Overview of selected policies relevant to the Digital Security call
1.14th progress report towards an effective and genuine Security Union
Countering cybercrime and enhancing cybersecurity remains a priority for EU action. In order to create synergies, scale up existing competences and research and come up with marketable solutions that can improve cybersecurity of the Digital Single Market, the Commission launched, on 1 February 2018, a call for proposals for a EUR 50 million pilot project to support the creation of a network of cybersecurity competence centres across the EU. The network will bring together research expertise in cybersecurity from across the European Union (e.g. university labs/public or private
The recent use of cyber means to manipulate behaviour, deepen societal divides and subvert democratic systems and institutions has only served to underscore the need to preserve tools which ensure accountability online. This was another aspect highlighted in the 2017 Joint Communication, notably by improving the availability and accuracy of information in the "WHOIS" domain name registration database, which is an important resource for cybercrime investigations and cybersecurity. As work is ongoing within ICANN to make this database compliant with data protection rules, in particular the General Data Protection Regulation, the Commission sent a letter to ICANN on the dual objectives of ensuring quick access to its directories for public interest purposes whilst being fully compliant with EU data protection rules. The ICANN Government Advisory Committee, in which national governments and the Commission are represented, voiced its concerns and called on ICANN to ensure continued access to the WHOIS, including
In January 2018, the European Commission set up an independent
On 16 April 2018, the Foreign Affairs Council adopted Council conclusions on malicious cyber activities. These conclusions are a practical implementation of the Joint EU Diplomatic Response to Malicious Cyber Activities (the "cyber diplomacy toolbox") in response to specific malicious cyber activities, such as the WannaCry and NotPetya cyberattacks. The Foreign Affairs Council Conclusions underline the importance of an open, free, peaceful and secure cyberspace, and stress that the application of existing international law and the adherence to voluntary
Read the whole report
Also see the document “The European Agenda on Security”, which defines three priorities for European security, including cybercrime and cybersecurity.
2.General Data Protection Regulation (GDPR)
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
Read the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Click to get a compact picture with links to relevant legislation concerning the Rules for the protection of personal data inside and outside EU.
If you are looking for a website that educates the public about main elements of the General Data Protection Regulation, then check the GDPR Portal. To get an overview of the main changes under GDPR and how they differ from the previous directive click here.
3.Digital Single Market
A Digital Single Market is one in which the free movement of goods, persons, services and capital is ensured and where individuals and businesses can seamlessly access and exercise online activities under conditions of fair competition, and a high level of consumer and personal data protection, irrespective of their nationality or place of residence.
It has a
The Digital Single Market Strategy will be built on three pillars:
•Better access for consumers and businesses to online goods and services across Europe – this requires the rapid removal of key differences between the online and offline worlds to break down barriers to
•Creating the right conditions for digital networks and services to flourish – this requires
•Maximising the growth potential of our European Digital Economy – this requires investment in ICT infrastructures and technologies such as Cloud computing and Big Data, and research and innovation to boost industrial competitiveness as well as better public services, inclusiveness and skills;
Scientific advice in the area of cybersecurity was requested by Vice President Ansip and Commissioner Oettinger during the first meeting of the SAM High Level Group on 29 January 2016. The corresponding scoping paper outlines the issues at stake, the EU policy landscape and the potential areas for scientific advice to inform
Acknowledging the broader scope of the cybersecurity topic, the SAM High Level Group agreed at its second meeting on 17 March 2016 to focus its work on the question of Digital Identities for a Digital Single Market. 2nd Scientific Opinion of the SAM HLG: Cybersecurity in the European Digital Single Market.
The NIS Directive is the first piece of
The Directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States have 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services.
The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:
•Member States preparedness by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority,
•cooperation among all the Member States, by setting up a cooperation group, in order to support and facilitate strategic cooperation and the exchange of information among Member States. They will also need to set a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks,
•a culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and notification requirements under the new Directive.
5.eIDAS – Regulation on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
As of 1 July 2016, the provisions applicable to trust services apply directly in the 28 Member States. This means that trust services under eIDAS are no longer regulated by national laws. As a result, the qualified trust services are recognised independently of the Member State where the Qualified Trust Service Provider is established or where the specific qualified trust service is offered.
Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
6.Communication: “Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative
In its Communication of 5 July 2016 the European Commission announces the launch of a
7.Proposal for an
The European Commission's proposal for a Regulation on Privacy and Electronic Communications aims at reinforcing trust and security in the Digital Single Market by updating the legal framework on ePrivacy.
European legislation is keeping up with the fast pace at which
the data protection framework, which culminated in the adoption in April 2016 of the new General Data Protection Regulation. The ePrivacy legislation needs to be adapted to align with these new rules.
The proposal for a regulation on high level of privacy rules for all electronic communications includes:
•New players: privacy rules will in the future also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger and Skype. This will ensure that these popular services guarantee the same level of confidentiality of communications as traditional telecoms operators.
•Stronger rules: all people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
•Communications content and metadata: privacy is guaranteed for communications content and metadata, e.g. the time of a call and location. Metadata have a high privacy component and are to be anonymised or deleted if users did not give their consent, unless the data are needed for billing.
•New business opportunities: once consent is given for communications data - content and/or metadata - to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals; these could help public authorities and transport companies when developing new infrastructure projects.
•Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for
•Protection against spam: this proposal bans unsolicited electronic communications by emails, SMS and automated calling machines. Depending on national law people will either be protected by default or be able to use a
•More effective enforcement: the enforcement of the confidentiality rules in the Regulation will be the responsibility of data protection authorities, already in charge of the rules under the General Data Protection Regulation.
8.Cybersecurity Package 2017
Joint Communication JOIN(2017)450: The Commission announced the intention to create a Cybersecurity Competence Network with a European Cybersecurity Research and Competence Centre, currently reflected in
As part of the EU cybersecurity strategy, the European Commission and the European Cyber Security Organisation (ECSO) signed a cPPP on 5 July 2016.
The aim of the partnership is to foster cooperation between public and private actors at early stages of the research and innovation process in order to allow people in Europe to access innovative and trustworthy European solutions (ICT products, services and software). These solutions take into consideration fundamental rights, such as the right for privacy.
It also aims to stimulate the cybersecurity industry, by helping align the demand and supply sides to allow industry to elicit future requirements from
The cPPP will be instrumental in structuring and coordinating digital security industrial resources in Europe. It will include a wide range of actors, from innovative SMEs to producers of components and equipment, critical infrastructure operators and research institutes, brought together under the umbrella of ECSO.
The EU will invest up to €450 million in this partnership, under its research and innovation programme Horizon 2020. Cybersecurity market players are expected to invest three times more.
Read the policies behind the cPPP on cybersecurity, in the reference documents section.
10.State of the Union 2017 - speech of the President of the Commission (13/09/2017)
•there is a need for a Europe that protects, empowers and defends;
•the priority is to better protect Europe in the digital age
On 13 September 2017 the Commission issued a proposal for a regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification (''Cybersecurity Act'').
Certification plays a critical role in increasing trust and security in products and services that are crucial for the digital single market. At the moment, a number of different security certification schemes for ICT products exist in the EU. Without a common framework for EU-wide valid cybersecurity certificates, there is an increasing risk of fragmentation and barriers in the single market.
The proposed certification framework will provide
The certification will attest that ICT products and services that have been certified in accordance with such a scheme comply with specified cybersecurity requirements. The resulting certificate will be recognized in all Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service.
The schemes proposed in the future European framework will rely as much as possible on international standards, as a way to avoid creating trade barriers and to ensure coherence with international initiatives.
12.Digital Summit in Tallinn
The Estonian Presidency of the Council of the European Union, in cooperation with the President of the European Council and the European Commission, organised the Tallinn Digital Summit to bring together EU heads of state or government on 29 September 2017. Main conclusions from the Summit:
•"We should make Europe a leader in cybersecurity by 2025, in order to ensure the trust, confidence, and protection of our citizens, consumers and enterprises online and to enable a free and
•"Europe needs a common European approach to cybersecurity. Europe has to function as a single European cyberspace and a single cybersecurity market, including in terms of
13.Exploring the opportunities and limitations of current Threat Intelligence Platforms
The main objective of this report is to understand the limitations of threat information sharing and of the analysis tools that are currently in use. The second objective is to provide recommendations so that these limitations can be addressed and overcome.
14.Recommendations on aligning research programme with policy
The scope of this report is to review existing analysis reports on EU-funded Trust and Security projects, summarise achievements that have significantly promoted specific pillars of NIS, identify and summarise specific outcomes that can promote and support emerging policy and legislative initiatives (namely eIDAS and GDPR) and industry policy in cybersecurity, and provide recommendations on the formulation of forthcoming work programmes.
15.Handbook on Security of Personal Data Processing
The overall scope of the report is to provide practical demonstrations and interpretation of the methodological steps of ENISA’s 2016 guidelines for SMEs on the security of personal data processing. This is done through specific use cases and pragmatic processing operations that are common to all SMEs.
Increase the visibility of security-related research in Europe and optimise the networking between research facilities, universities, public authorities, end users, suppliers of security solutions and operators of critical infrastructures.
The NCPs are national structures, established and financed by the governments of the 28 EU Member States and of the States Associated to the EU R&I Framework Programme. NCPs are also established in many non-EU and non-Associated Countries.