On Wednesday the EU Commission presented a new cybersecurity strategy together with the EU foreign affairs officer Josep Borrell. The commission takes the cyber war scenario seriously and is already working with the member states on “building operational capacities for prevention, deterrence and reaction” against major hacker attacks, it said. A “common cyber unit” is being prepared.

Preparing for malicious attacks This cyber unit is intended to strengthen the IT skills of “defense circles in the field of cybersecurity” and law enforcement agencies in cooperation with “civil and diplomatic communities”. Borrell also wants to submit proposals for an “EU toolbox for cyber diplomacy” in order to prevent malicious attacks, especially on the critical infrastructure, supply chains and democratic institutions and processes.

The EU also wants to work to improve cooperation in the field of cyber defense and to develop state-of-the-art skills in this area. According to the strategy, it will build on the work of the European Defense Agency and call on the Member States to make full use of military cooperation and the EU Defense Fund. The EU has recently had its own sanctions regime against IT attacks, which was recently used because of the hacker attacks on the Bundestag.

“The time of innocence is over,” declared the European Lifestyle responsible commission vice-president Margaritis Schinas according to a report of the FAZ at the presentation of the agenda. “We know we are a target”. It is now a matter of “withstanding attacks and responding to them”. Internal Market Commissioner Thierry Breton therefore emphasized: “We have to arm ourselves for this new war.” He did not want to comment on possible counter-attacks in the form of the hackbacks, which are highly controversial in this country. This is confidential and a matter for the Member States, who are working hard on it.

Hundreds of attacks in Europe According to the Commission, the EU 2019 around 450 attacks on critical infrastructures (Kritis) such as the energy and water supply sectors , Information and communication technologies, health, transport and finance. The federal government recently referred to significantly more cyber attacks on clinics and utilities. Schinas lamented the “first cyber death in Europe” after a hacker attack on the Düsseldorf university clinic. Just last week, cyber criminals had targeted the European Medicines Agency and risked delays in testing vaccines against Covid – 19.

With the package, the Commission also proposes a reform of the Network and Information Security (NIS) Directive. The aim of the planned “measures for a high common level of cybersecurity” is to improve the resilience of critical public and private sectors. The Brussels executive body has its eye on hospitals, energy networks, railways, data centers, public administrations, research laboratories and other Kritis operators.

A “cybersecurity shield” for Europe More areas are to be covered than before, for which higher security requirements also apply. According to the plan, supply chains and relationships between the providers will be recorded for the first time. Reporting obligations are to be simplified and the supervision and enforcement of the necessary activities improved, for example through a uniform sanctions framework.

The Commission is also outlining a network of security intervention centers across the EU using artificial intelligence (AI). The aim is to put a “cybersecurity shield” across the EU with the ability to recognize early signals of impending hacker attacks and to act preventively. In addition, there is to be a new directive on the “Resilience of Critical Facilities”. This is intended to expand the obligations for Kritis operators that have existed since 2008, including the classic areas such as space travel and public administration as a whole. Member States must therefore define national strategies to ensure the resilience of critical institutions and carry out regular risk assessments.

On the basis of a report on the 5G toolbox, the Commission also urged EU countries to step up efforts to reduce “exposure to To minimize high-risk providers and to avoid the dependency “on such suppliers as Huawei. The two draft directives still have to be coordinated with the EU Parliament and the Council of Ministers. It is already certain that the planned IT Security Act 2.0 will not last long and that Germany will soon have to readjust it again. The eco-Verband der Internetwirtschaft therefore demands that the work on “NIS 2.0” be awaited immediately.

(mho)