EU kicks off cyber and free flow of data framework

Matteo Natalucci Published 20 September 2017

EU scales up its response to cyber-attacks and proposes framework for free flow of non-personal data in the EU


Following the EU state of the union speech, the European Commission has unveiled a wide-ranging cybersecurity package to equip EU nationals with effective tools to deal with cyber-attacks. It has also proposed a new set of rules to govern the free flow of non-personal data in the EU.

EU president Jean-Claude Juncker said, "Europe is still not well equipped when it comes to cyber-attacks. This is why the Commission is proposing new tools, including a European cybersecurity agency, to help defend us against such attacks."

The Commission proposes to reinforce the EU's resilience and response to cyber-attacks by strengthening the European Union Agency for Network and Information Security (ENISA), creating an EU-wide cybersecurity certification framework, a blueprint for how to respond to large-scale cybersecurity incidents and crises, and a European cybersecurity research and competence centre.

Building on ENISA, the new EU cybersecurity agency will be given a permanent mandate to assist member states in effectively preventing and responding to cyber-attacks. It hopes to improve the EU's preparedness to react by organising yearly pan-European cybersecurity exercises and by ensuring better sharing of threat intelligence and knowledge through the setting up of information sharing and analysis centres. It will help implement the directive on the security of network and information systems, which contains reporting obligations to national authorities in case of serious incidents.

The Commission said it “now proposes to reform ENISA into a stronger EU cybersecurity agency with a permanent mandate, greater operational resources and a stable footing for the future. The main aim of the agency is to assist member states in implementing the NIS directive. New tasks and resources will be given to the agency in areas such as operational cooperation and Information and communication technologies (ICT) security certification in order to reflect the new reality and needs in cybersecurity. ENISA will therefore play an important role in the field of EU cybersecurity certification policy by preparing, in cooperation with Member States' certification authorities, candidate European cybersecurity certification schemes. The new Agency's mandate, objectives and tasks will be subject to regular reviews.”

The cybersecurity agency would also support the implementation of the EU-wide certification framework that the Commission is proposing to ensure that products and services are cyber secure. New European cybersecurity certificates will ensure the trustworthiness of devices (internet of things) which drive critical infrastructures, such as energy and transport networks, but also new consumer devices, such as connected cars. Cybersecurity certificates will be recognised across member states. The use of the certification schemes will be on a voluntary basis for market players.

To reinforce the EU's cybersecurity capacity, the Commission proposes:

- The establishment of a European cybersecurity research and competence centre that will help member states to develop and roll out the tools and technology needed to keep up with an ever-changing threat and make sure our defences are as state-of-the-art as the weapons that cyber-criminals use. It will complement capacity-building efforts in this area at EU and national level. A pilot will be set up in the course of 2018.

- The creation of a blueprint for how Europe and member states can respond quickly, operationally and in unison when a large-scale cyber-attack strikes. The proposed procedure also asks member states and EU institutions to establish an EU cybersecurity crisis response framework to make the Blueprint operational. It will regularly be tested in cyber and other crisis management exercises.

- The possibility of a new cybersecurity emergency response fund, which could be considered for those member states that have responsibly implemented all the cybersecurity measures required under EU law.

- The creation of a cyber defence training and education platform in 2018. The EU and NATO will together foster cyber defence research and innovation cooperation. Cooperation with NATO, including participation in parallel and coordinated exercises, will be deepened.

- Enhanced international cooperation: The EU will strengthen its response to cyber-attacks by implementing the framework for a joint EU diplomatic response to malicious cyber activities, supporting a strategic framework for conflict prevention and stability in cyberspace. This will be coupled with new cyber capacity building efforts to assist third countries to address cyber threats.

The EU's proposals further include a new directive on the combatting of fraud and counterfeiting of non-cash means of payment to provide for a more efficient criminal law response to cyber-attack crime, as well as a Framework for a Joint EU diplomatic response to malicious cyber activities and measures to strengthen international cooperation on cybersecurity.

The new rules to govern the free flow of non-personal data in the EU will, together with the already existing rules for personal data, enable the storage and processing of non-personal data across the Union to boost the competitiveness of European businesses and to modernise public services in an effective EU single market for data services. Removing data localisation restrictions is considered the most important factor for the data economy to double its value to 4% of GDP in 2020.

Andrus Ansip, Vice-President for the Digital Single Market, said, "No country can face cybersecurity challenges alone. Our initiatives strengthen cooperation so that EU countries can tackle these challenges together. We also propose new measures to boost investment in innovation and promote cyberhygiene."

Julian King, Commissioner for the Security Union, said, "We need to work together to build our resilience, to drive technological innovation, to boost deterrence, reinforcing traceability and accountability, and harness international cooperation, to promote our collective cybersecurity."

Mariya Gabriel, Commissioner for the Digital Economy and Society, said: "We need to build on the trust of our citizens and businesses in the digital world, especially at a time when large-scale cyber-attacks are becoming more and more common. I want high cybersecurity standards to become the new competitive advantage of our companies."

To effectively step up the investigation and prosecution of cyber-enabled crime, the Commission will also present proposals to facilitate cross-border access to electronic evidence in early 2018. In parallel, the Commission is implementing practical measures to improve cross-border access to electronic evidence for criminal investigations, including funding for training on cross-border cooperation, the development of an electronic platform to exchange information within the EU and the standardisation of judicial cooperation forms used between member states.

Finally, to better assist member states and boost their cybercrime investigative capabilities, the Commission will dedicate €10.5 million under the internal security fund (ISF).
