Written by Zsolt G. Pataki,
The European Union (EU) faces a number of challenges to its goal of achieving a trustworthy and cyber-resilient digital single market: (i) a lack of funding for European cybersecurity companies to scale up; (ii) fragmentation of the European cybersecurity industry; (iii) strong dependence on non-EU providers; (iv) misalignment between public research and development programmes and market needs; (v) regulatory fragmentation; and (vi) a lack of common standardisation and procurement requirements across Member States.
These are the main results, in a nutshell, of a study recently published by the European Parliament’s STOA (Science and Technology Options Assessment) Panel entitled ‘Achieving a sovereign and trustworthy ICT industry in the EU’. The project was proposed by Jan Philipp Albrecht (Greens/EFA, Germany), member of the STOA Panel, along with Paul Rübig (EPP, Austria), First STOA Vice-Chair, with the aim of analysing how the EU could achieve an adequate level of cyber-resilience. Fighting cybercrime effectively and ensuring the protection of privacy are critical to guaranteeing people’s trust in a digital environment. The cross-border character of today’s cyber-threats demands a strong, coordinated effort from Member States. Cyber-threat strategies, however, remain a national competence, with each Member State defining its own cybersecurity strategy according to its priorities. This situation seriously challenges EU coordination and results in regulatory fragmentation.
As part of this project, STOA organised a workshop on 27 September 2017, chaired by Jan Philipp Albrecht. The workshop provided additional inputs for the study and served as a forum between policy-makers, experts and the public, focusing on how digital service providers challenge data privacy and on the remedies that the EU can implement to ensure data reciprocity when citizens use search engines. Key expert speakers shared their views on the challenges that Europe faces in developing a cyber-resilient ICT industry, the risks of depending on non-EU providers, as well as the opportunities for European industry to compete in the vibrant and dynamic cybersecurity market. They agreed that establishing policies to increase EU cyber-resilience is crucial to the construction of a trustworthy digital economy and society. An institutional framework is needed in this context, where public bodies at the European and national levels can improve cooperation and coordination on tackling cyber-threats, and are able to foster a healthy and competitive cybersecurity industry in Europe, to reduce excessive dependence on non-EU cybersecurity providers.
The interim study was presented to the Civil Liberties, Justice and Home Affairs (LIBE) Committee on 21 November 2017, and received very positive feedback. The final study was discussed by experts and MEPs during its presentation to the STOA Panel on 14 December 2017.
The study identifies a set of key policy options for consideration, structured in four groups:
- Institutional policies aim at enhancing regulatory remedies to fight cybercrime while improving coordination between different public administrations. The role of EU bodies (mainly ENISA, the EU Agency for Network and Information Security) is limited to advising Member States and raising awareness among citizens. The Directive on security of network and information systems (NIS Directive) and the proposed regulation on the agency grant new responsibilities to ENISA, although its scope remains limited to the areas of advice and assistance. Reinforcing the role of ENISA as an independent and permanent agency, not subject to national interests, would be advisable, as suggested in the proposal for a new regulation on the agency.
- Market policies seek to create a level playing field across Member States, to ease cross-border trade of cybersecurity products and services. The policy options include: (i) unifying public procurement requirements of cybersecurity solutions; (ii) creating a trustworthy label for European cybersecurity products; and (iii) harmonising standardisation and certification of cybersecurity products.
- Industry policies focus on establishing the right conditions for the European cybersecurity industry to flourish in competition with third country providers. Policy options include: (i) fostering the development of open-source cybersecurity products; (ii) developing a cybersecurity industrial policy; (iii) supporting the creation of investment instruments focused on the cybersecurity sector; (iv) fostering market-driven research activities; and (v) increasing the availability of workers in the area of cybersecurity.
- Demand-side policies seek to increase end users’ (individuals and companies, mainly SMEs) commitment to, and knowledge of, the cybersecurity process.
In the study, each of these broad policy options is further broken down into specific policy options.
As an immediate consequence of this study, it is worth mentioning that Jan Philipp Albrecht – in his capacity as rapporteur for the LIBE Committee opinion on the Regulation on ENISA, the ‘EU Cybersecurity Agency’, repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘Cybersecurity Act’) – stated the goal of his amendments was to achieve a significant push towards higher IT security standards and better IT resilience across the EU, citing the STOA study as a reference.