EC Proposes Pan-European Cyber-Agency

The European Commission has issued a new set of cybersecurity policy proposals, including the designation of a pan-European agency with a mandate to address cyberthreats and attacks.  

The proposal comes hot on the heels of European Commission president Jean-Claude Juncker's State of the European Union speech, where he backed the idea of setting up a “European cybersecurity agency.” Juncker noted that Europe needed defense in a world where the EU faced 4,000 ransomware attacks per day last year.

“Cyberattacks know no borders and no one is immune,” he said. “This is why, today, the commission is proposing new tools, including a European cybersecurity agency, to help defend us against such attacks. Cyber-attacks are sometimes more dangerous for the stability of democracies and economies than guns and tanks.”

He did not mention the European Union Agency for Network and Information Security (ENISA), an EU agency based in Greece that was set up in 2004, but a Commission official later confirmed that he meant an expansion of its role to become the focal point for cyber-activities for the 28-country bloc.

The official told the EU Observer that ENISA “will be reinforced so that it can assist EU countries which face cyberattacks and prepare them with annual cyber-exercises,” dovetailing with the EU proposal.

As it stands, ENISA is a small agency with a low budget and few staff compared to other EU agencies. It also has a fixed-term mandate, the EU noted. Under the proposal, ENISA would be granted a permanent mandate and thus be put on a stable footing for the future (but still subject to regular review). ENISA’s role would be greatly expanded, clarified and specifically designated as the EU agency for cybersecurity and as the central reference point in the EU cybersecurity ecosystem.

This would also acknowledge ENISA’s recently delineated responsibilities under the NIS Directive, which establishes security requirements as legal obligations for the key economic actors, notably operators providing essential services and suppliers of some digital services.

ENISA’s role would also be expanded to include oversight over security certification for ICT and internet of things (IoT) products and services.

“ICT cybersecurity certification becomes particularly relevant in view of the increased use of technologies which require a high level of cybersecurity, such as connected and automated cars, electronic health or industrial automation control systems (IACS),” the EU noted in the lengthy proposal. It added, “The establishment of a certification system would require the setting-up of an appropriate governance system at EU level, including thorough expertise provided by an independent EU agency. In this respect, the present proposal identifies ENISA as the natural EU-level body competent on cybersecurity matters which should take up such role to bring together, and coordinate the work of, national competent bodies in the field of certification.”

The security community welcomed the news.

“Recent incidents have confirmed that not only do we have an increasing dependency on digital alternatives of physical processes to access a service or buy goods, but there is a significant impact that can occur when these virtual digital processes fail,” said Greg Day, vice president and chief security officer for EMEA at Palo Alto Networks, in a media statement. “Recent ransomware attacks have highlighted many unintended consequences when the technologies underpinning our digital existence fail or are suddenly inaccessible. As our society and economy digitizes more ways of life more pervasively, cybersecurity must continue to adapt and evolve at the same pace to embrace the opportunities that technology enables.”

He added, “In recent years, the EU has undertaken several substantive cybersecurity-related activities, including finalizing the NIS Directive and GDPR. Initial review of the documents uncovers a clear intent to build upon those efforts. Some plans in the strategy, such as increasing cybersecurity-related training, stepping up law enforcement activities, and accelerating cyberthreat information sharing, are essential steps. We look forward to reviewing the strategy and other documents in detail and determining how we can support and contribute to Europe’s digital innovation plans and cybersecurity goals.”

Source: Information Security Magazine