Building a European Cyber-Shield
The Commission proposes to build a network of Security Operations Centres across the EU, and to support the improvement of existing centres and the establishment of new ones. It could commit over 300 million euros to support public-private and cross-border cooperation in creating national and sectoral networks. Member States are encouraged to co-invest in this project.
The centres would then be able to more efficiently share and correlate the signals detected and create high-quality threat intelligence to be shared with ISACs and national authorities. The goal would be to connect, in phases, as many centres as possible across the EU to create collective knowledge and share best practices. This network would constitute what the Commission calls “a European Cyber-Shield”.
The Commission also advocates for an increased use of Artificial Intelligence by these centres (e.g. to detect threats).
An ultra-secure communication infrastructure
The Commission refers to the quantum communication infrastructure (QCI) currently being developed by Member States (see previous briefing here).
Going further, the Commission will explore the possible deployment of a multi-orbital secure connectivity system. Building on GOVSATCOM and QCI, it would integrate cutting-edge technologies (Quantum, 5G, AI, edge computing) adhering to the most restrictive cybersecurity framework to support secure-by-design services such as encrypted communication for critical governmental activities.
5G security
The Commission calls on the Member States to implement the 5G toolbox by Q2 2021 (more details on the toolbox here). It refers to the Commission Report on the impacts of the Commission Recommendation on the Cybersecurity of 5G networks. This report was also unveiled on 16 December.
For more details, see the Appendix on 5G, pages 26-28. Certification, supply chain resilience and standardisation for 5G are mentioned in this Appendix.
An Internet of Secure Things
The Commission is already working on IoT certification under the Cybersecurity Act. It will consider new horizontal rules to improve the cybersecurity of all connected products and associated services placed on the Internal Market. Such rules could include a new duty of care for connected device manufacturers to address software vulnerabilities including the continuation of software and security updates as well as ensuring, at the end of life, deletion of personal and other sensitive data.
As a complement, the Commission would like cybersecurity rules for motor vehicles to be implemented for all new vehicle types as from July 2022. These rules would build on the proposed revision of general product safety rules, which do not directly address cybersecurity aspects.
A European DNS resolver service
The Commission intends to develop a contingency plan, supported by EU funding, for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system.
People and organisations in the EU increasingly rely on a few public DNS resolvers operated by non-EU entities. Such consolidation of DNS resolution in the hands of a few companies renders the resolution process itself vulnerable in case of significant events affecting one major provider, and makes it more difficult for EU authorities to address possible malicious cyberattacks and major geopolitical and technical incidents.
The Commission will encourage relevant stakeholders including EU companies, Internet Service Providers and browser vendors to adopt a DNS resolution diversification strategy. The Commission also intends to contribute to secure Internet connectivity by supporting the development of a public European DNS resolver service. This ‘DNS4EU’ initiative will offer an alternative, European service for accessing the global Internet.
The Commission will also, in liaison with Member States and industry, accelerate the uptake of key internet standards including IPv6 and well-established internet security standards and good practices for DNS, routing, and email security, not excluding a European sunset clause for IPv4 to steer the market if there is insufficient progress towards their adoption.
A reinforced presence on the technology supply chain
The objective is to trigger a similar amount of investments by the Member States, to be matched by industry under a partnership co-governed with Member States in the proposed Cybersecurity Industrial, Technology and Research Competence Centre and Network of Coordination Centres (CCCN). The CCCN should play a key role in reducing dependence on other parts of the globe for the most crucial technologies.
Public and private investment of 4.5 billion euros in cybersecurity is expected through the CCCN.
The Commission also mentions processor technologies, which will be strongly supported.
A Joint Cyber Unit
A Joint Cyber Unit would serve as a virtual and physical platform for cooperation for the different cybersecurity communities in the EU, with a focus on operational and technical coordination against major cross-border cyber incidents and threats.
The Joint Cyber Unit would not be an additional, standalone body. Rather, the Unit would act as a backstop where the participants can draw on one another’s support and expertise.
Four main steps are proposed to deliver the Joint Cyber Unit:
- Define, by mapping available capabilities at national and EU level;
- Prepare, by establishing a framework for structured cooperation and assistance;
- Deploy, by implementing the framework drawing on resources provided by participants so that the Joint Cyber Unit becomes operational;
- Expand, by strengthening coordinated response capacity with input from industry and partners.
EU leadership on standards, norms and frameworks in cyberspace
The Commission wants the EU to step up its leadership in international standardisation and enhance its representation in international and European standardisation bodies as well as other standard development organisations.
Increase cybersecurity within the EU institutions
The Commission notes that there are different levels of cybersecurity across the EU institutions. The Commission will therefore make proposals for common binding rules on information security and for common binding rules on cybersecurity for all EU institutions, bodies and agencies in 2021.
If you have any questions on these issues, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com