities and to speed up the process of implementing an effective cybersecurity policy and strategy because the tensions with Russia no longer leave room for mistakes. Just after the war in Ukraine started in late February, the Council of the European Union decided to form a “Strategic Compass for Security and Defence,” in which one of the main priorities was to expand the EU Defence Policy, including a strengthened EU Cybersecurity Tool Box and EU Cyber Joint Unit. Additionally, both the President and Vice President of the European Commission have stressed the need for the EU to become more resilient in cybersecurity matters.
The EU is not alone in struggling to form policy around cyberspace, which highlights how complicated the regulation of this domain is. Just recently, the United States (US) suffered a major blow from the cybersecurity attack on the company SolarWinds, in which malicious cyber activity through a SolarWinds software update went undetected for months and affected various US agencies, politicians, and large enterprises. As a response to this, the current Biden administration released a “New Executive Order on Improving the Nation’s Cybersecurity,” to prevent further cases like SolarWinds. Important measures mentioned in this Executive Order include promoting more communication and interaction on cybersecurity matters between the government, its agencies, and the private and public sector. Additionally, US Congress has just passed the Strengthening American Cybersecurity Act of 2022, which requires companies and institutions affected by various malicious cyber activities to report them within 72 hours of an attack.
Clearly, the implementation of cybersecurity standards is complex. Furthermore, the unpredictable and unexpected nature of cyber threats is still something politicians and legislators cannot seem to fully grasp and tackle. As observed, the EU has indeed advanced in IT and cybersecurity matters, but it has only accomplished this out of necessity. The advancement of technology and the internet has clearly changed our lives for the better; however, this also means that relevant cybersecurity measures must be implemented to reduce the threats of cyberspace. So, with all the complexities of securing cyberspace, can we still be hopeful for the future? The answer is yes. New domains like cyberspace require some time for adjustment. Even though the internet is hard to control, it has brought the EU and the rest of the world many great opportunities and has connected us in ways we could have never imagined.
Written by Lara Siebrecht; Edited by Stefan Bartl
Photo Credit to Shutterstock