Whether it’s cloud computing or artificial intelligence (AI), many companies are hesitant to use it because they don’t know exactly what to look for in data security and privacy. Not that it’s not the case that there are hardly any EU directives and regulations addressing privacy and security issues in cyberspace, quite the contrary.
One could almost say that the lamented legal uncertainty is not due to too little legal guidance, but to the large number of regulations and directives that the EU discusses, works on, adopts and puts into force.
Many companies therefore want guidance, in the area of data protection, for example, from the data protection supervisory authorities. With regard to the GDPR (General Data Protection Regulation), more than three quarters (78 percent) of companies now say that legal uncertainty is the biggest challenge, compared with just 68 percent two years ago, according to the Bitkom digital association. Too many changes or adjustments to the requirements are a complaint of 74 percent, up from 59 percent in 2019, while inconsistent interpretation within the EU is hampering 52 percent. In addition, two-thirds (66 percent) criticize a lack of implementation support from data protection regulators, compared with 53 percent two years ago.
For the necessary orientation in the area of cybersecurity, it can help, for example, to take a closer look at the EU’s vision and strategy in this area. Then the connections between all the regulations and directives will become clearer.
How the EU Sees Cyberspace
First, understand how the EU sees cyberspace as a whole: Cyberspace has become an arena for geopolitical competition, and therefore the EU must be able to respond quickly and forcefully to cyberattacks such as state-sponsored malicious cyber activities targeting the EU and its member states and make full use of all its tools, according to the Council of the European Union. Hostile actors need to be aware that cyberattacks against member states and EU institutions will be detected early, identified promptly, and countered with all necessary tools and measures, it said.
In addition, the Council highlights, among other things, these functions of the EU in the cyber domain: strengthening resilience and protection capacities, strengthening solidarity and comprehensive crisis management, improving cooperation with partner countries and international organizations to prevent, deter and respond to cyber attacks.
Among other things, the Council invites the EU Commission to propose common EU cybersecurity requirements for networked devices and related processes and services, invites relevant authorities such as the EU Cyber Security Agency (ENISA) to formulate recommendations to strengthen the resilience of communication networks, and stresses the importance of establishing regular cyber exercises to test and develop the EU’s internal and external response to large-scale cyber incidents.
Cybersecurity as part of the Strategic Compass
The EU’s cybersecurity requirements should also always be seen in conjunction with the Security and Defense requirements as a whole. For example, the Council formally endorsed the so-called Strategic Compass at a time when the return of war is being experienced in Europe, according to the Council of the EU.
The compass provides the European Union with an ambitious action plan to strengthen the EU’s security and defense policy until 2030. The more hostile security environment requires a quantum leap forward and an increase in capability and readiness to act, strengthen resilience, and invest more and better in the EU’s defense capabilities, it said.
The goal of the Strategic Compass, he said, is to make the EU a stronger and more capable security provider. The EU must be able to protect its citizens and contribute to world peace and security, he said.
The Strategic Compass also contains explicit statements on cyber security. Accordingly, in order to strengthen its ability to anticipate, defend against, and respond to current and rapidly emerging threats and challenges and to safeguard the EU’s security interests, the EU intends to further develop the Cyber Diplomatic Toolbox and establish an EU Cyber Defense Policy to be better prepared and better able to respond to cyber attacks.
The Cyber Diplomacy Toolbox will provide a way to coordinate EU member states’ response to malicious cyber activity at the EU level
The EU will also provide additional incentives for member states to engage in joint capability development and invest jointly in strategic enablers and next-generation capabilities for land, sea, air, cyberspace, and space operations.
Cybersecurity Should and Will Be Significantly Strengthened
Cyber space has become the fifth domain of warfare alongside the traditional domains of sea, land, air and space, according to the European Parliament. With digitalization and the greater technological interconnectedness of societies, the threat of cyberattacks is increasing, it said.
The European Parliament’s Foreign Affairs Committee (AFET) stressed the need to strengthen cyber defense capabilities as early as July 2021, and had indicated that this would require increased cooperation between all relevant EU agencies and other entities, as well as with NATO.
The committee’s report welcomed the European Defense Agency’s efforts in this area and noted that EU initiatives to develop defense capabilities can help improve cyber preparedness, crisis response, and cooperation.
Thus, when regulations and directives (such as NIS-2 Directive, the updated Better Protection of Network and Information Systems Directive, and the “Critical Facilities Resilience Directive” (CER)) tighten cybersecurity and resilience requirements, this should be understood in the context of this EU Strategy for a Secure Cyber Space.
There is no doubt that there will be a further significant strengthening in EU cybersecurity, a development that will and must also contribute to greater cybersecurity in the economy and society. Cyber space is seen as a place of geopolitical competition and warfare, and accordingly one must expect armament and strict regulation here as well.