The European Commission (EC) has announced plans to substantially beef up the region’s cyber security capabilities, including an EU-wide cyber security certification scheme.
The plans were announced by EC President Jean-Claude Juncker during his State of the Union address in Strasbourg, in which he admitted that the region is still not well-equipped when it comes to cyber attacks. Last year alone there were more than 4,000 ransomware attacks per day and 80% of European companies experienced at least one cyber security incident, he said.
The Commission subsequently announced a package of measures and proposed rules to increase cyber security preparedness, resilience and harmonisation in the EU. The measures complement the Network and Information Security Directive, adopted in July 2016, and are due to be implemented next year.
The standout proposal is the creation of a European Cyber Security Agency, transforming the existing European Agency for Network and Information Security (ENISA). Under the plan, ENISA will see its resources double and be given an increased mandate to promote better cyber security and defend against cyber attacks.
Proposed new legislation (a Cyber Security Act) will empower ENISA to assist EU member states in preventing and fighting large-scale cross-border attacks, such as the recent WannaCry and NotPetya ransomware incidents. This would see ENISA organise yearly pan-European cyber security exercises and draw up a blueprint for an EU coordinated response to large-scale cyber attacks.
The wider package of measures also includes a certification scheme for cyber security products and services, as well as a new directive to combat the fraud and counterfeiting of non-cash means of payment and new rules to encourage the flow of non-personal data.
ENISA will be the body charged with overseeing the proposed European certification scheme for online goods and services. This would see the body certify the security of information and communications technology (ICT) products and services according to a comprehensive set of rules, technical requirements, standards and procedures.
Although details of the certification regime have yet to be unveiled, business is likely to welcome such moves. There is already a growing trend for organisations to seek assurances from their business partners that they are cyber secure, through due diligence or adherence to cyber security standards, as well as requirements to purchase cyber insurance.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org