European Union (EU)
Last Updated: November 2018
Policy
Strategy Documents
Cybersecurity Strategy of the European Union
European Commission

Clarifies principles that should guide cybersecurity policy, with five strategic priorities:

  1. Achieving cyber resilience,
  2. Drastically reducing cybercrime,
  3. Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP),
  4. Developing industrial and technological resources,
  5. Establishing a coherent international cyberspace policy for the EU and promoting core values.
7 February 2013
EU Cyber Defence Policy Framework
Council of the European Union

Identifies priority areas for CSDP cyber defence and clarifies the roles of the different European actors.

18 November 2014
Other Documents
(in progress) Common approach to EU cyber security
European Council

• Requested following the reform package proposed by the European Commission in September 2017.

• Proposal sets out new initiatives such as: building a stronger EU cyber security agency; introducing an EU-wide cyber security certification scheme; and swiftly implementing the NIS Directive.

19-20 October 2017 (requested)
Coordinated Response to Large Scale Cybersecurity Incidents and Crises (Recommendation)
European Commission

• Blueprint for coordinated response to large scale cybersecurity incidents and crises at the Union level;

• Describes and sets out the objectives and modes of cooperation between EU Institutions, bodies, offices and agencies in responding to large scale cybersecurity incidents.

13 September 2017
(in progress) Cyber Diplomatic Toolbox
European Council

• Agreement to develop a framework for a joint EU diplomatic response to malicious cyber activities;

• The toolbox should include diplomatic measures within the EU Common Foreign and Security Policy which could be used against malicious operations directed against member states in cyberspace.

19 June 2017
Communications
Resilience, Deterrence and Defence: Building strong cybersecurity for the EU
European Commission - Joint Communication to the European Parliament and the Council

• Ensures full and effective implementation of the NIS Directive by 9 May 2018;

• Proposal to strengthen ENISA;

• Proposal towards a single cybersecurity market;

• Proposal for a cybersecurity competence network with a European Cybersecurity Research and Competence Centre.

13 September 2017
Making the most of NIS – towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union
European Commission - To the European Parliament and the Council

• Based on the Commission's preparatory work and analysis related to the implementation of the NIS Directive, on the input of the ENISA, and on discussions held with Member States in the transposition phase of the Directive;

• Complements and reinforces the efforts taken so far by bringing together and comparing best practices from Member States.

13 September 2017
Assessing the extent to which the Member States have taken the necessary measures in order to comply with Directive 2013/40/EU on attacks against information systems and replacing Council Framework Decision 2005/222/JHA
European Commission - To the European Parliament and the Council

Assessment acknowledges the major efforts by the Member States to transpose the Directive but notes there is still considerable scope for the Directive to reach its full potential if Member States were to fully implement all of its provisions.

13 September 2017
On the Mid-Term Review on the Implementation of the Digital Single Market Strategy: A Connected Digital Single Market for All
European Commission - To the European Parliament, the Council, the European Economic and Social Committee, and the Committee of the Regions
Calls for the Commission to:
• Review the 2013 EU Cybersecurity Strategy by September 2017
• Review the mandate of ENISA to define its role in the changed cybersecurity ecosystem
• Develop measures on cyber security standards, certification and labelling, to make ICT-based systems more cyber-secure
• Enhance its international cybersecurity cooperation with EU's main trade partners to work towards stronger cybersecurity for connected objects.
10 May 2017
Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry
European Commission - To the European Parliament, the Council, the European Economic and Social Committee, and the Committee of the Regions

In synergy with the Communications on countering Hybrid Threats as well as on Delivering the European Agenda on Security, the Commission is looking at ways to address the evolving cybersecurity reality and assess additional measures that may be necessary to improve the EU’s cybersecurity resilience and incident response.

5 July 2016
Joint Framework on countering hybrid threats, a European Union response
European Commission - Joint Communication to the European Parliament and the Council

Section 4.4 is on Cybersecurity

6 April 2016
The European Agenda on Security
European Commission - To the European Parliament, the Council, the European Economic and Social Committee, and the Committee of the Regions

The Agenda prioritises terrorism, organised crime and cybercrime as interlinked areas with a strong cross-border dimension.

28 April 2015
2010 EU Internal Security Strategy in Action: Five Steps towards a more secure Europe
European Commission - To the European Parliament and the Council

Establishment of Cybercrime Center and National Computer Emergency Response Teams

22 November 2010
On Critical Information Infrastructure Protection: Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience
Commission of the European Communities - To the European Parliament, the Council, the European Economic and Social Committee, and the Committee of the Regions

Enhance the security and resilience of CII; see "5.4 International Cooperation"

30 March 2009
Structure
Specialized Agencies
European Cybercrime Centre (EC3)
Europol

• Strengthen the law enforcement response to cybercrime in the EU and help protect European citizens, businesses and governments from online crime.

• Also see 2CENTRE: Cybercrime Centres of Excellences Network

2013
Computer Emergency Response Team for the European Union (CERT-EU)

Permanent CERT for the EU institutions, agencies and bodies

11 September 2012
European Union Agency for Network and Information Security (ENISA)
European Union Agency for Network and Information Security (ENISA)
Raise awareness of network and information security, and develop and promote a culture of network and information security in society for the benefit of citizens, consumers, enterprises and public sector organizations in the Union.
2004
Telecommunications Ministerial Council of the European Union
Transport, Telecommunications and Energy Council
  • Involved in the preparation of new Directives in security and especially for Critical Information Infrastructure Protection;
  • Responsible for adopting, together with the European Parliament, legislation and guidelines on telecommunications networks and their interoperability. Also aims to improve competition, cyber security and innovation in the telecommunications sector.
Legislation
Regulations and Directives
(proposed) Regulation: Cybersecurity Act
European Commission

Proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 56/2013, and on Information and Communication Technology cybersecurity certification

13 September 2017
(proposed) Directive: Combating fraud and counterfeiting of electronic payments
European Commission
• In line with Article 7 and Article 8 of the Budapest Convention;
• Aims to ensure that a clear, robust and technology neutral policy/legal framework is in place on electronic payments;
• Aims to eliminate operational obstacles that hamper investigation and prosecution, as well as to enhance prevention.
13 September 2017
The Directive on security of network and information systems (NIS Directive)
European Commission
• Creates a Cooperation Group, composed of representatives of Member States, the Commission, and the EU Agency for Network and Information Security (ENISA)
• Requires member states to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority,
• Member States must adopt and publish, by 9 May 2018, the laws, regulations and administrative provisions necessary to comply.
6 July 2016
Regulation (EU) 2016/679
European Commission, European Parliament, Council of Ministers of the European Union

Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Part of the General Data Protection Package)

27 April 2016
Directive (EU) 2016/680
European Commission, European Parliament, Council of Ministers of the European Union

Regulation on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (Part of the General Data Protection Package)

27 April 2016
Directive 2013/40/EU
European Parliament, Council of the European Union

Directive on attacks against information systems (also see follow-up report on 13 September 2017 assessing actions by member-states in accordance with this directive)

12 August 2013
Cooperation
Meetings
European Council Meeting
European Council

• Adopted conclusions on migration, digital Europe, defence, and external relations;
• Conclusions on Digital Europe include: the need for a future-oriented regulatory framework; a common approach to cybersecurity; efforts to combat terrorism and online crime; a sense of urgency to address emerging trends including artificial intelligence and blockchain technologies.

19-20 October 2017
Tallinn Digital Summit
Council of the European Union, European Council, European Commission

• Platform that launched high-level discussions on further plans for digital innovation;
• Discussions focused on the essential topics for building a digital future for Europe: trust, security, e-government, industry, society and the economy.

September 2017
Meeting of the CSIRTs Network

Meeting dedicated to the formal adoption of the Terms of Reference and the Work Plan. The second day saw presentations on CyberEurope, CEF, and various team updates.

February 2017
Activities
Cyber Europe 2018
European Union Agency for Network and Information Security (ENISA)

A series of EU-level cyber incident and crisis management exercises for both the public and private sectors from the EU and EFTA Member States taking place every two years

2018
Cyber SOPEx
CERT-EU

First step in a series of ENISA exercises focusing on training the participants on situational awareness, information sharing, understanding roles and responsibilities and utilising related tools, as agreed by the CSIRTs Network.

30 January 2018
Permanent Structured Cooperation on security and defence (PESCO)
European Union

Joint and collaborative defence capability development projects, including "Cyber Threats and Incident Response Information Sharing Platform" and "Cyber Rapid Response Teams and Mutual Assistance in Cyber Security"

December 2017
European Cybersecurity Month (Mois Européen de la Cybersécurité)
European Union Agency for Network and Information Security (ENISA)

• Awareness campaign that promotes the importance of cybersecurity among citizens and organizations;
• Takes place every October.

Oct. 2017
Global Action on Cybercrime Extended (GLACY+)

• Extension of GLACY, joint project with the Council of Europe aimed at supporting the implementation of the Budapest Convention;
• Aims "to enable criminal justice authorities to engage in international cooperation on cybercrime and electronic evidence";
• Supported seven countries in Africa and the Asia-Pacific: Mauritius, Morocco, Philippines, Senegal, South Africa, Sri Lanka and Tonga.

26-28 October 2016
Global Action on Cybercrime (GLACY)

• Joint project with the Council of Europe aimed at supporting the implementation of the Budapest Convention;
• Aims to strengthen the capacities of States worldwide to apply legislation on cybercrime and electronic evidence and enhance their abilities for effective international cooperation in this area.

1 November 2013-31 October 2016
Contractual public private partnership on cybersecurity (cPPP)
European Commission

Contractual arrangement on a public-private partnership for cybersecurity industrial research and innovation.

5 July 2016
External Cooperation
Memorandum of Understanding, EU Institutions
European Union Agency for Network and Information Security (ENISA), European Defence Agency (EDA), Europol, CERT-EU

• Promoting cooperation on cyber security and cyber defence
• Focuses on five areas of cooperation, namely: Exchange of information; Education & Training; Cyber exercises; Technical cooperation; and Strategic and administrative matters

23 May 2018
Cooperation Agreement, EU-NATO
EU Ministers

Agreement to step up cooperation between the two organisations in a number of areas, including cyber security and defence

8 December 2017
EU-NATO (15283/16)
European Council

Council Conclusions on the Implementation of the 8 July 2016 EU-NATO Joint Declaration.

6 December 2016
ITU-ENISA Regional Cybersecurity Forum
ITU; ENISA

Platform for strengthening regional cooperation, information sharing, and discussion on cybersecurity with particular focus on national cyber security strategies and national CSIRT/CIRT/CERT in terms of development approaches, good practices, challenges and opportunities.

29-30 November 2016
EU-NATO Joint Declaration
President of the European Council, President of the European Commission, SG of NATO

Cooperation in various areas, including cyber security and defence.

8 July 2016
EU-Malaysia Partnership and Cooperation Agreement (PCA)
Security Policy/Vice-President of the European Commission

Cooperation in the specific areas of justice and security, including cybersecurity

6 April 2016
EU-NATO Technical Arrangement
NATO Computer Incident Response Capability (NCIRC); CERT-EU

Facilitates technical information sharing between NCIRC and CERT-EU to improve cyber incident prevention, detection and response in both organisations, in line with their decision-making autonomy and procedures.

10 February 2016
Global Forum on Cyber Expertise, Member

A global platform for countries, international organizations and private companies to exchange best practices and expertise on cyber capacity building

2015 (established)