EU Cybersecurity – the Good, the Bad, and the Ugly

With a single click you can open infinite (virtual) doors. What you find on the other side of that door, however, may not always be so harmless. While technology offers a plethora of opportunities and its use can be innocent and entertaining, there are also ever-mounting concerns which arose with the digital revolution – including the disastrous impact of cybercrimes on individuals, businesses, and governments. Whether you are aware of it or not, the likelihood is that you have been a victim of a cyber-attack. As a matter of fact, there is an average of 97 cybercrime victims every hour, which equates to one victim every 37 seconds. The Cyber Security Breaches Survey also found 39% of UK businesses identified a cyber-hack in 2022, a figure which, in reality, is most likely to be more substantial as a high number of hacks go unnoticed. European states also continue to be key targets for cyberattacks as there are vast opportunities to exploit their internet infrastructure and their online payment systems, which are intrinsic to the functioning of daily activities. Simply said, cybercrimes are rising exponentially, governments are increasingly rolling out regulations, and ignorance is not an option.

That said, on 26th June, the Council presidency and European Parliament reached a provisional agreement on a regulation aimed at ensuring a high common level of cybersecurity across the EU institutions, bodies, offices, and agencies. While the agreement still needs to be finalised and formally adopted, the announcement once again reveals that the EU is on a pathway to greater cyber resilience.

Here is everything you need to know about the policy debate on cybersecurity, what businesses need to be aware of to safeguard their business activities and assets, as well as how they can stay on top of the policy developments and influence policymakers’ agenda.

Where it all began:

While security policies have traditionally been bound by physical evidence, the growth of technology has transformed the cyber-security policy landscape. Since these modern threats are not subject to national borders, the policy landscape is continuously evolving to develop sophisticated, comprehensive, and EU-wide policy solutions.

As the cybersecurity landscape is complex and ever-changing, it is important to design effective policies which correspond to the needs of businesses and consumers. With the exponential rise of technology, there is an omnipresence of new threats. As such, while it is essential that proposed legislation is fit for purpose, private entities must also stay up to date with these legislative renewals to guarantee coherence and trust in online services and providers. To keep up with technology and the threats it presents, cybersecurity policies require continuous updates, which can be problematic because most companies are not sufficiently equipped for, or aware of, the policy changes taking place.

The EU cybersecurity regulatory landscape:

Brussels has been at the forefront of the digital revolution. Indeed, while security was originally a state matter, the Commission’s innovative policy entrepreneurship triggered the emergence of multiple proposals in the field of cyber-security.

In 2016, the Commission presented new rules accompanying the NIS2 Directive reform – an EU-wide piece of legislation on cybersecurity. Importantly, this Directive holistically addressed the development of cybersecurity incidents in the public and private spheres. While the Commission explained NIS2 would strengthen Europe’s resilience against cyber-attacks, it also laid down important security requirements for essential services providers. Therefore, businesses working in the energy, transport, health, or financial sectors and providing online or cloud services would be required to adapt their activities to the newest NIS2 rules. This symbolised a shift in the EU’s cybersecurity landscape as businesses were placed at the forefront in guaranteeing online security across the EU. To put this into perspective, the impact assessment accompanying the directive stated that businesses subject to the NIS2 regulations would have to increase their online security funds by approximately 22% as a result.

In a bid to continue Europe’s path towards achieving online security, the Commission introduced the EU Cybersecurity Act, which entered into force in 2019, increasing the role of the EU Agency for cybersecurity (ENISA), which supports coordination of the EU Member States in case of a wide-scale cybersecurity emergency. Of relevance to businesses operating in the space, the 2019 Act introduced a European cybersecurity certification framework for internet providers, services, and processes. These developments had huge consequences for companies located in the EU as their products required certification and thus greater compliance in accordance with the EU’s latest scheme.

At the end of 2020, the EU presented its Cybersecurity Strategy, a broad strategy which aims to strengthen Europe’s collective capabilities while addressing the rapidly changing cyber threat landscape, and to improve Europe’s dominance in the cyber-sphere. The strategy aims to improve the reliability of products and services which businesses and individuals rely on across the EU, including online banking services, healthcare apps, public administration systems and many more. The strategy also included Digital Innovation Hubs to support SMEs, while also luring more cybersecurity experts to join Europe in becoming a dominant cybersecurity actor.

As Europe continues to roll out cybersecurity policies, as witnessed in the latest Digital Services Act Package or the Cyber Solidarity Act, businesses are going to be increasingly regulated. Also in the pipeline is the Commission’s project on the European Cyber Shield, proposed under the Cyber Solidarity Act. This is a pan-European infrastructure made up of transborder security services across Member States, which will detect and provide timely warnings on cyber-attacks using artificial intelligence (AI). Discussions on the proposed Regulation on the EU Cyber Solidarity Act, as well as the targeted amendment to the Cybersecurity Act, are in their infancy, with the European Parliament and the Council about to commence their scrutiny.

Legislation is constantly evolving to keep up with the advancement of new technologies which, in turn, will accelerate the need to be able to tackle new cybersecurity threats. With so much in the pipeline, this is a pivotal time for organisations in this space to showcase their innovative solutions, provide expertise and engage with policymakers to shape legislation that is fit for purpose.

At Whitehouse Communications, our team of experts are driven to help clients navigate the complicated worlds of tech and communication policy. Your issues are our issues. We want to help your organisation deliver significant policy and regulatory changes. Whether you’re working in the UK or the EU – get in touch with us to discuss how we can help.