European flags wave at the European Commission headquarters in Brussels, on October 12, 2012. Geert Vanden Wijngaert/AP

Here's Where Europe Has Made Big Changes in Cyber Security

The more than two dozen nations that make up the European Union are making surprising new progress in the cyber domain.

It is close to two years to the day that the European Union published its first-ever Cybersecurity Strategy. The document included such high-flying mouthfuls as “achieving cyber resilience,” “drastically reducing cyber crime,” and developing coherent cyberdefense and international cybersecurity policies. What has happened since?

A fair amount, as it turns out—though it is good to keep in mind that EU institutions generally stumble forward instead of marching in unison thanks to their highly fragmented mandates. The Cybersecurity Strategy set the direction for the three main legs of EU cyber policy: the Directorate General for Home Affairs (cybercrime), the European Council and European External Action Service (common foreign and defense policy), and the Directorate General for Economic Affairs (network and information security). As these three legs not only often fundamentally disagree with each other, but also are of different lengths—each has vastly different competencies according to the EU treaties, with Home Affairs the least integrated and Economic Affairs the most—it is a minor miracle that anything has happened at all.

Every leg can claim to be on solid footing. In foreign policy, the European Council, which represents the governments of EU member states, is about to adopt a new Cyber Diplomacy Strategy—probably one of the first times this word has ever been used in an official context. The details of the strategy are still confidential, but it will include a commitment to supporting norms of responsible state behavior in cyberspace, Internet freedom and human rights, cyber capacity building as well as participating in Internet governance. The EU has made substantial progress on the capacity building front in the last twelve months. In collaboration with the Council of Europe, which is pushing for the adoption of the Budapest Convention on Cybercrime, the EU is starting to implement its first projects in Africa and in the Balkans. Internet governance—which will be a particularly decisive issue in 2015—will also be part of the European External Action Service mandate, although squabbles regarding the Internet Corporation for Assigned Names and Numbers’s new top-level domain policy (in particular dot-wine) have created strife among a few members of the Council. To date, the EU has also established five bilateral discussion groups with certain countries and has deepened cooperation with NATO on a range of cyber issues. These discussions have been assisted by the operational expansion of the European Cybercrime Centre, which facilitates law enforcement cooperation and is increasingly becoming a useful tool in cyber diplomacy.

(Related: Global Cyber Defense Demand Will Exceed Capability for Years To Come)

The European Defense Agency (EDA), responsible for funding research into common defense requirements, has expanded upon previously extremely limited efforts to build both national and whole-of-the-union cyberdefense capabilities. This includes supporting research in areas outside of its core field, for instance supporting capabilities for common crisis response. It was revealing that the first major exercise of the new Integrated Political Crisis Response (IPCR) instrument, which itself fulfilled a long-standing demand to field a single EU point of contact for major crisis events, piggy-backed off a long-standing EU cyber crisis management exercise known as Cyber Europe in December 2014, and was supported by the EDA.

The EU crisis management capabilities are also being given a considerable boost by the planned Network and Information Security (NIS) Directive. The NIS Directive is not only much more ambitious than any other part of the Cybersecurity Strategy—it is further reaching than many similar national legislative proposals, including the ill-fated Cyber Information Sharing and Protection Act (CISPA) in the United States. In addition to a number of rather specific requirements for governments such as mandating the creation and minimum capabilities of national Computer Emergency Response Teams, the NIS directive makes significant demands on the private sector. Most remarkably, it states that all “market operators” will be forced to disclose serious cyber incidents on their systems to both their national regulator as well as to the European Network and Information Security Agency. The directive leaves the term “market operator” ill-defined, making it unclear who needs to abide by the reporting requirement. While it would certainly include critical infrastructure operators and internet service providers, it could possibly also include social media companies such as Facebook or similar digital services companies. The exact definition of what constitutes a “market operator” is still a stumbling point, but the extensive lobbying on this issue will most likely not trip up the directive, which is expected to be enacted largely unchanged later this year. The most recent version of the directive seems to imply that the term has been replaced by the phrase “national critical infrastructure”, which indeed would refer to a much tighter group of affected companies.

The EU Cybersecurity Strategy was intended to be comprehensive, and address both external as well as internal cyber challenges. Although the EU is still far away from projecting anything akin to “cyber power,” there is little doubt that significant progress has been made in its promotion of a cyber foreign policy, as a report pointed out in August 2014. The strategy’s most significant contribution is undoubtedly the NIS Directive. When enacted later this year, it will represent one of the most comprehensive pieces of cyber legislation anywhere in the Organization for Economic Cooperation and Development. While the EU treaties tightly limit how effective an EU cyber foreign policy can really ever be, developments such as the NIS Directive and the revised General Data Protection Regulation will represent significant developments in Europe’s cybersecurity, as well as a potential challenge for the private sector. It shows that even stumbling forward can really get Europe quite far, even though some businesses might contend that it’s stumbling in the wrong direction.

This post appears courtesy of CFR.org.
