Improving capacity and cybersecurity cooperation in the context of existing and proposed EU legislation

Cyber space has become a critical domain: countries, organisations and individuals rely on a secure and operational cyber space to conduct business and social activities. Cybersecurity is therefore essential to protect this domain from existing and newly emerging threats.

The European Union is at the forefront of putting in place the legislative and operational frameworks that support measures to enhance cybersecurity within the bloc. The EU started legislating as early as 2013, enacting Directive 2013/40/EU, the Directive on attacks against information systems. This directive was one of the first steps towards cybersecurity legislation in the EU; its objectives include defining the offences (illegal access to information systems, illegal system and data interference, illegal interception, and the production or supply of tools for committing these offences), establishing penalties for those offences, and laying down measures for the effective investigation and prosecution of cybercrime targeting information systems. It also addresses jurisdiction, so that offenders can be prosecuted within the EU regardless of where the attack originated; requires Member States to cooperate through a network of operational points of contact available around the clock; and ensures that legal persons, such as companies and organisations, can be held liable for offences committed for their benefit. Directive 2013/40/EU aims to improve cooperation between law enforcement agencies and thereby enhance the overall cybersecurity of the European Union.

To strengthen its cybersecurity capabilities and resilience against cyber threats, the EU adopted the Directive on security of network and information systems (the NIS Directive, Directive (EU) 2016/1148). Its purpose is to harmonise the approach to cybersecurity across Member States and to improve the overall cyber readiness of the Union and the protection of critical infrastructure and essential services from cyber-attacks. Its main objectives include enhancing the cybersecurity of critical entities; identifying the operators that are essential for the maintenance of critical societal and economic activities; establishing national NIS strategies, competent authorities and computer security incident response teams (CSIRTs); setting incident notification and reporting requirements for the identified operators of essential services and for digital service providers; and promoting collaboration and information sharing. The NIS2 Directive (Directive (EU) 2022/2555) builds on and replaces the original directive, widening its scope from operators of essential services and digital service providers to a broader range of sectors and entities, including public administration, and tightening the security and reporting obligations that apply to them.

In 2019 the EU adopted the Cybersecurity Act (Regulation (EU) 2019/881), the next step towards a more consistent and robust cybersecurity landscape across the EU. The Act gives ENISA, the EU Agency for Cybersecurity, a permanent mandate and establishes a European cybersecurity certification framework for ICT products, services and processes. By establishing common standards and certification schemes, it aims to protect consumers, businesses and critical infrastructure from cyber threats and to enhance trust in digital products and services within the EU market.

The latest EU initiative to further enhance cybersecurity is the proposed Cyber Resilience Act (CRA). Its purpose is to regulate the cybersecurity of hardware and software products that are not yet covered by other EU legislation, to ensure their security and resilience. The Act applies to products with digital elements: hardware and software products, including firmware, operating systems, embedded software and software components, together with their remote data-processing solutions. The Act has two main objectives, intended to ensure the development of secure and resilient products and the proper functioning of the internal market:

  1. create conditions for the development of secure products with digital elements, by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product's life cycle;
  2. create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

To achieve these, four specific objectives were set out:

  1. ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
  2. ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  3. enhance the transparency of the security properties of products with digital elements;
  4. enable businesses and consumers to use products with digital elements securely.

With these acts and directives, the EU is sending a clear message that cybersecurity is a priority domain and that it will mandate or support actions to improve the security posture of the EU cyber space. All of these directives and acts need to be implemented, and the EU has therefore invited Member States and the private sector to propose initiatives that support this legislative framework. Through the Digital Europe Programme, funds have been made available for action grants in the field of cybersecurity. One of the funded topics is DIGITAL-ECCC-2023-DEPLOY-CYBER-04-EULEGISLATION, "Support for Implementation of EU Legislation on Cybersecurity and National Cybersecurity Strategies". Its objective is capacity building and improved cooperation on cybersecurity at the technical, operational and strategic levels, in the context of existing and proposed EU legislation on cybersecurity such as the NIS2 Directive (Directive (EU) 2022/2555), the Cybersecurity Act, the proposed Cyber Resilience Act and the Directive on attacks against information systems (Directive 2013/40/EU). The outcomes expected from this call are:

  1. Incident management solutions that reduce the overall cost of cybersecurity for individual Member States and for the EU, improve compliance with NIS2 (Directive (EU) 2022/2555), and raise the level of situational awareness and crisis response in Member States.
  2. Organisation of events, workshops and stakeholder consultations, and publication of white papers.
  3. Enhanced cooperation, preparedness and cybersecurity resilience in the EU.
  4. Support actions in the area of certification.

The National Cybersecurity Coordination Centre for Malta (NCC-MT), which operates under the auspices of MITA, promotes EU funding opportunities within Maltese territory and provides technical assistance to Maltese entities applying for EU funding calls. The NCC therefore encourages interested parties to participate in this funding initiative and apply for funds that will contribute to improving cybersecurity in the EU. More information on this call for proposals is available on the NCC-MT website: https://ncc-mita.gov.mt/funding-calls/.

This article is co-funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.