At the ISSA London 2013 European conference on February 5, Ann-Sofie Ronnlund, of the EC’s directorate-general for communication networks, content and technology, told the audience that due to increased cyber threats, the European cyber security strategy is focused on addressing insufficient national preparedness and boosting co-operation across the EU.
“We need to work together to counteract the cyber risks and the incidents that are happening cross-border. We need to ensure a safe and resilient digital environment in respect of fundamental rights and EU core values”, Ronnlund said.
The EC strategy has three main aims: to prevent and fight cybercrime; to strengthen the security and resilience of networks and information security systems; and to establish a more coherent European cyber security policy.
The proposed legislation on NIS, Ronnlund advised, will:
- Improve the security of smart grids and industrial control systems
- Fight botnets
- Raise awareness
- Develop cyber security standards and procurement policies
- Encourage research investment
- Develop industrial and technical resources at an EU level
The European Cybercrime Centre (EC³) at Europol in The Hague will provide support to “enhance national capabilities to investigate and combat cybercrime”, and encourage the fast implementation of cybercrime directives, Ronnlund said.
The cyber defence policy strategy, advised Ronnlund, aims to “Gather national initiatives under one EU umbrella” and encourage dialogue and co-operation between the military and civilian sectors, establishing an international cyberspace policy. Such policy would enshrine basic human rights and EU core values, Ronnlund insisted.
A further objective of the proposed NIS directive, she advised, is to strengthen the relationship and cooperation between the public and private sectors. Trust is essential, said Ronnlund, who also emphasized the importance of “better trust between member states” and “increased trust from consumers in relation to online payments. We need to promote trust in a digital economy”.
Finally, Ronnlund referenced the risk management component of the proposed directive, which includes the requirement for data breach disclosures to national data protection authorities.
The proposal is to extend the data breach disclosure obligation to the energy sector, healthcare, credit providers, transport, and providers of search engines and electronic payment platforms.
The obligations to report data breaches will apply only to “significant” incidents from a “societal point of view”, Ronnlund assured the audience.
“We need to establish trust between states and end users through increased transparency,” she concluded.