EU Cybersecurity Package: New Potential for EU to Cooperate with NATO

The European Union’s new ambitious approach to cyber challenges could be a game-changer for its cyber posture as well as for the transatlantic and neighbourhood relations, concludes this analysis by Tomáš Minárik and Siim Alatalu of the NATO Cooperative Cyber Defence Centre of Excellence, the NATO-affiliated cyber defence think-tank. Nevertheless, the EU could make better use of existing expertise in NATO and individual Member States.

The following analysis does not represent the official views of NATO.

On 13 September 2017, the European Commission and the High Representative issued a Joint Communication to the European Parliament and the Council [JOIN(2017) 450 final], bearing the title Resilience, Deterrence and Defence: Building strong cybersecurity for the EU. It introduces an ambitious and comprehensive plan to improve cybersecurity throughout the EU. The Commission and the High Representative (HR) proposed a broad range of measures, divided into three areas – resilience, deterrence and defence:

‘The package reflects a renewed focus of the EU on defence and security issues in general. An example of this is the introduction of the notion of deterrence so prominently to the overall approach. The EU’s definition of deterrence in the Joint Communication context eventually appears different from the widely known definition of NATO and Allies. While some of the proposed measures could prove to be difficult to achieve in light of the specific nature of cybersecurity where Member States themselves, rather than the EU, are responsible for the operational issues, the comprehensive approach to cyber security on both the Union and the national levels, as laid out in the package, deserves credit‘, says Siim Alatalu of the NATO Cooperative Cyber Defence Centre of Excellence.

‘A risk in the proposed approach lies in the sheer number of planned activities, which could lead to a duplication of efforts on the ground and a dissipation of focus‘, adds Tomáš Minárik, researcher at NATO Cooperative Cyber Defence Centre of Excellence Law Branch.

The Joint Communication’s 18 pages provide an ample selection of proposals, of which the new mandate of ENISA (EU Agency for Network and Information Security), the cyber security certification framework and the cooperation with NATO stand out for their possible effect on how cyber business will be done in Europe in the coming years.

Some opposition can be expected from the EU member states: the Head of International Relations at Germany’s Federal Office for Information Security (BSI) has already criticised the package during the Cybersec Conference in Krakow on 10 October 2017, stating that EU member states should first focus on implementing the rules that have already been agreed, referring primarily to the Network and Information Security (NIS) Directive from 2016.

Renewed ENISA mandate needs further clarification

The update of ENISA’s mandate can be considered a logical development. ENISA, established only in 2004, has been the only EU agency with a fixed-term mandate and limited budget and staff, despite the ever-increasing role of IT-related concerns for nations and organisations globally. ENISA’s role has mainly been to provide expertise and advice rather than dealing operationally with cybersecurity. The Commission now proposes to give ENISA a permanent mandate to assist Member States in effectively preventing and responding to cyber-attacks. According to the European Commission, ENISA has only partially met its objectives, as previously set out in its strategy. It ‘has not fully succeeded in developing a strong brand name and gaining sufficient visibility to become recognised as ‘the centre of expertise in Europe’,[1] due to its broad mandate and insufficient resources. It has relied on external expertise over in-house expertise, which correlates with the difficulties in recruiting and retaining specialised staff and the limited ability to develop a long-term vision, owing again to the fixed-term mandate.

According to Tomáš Minárik, the EU has realised that fulfilling all the goals of cyber security will require substantial expansion of budget and manpower. ‘The Commission does not appear to trust the ENISA enough to give it all of the core functions, and it is trying to separate at least the most expertise-sensitive roles – research and capacity-building – and creating a specialised organisation or committee for each (the European Cybersecurity Research and Competence Centre and the EU Cyber Capacity Building Network)‘, says Minárik. The Joint Communication is notably silent on a possible location and tasking of the proposed Centre.

Cybersecurity certification framework:[2] too ambitious to be realised?

The voluntary cybersecurity certification framework encompasses the broad objective of having IT products with access to the EU market certified in terms of their cyber security, in which ENISA should play a significant role. This voluntary framework is expected to ensure security in critical or high-risk applications, widely deployed digital products and Internet of Things devices. The Commission will work to analyse the implications of liability raised by new digital technologies. Also, the effect of foreign acquisition on critical technologies is becoming a key aspect in the framework of screening foreign investments. From the global perspective, this seems to be quite a progressive plan.

‘The catch is that the rhetoric does not fully correspond with the content of the proposal: most notably, national cybersecurity certification schemes will cease to apply at a set time after the framework is adopted, and no new national schemes are to be adopted. The proposal does not explain how this would be in line with the voluntary nature of the framework‘, says Tomáš Minárik.

The certification framework is an ambitious goal which may result in a higher level of cybersecurity and consumer confidence throughout the EU; however, the risk is that the EU will eventually use it to raise a non-tariff barrier to external trade in ICT, which will lead to limited competition and higher prices for end users within the EU.

‘More regulation may mean more difficulties for small and medium enterprises. Also, some EU countries might use their clout in negotiating a level of regulation favourable to their companies, securing their position in the EU market at the expense of start-ups from less powerful EU countries‘, notes Minárik.

On a more positive note, as the EU is lagging behind the US in its digital economy (as the largest ICT companies are US or Asian), the certification framework may help develop its fledgling cybersecurity industry, and give it a better global negotiating position with respect to the issues of personal data protection, the right to privacy and trans-border access to data.

Also, a single EU-wide certification scheme would help businesses to reduce their administrative costs related to introducing their products to different EU countries. So far, there have not been too many requirements for products’ cybersecurity, which is of course changing with the introduction of the NIS Directive, the General Data Protection Regulation (GDPR), and the draft e-Privacy Regulation, so some standardisation effort is to be expected. According to the document, ‘the landscape of cybersecurity certification of ICT products and services in the EU is quite patchy’.[3] There are several national and international certification standards (such as ISO 15408) being adopted in different countries, which could lead to market fragmentation if left unchecked.

However, the plan is still very vague about any timelines or specific cybersecurity proposals, although a certain level of vagueness is necessary, since the certification framework should ideally be neutral with respect to concrete products. Three categories of products are identified (critical or high-risk applications, widely deployed digital products, and Internet of Things devices), so the approach may be gradual and will probably copy the scope of the NIS directive to begin with. If so, most of the IoT devices will be spared for now, unless they are part of critical infrastructure.

The role of the European Cybersecurity Certification Group,[4] which will consist of national certification supervisory authorities of all EU member states, remains unclear. It is supposed to represent the interests of states in the process of developing the framework by the Commission and ENISA and during its implementation. According to the plan, the national certification supervisory authorities will have the right to certify products or services for the whole EU (the ‘one-stop-shop’ principle), which is a similar approach to the one chosen for personal data protection. However, this approach is not without problems; national authorities may not be doing their job properly, as was shown in the Schrems case, or companies may try to make use of more liberal authorities in different countries, as in the Weltimmo case.

Unprecedented potential for EU-NATO cooperation

Subchapter 4.3 of the Joint Declaration, dealing with EU-NATO cooperation, is short and crisp. The EU-NATO joint declaration from the Warsaw Summit is mentioned, as is the technical arrangement between CERT-EU and NCIRC. There has been some modest cooperation: in 2017, the organisations were to exchange concepts on the integration of cyber defence aspects into planning and conduct of respective missions and operations, harmonise training requirements, reciprocally open training courses and exercises and foster research cooperation.[5]

Nevertheless, for two organisations that share many member states and have so much in common with regard to cyber policy challenges, the cooperation between the EU and the NATO is definitely underdeveloped, considering the mutually recognised potential.

One avenue that could be explored relates back to the new mandate of ENISA. ‘For an organisation that serves an international community, ENISA could be (further) empowered to allow it to engage in cooperation with the appropriate NATO counterparts. Whilst the agreement signed between CERT-EU and NCIRC (the EU’s and NATO’s institutional computer security incident response teams) brings together institutions that deal with the daily cyber defence of the two organisations, much of the research and broader developments for the constituent nations is done at ENISA (for the EU) and at NATO’s Allied Command Transformation and NATO-affiliated organisations, such as the NATO CCD COE. Therefore, activities like fostering cyber defence cooperation between ENISA, a potential new competence centre and the NATO CCD COE could be of natural mutual interest‘, concludes Siim Alatalu.

Furthermore, next to the Warsaw Declaration, there could be merit in an overall deeper dive into how the two organisations could enhance their practical cooperation in the areas that the Joint Declaration covers outside the particular EU-NATO cooperation scope. Referring to the Berlin Plus agreement of 2002, the EU could in principle rely on particular NATO capabilities for its operations. On the other hand, the European Defence Agency is leading capability development efforts for the EU, which in principle could benefit NATO as well.

The Estonian Presidency of the Council has already showed leadership by organising the first-ever cyber defence exercise for EU defence ministers. It is clear that it needs to become a routine, not only between member states, but also at the permanent institutions of the Union. In 2017, NATO and the EU have agreed to have a parallel and coordinated approach to running their crisis management exercises. There does appear to be further momentum for the EU to join forces with NATO when it comes to cyber exercises, such as through better coordination of and mutual attendance at the respective Cyber Europe and Cyber Coalition exercises.

This brief reflects the independent views of NATO CCD COE researchers. It does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre), Sponsoring Nations and Contributing Participants of the Centre or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this document.

For a more comprehensive overview of the EU Cyber Security Package, please also read the recent article on a dedicated website of the INCYDER project.

NATO Cooperative Cyber Defence Centre of Excellence is a Tallinn-based knowledge hub, research institution, and training and exercise centre. The international military organisation is a community of, currently, 20 nations providing a 360-degree look at cyber defence, with expertise in the areas of technology, strategy, operations and law. NATO CCD COE is the home of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. The Centre also organises the world’s largest and most complex international technical cyber defence exercise, Locked Shields.

The Centre is staffed and financed by its sponsoring nations and contributing participants. Belgium, the Czech Republic, Estonia, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, the Netherlands, Poland, Slovakia, Spain, Turkey, the United Kingdom and the United States are signed on as Sponsoring Nations of NATO CCD COE. Austria, Finland and Sweden have become Contributing Participants, a status eligible for non-NATO nations.