EU works to develop robust cybersecurity policies

by Rex Wempen
Published: Apr 14, 2023
Last updated: Jan 9, 2025

Originally published at Europe in Review on April, 2023

The Russian invasion of Ukraine is rapidly changing how the European Union (EU) sets cybersecurity policies as the bloc moves to combat an increasing risk of attack against its critical infrastructure.

European Commission and industry leaders said during a cybersecurity conference on March 23 in Brussels that Europe needed to implement higher security standards for critical infrastructure. The Forum Europe conference was organised in partnership with the European Cyber Security Organisation (ECSO).

The forum “explored Europe’s response to cyber security issues in a dynamically evolving global risk landscape and what the next steps for all actors of the ecosystem should be to create a safe and secure environment allowing Europe to leverage the tremendous socio-economic benefits offered by digital technologies,” it said. [ECS]

A cyber attack on March 20 against Italy’s Ferrari highlighted the ongoing threat against European businesses, and the need for the EU to respond to the persistent threat. The European Central Bank asked in March all major lenders in the eurozone to detail by next year how they would “respond to and recover from a successful cyber attack.” [WSJ][FT]

The ECB is in the process of designing a scenario involving a theoretical breach of the financial system’s cyber defences, which will be sent to all of the 111 banks it supervises to assess how they would react. Enria said it would have the results by the middle of next year.

Critical infrastructure owners and operators, such as the port of Rotterdam, are also researching how to upgrade their current defence measures by assessing leading public private cybersecurity information sharing programs, such as those established in the Port of Los Angeles, which withstands an estimated 40 million cyber attacks per month utilising advanced cybersecurity defences.

Rotterdam established its own program in 2021 with companies operating in the port, local law enforcement, and the Dutch National Cyber Security Center. Last year, an alleged Russian cyber attack temporarily disrupted operations at the leading European oil import port terminal complex of Amsterdam-Rotterdam-Antwerp. [FERM][WEF][LA] [WSJ]

NIS2

The EU passed the Directive on Network and Information Security Two (NIS2) in December 2022, updating the original 2016 directive, as it tries to improve its cyber defences. The new directive mandates that EU member states publish compliance measures by October 2024. [EU]

NIS2 also aims to establish a common baseline of cybersecurity, similar to that of the US National Institute of Standards Cybersecurity Framework. [CFW]

The new baseline will require significant changes for industry as they attempt to comply with new cyber incident reporting requirements and utilise new manufacturing standards under a secure by design model. New specified risk management standards are expected to increase cybersecurity, but they may also affect corporate autonomy and require expensive adjustment.

Businesses will be required to have a business continuity plan in case of cyber attack and implement risk management policies and cybersecurity upgrades to meet specified standards. Regulated business sectors, including energy, transport, banking, digital infrastructure, information and communications technology (ICT) service provision, healthcare, and others are specified.

EU-CyCLONe

The EU has also established theEuropean Cyber Crises Liaison Organisation Network (EU-CyCLONe). It requires each member state to develop a national strategy to safeguard information systems, including the designation of cyber incident response teams.

The EU will also publish cybersecurity regulations for cloud service providers – including major international companies such as Amazon, Microsoft, Google and Oracle –, Domain Name Service (DNS) providers that administer internet websites, online managed service providers remotely managing information technology assets – such as famous hacking victim Solar Winds – and search engines themselves.

(rw/gc)