On 16 November 2021, EIF hosted a virtual debate on the ‘EU cybersecurity strategy - how to ensure a more cybersecured EU?’ to take stock of the EU’s cybersecurity strategy, including the progress made on the adoption of the NIS2 Directive.
The debate, hosted by MEP and EIF member Bart Groothuis, was moderated by EIF Director General Maria Rosa Gibellini and featured the following cybersecurity experts:
- Lokke Moerel, Professor Global ICT at Tilburg University, Member of the Dutch Cyber Security Council, and cyber expert on the European Commission’s Horizon2020 Innovation Program
- François Zamora, Chief Security Officer, European Division Orange
- Jakub Boratynski, Head of Unit for Cybersecurity and Digital Privacy, DG CNECT, European Commission
MEP Bart Groothuis set the scene by focusing on how to make the European Union more cyber secure: despite all the current initiatives, such as the Cyber Security Act or the NIS2 Directive, we are far from done, said the MEP.
MEP Groothuis suggested three actions the EU should take: (1) develop new capabilities at European scale (such as a DNS capability announced in the Cybersecurity Strategy of the European Commission), (2) improve digital sovereignty with the creation of a European sovereign space and (3) make cybersecurity in the European institutions a political and top-level subject, through new legislation allowing the institutions to keep citizens safe.
“The European Union needs to be more of a geopolitical power in this changing world.”
Lokke Moerel congratulated MEP Bart Groothuis on his work on the NIS2 Directive draft (for which he is rapporteur for the European Parliament), in which she sees many improvements, and gave an overview of what, according to her, is still missing: (1) since AI and cybersecurity are so intertwined, AI innovation hubs and cyber excellence centers should be combined; (2) cybersecurity should be fully part of the political discussions and the cyber sanction regime should be promoted as a political instrument to show Europe is serious about cyber; (3) a consistent and harmonized approach and standards, with well-functioning enforcement and strong political direction.
François Zamora brought the industry perspective, giving a clear vision of how to fill the gaps in the supply chain of products and software and prevent a systemic level of risk. This can be done only by fostering cybersecurity at an ecosystem level through (1) making all critical actors in telcos’ networks and technologies responsible for their role in the ICT value chain, and (2) fostering cybersecurity rating with a trusted and transparent approach in the ecosystem, so as to have agencies that are controlled, monitored, and also transparent about the methodologies they are using.
To enable that at a European level, we need to drive our self-determination towards European digital sovereignty; the EU and the institutions need to be well aware of the stakes of cybersecurity and, more generally, we need to have sufficient openness in the way we deal with our geopolitical system and know what our dependencies on technologies and services are.
It is possible to rely on non-EU technologies on top of which we would have EU sovereign software. The way forward, in the context of the quest for European digital sovereignty, is to make the software industry aware of the vulnerabilities it is introducing by using a variety of open-source software, and to make the ecosystem for cyber rating agencies transparent and trusted.
Jakub Boratynski focused on the importance of the cybersecurity of products in the internal market and of being collectively prepared to manage a major cyber crisis in Europe.
On the first point, this objective was set out in the strategy adopted by the European Commission and will also be present in the Cyber Resilience Act; that would require a major dialogue and engagement with the industry.
On the second point, there is a need to build up national capabilities and develop EU-level cooperation. Mr. Boratynski thinks that there are still uncertainties about how we would manage this kind of crisis collectively; this is why the European Commission adopted, some years ago, recommendations on the so-called blueprint to develop a comprehensive framework for cyber crisis response and, this year, published recommendations for a Joint Cyber Unit.