The EU's new Cybersecurity Act increases its measures to protect national sectors and markets from cyber attacks.

EU cybersecurity reform

The EU Cybersecurity Act aims to protect national markets and sectors from attacks. (Credit: Alexandros Michailidis/Shutterstock.com)

The EU’s new Cybersecurity Act, originally adopted in April 2019 and effective from June 2021, establishes a cybersecurity certification framework for products and services that promises to fundamentally reform how the issue is tackled across the bloc.

Martin Morris talks to Juhan Lepassaar, executive director at the European Union Agency for Cybersecurity (ENISA), about how the new regime will operate for companies, and whether heightened cooperation between business and government is expected in the longer term.

Cyberattacks are not new – and the European Union Agency for Cybersecurity should know. As ENISA itself reported recently, there were 230,000 new malware infections every day between January 2019 and April 2020.

Meanwhile, Europol’s 2021 Serious and Organised Crime Threat Assessment highlighted a “notable” increase in the number of ransomware attacks on public institutions and large companies.

Against this backdrop, increasing digitisation has meant that public administration, at both the national and EU levels, has come to rely on technology to carry out its core functions, a process that has been intensified by Covid-19.

Indeed the pandemic, which resulted in 40% of EU workers switching to remote working in early 2020, also provided increased opportunities for cybercriminals – including attacks on critical infrastructure. That is particularly so given the number of devices available to exploit.

Key to addressing this, the EU Cybersecurity Act is intended to advance trust through an EU-wide certification framework, which includes cybersecurity certification schemes and “common cybersecurity requirements and evaluation criteria across national markets and sectors”.

The act makes particular reference to internet of things (IoT) devices and related products, where the existing regime is deemed insufficiently developed from a cybersecurity standpoint – which in turn leaves organisational and business users without enough information on the cybersecurity efficacy of these products.

Fear of the unknown

However, while the new act will give companies the chance to certify their cybersecurity offerings, certification is currently voluntary – unless otherwise specified.

Indeed, in the case of ICT products and services with a low level of risk, Juhan Lepassaar, ENISA’s executive director, says they should be able to rely on self-assessment or third-party certification.

Yet if certification is seen as playing a crucial role in increasing trust and security across the digital world, it is also being undermined by the number of different security certification schemes for ICT products that currently exist across the EU.

So the absence of a common framework – such as EU-wide valid cybersecurity certificates embracing a common set of rules, technical requirements and so on – leads to an increasing risk of fragmentation and barriers between member states.

Lepassaar agrees, stating that the ultimate aim of the act and the framework around cybersecurity “is to strengthen trust in the connected economy, boost resilience and trust in the infrastructure and services and keep society digitally secure”.

He adds that the pandemic and the subsequent rapid digitalisation have meant that people quickly moved activities such as work, schooling, shopping and healthcare online.

More generally, Lepassaar points to the growing menace of cyberattacks, with malicious actors continually adapting to take advantage of the digital reality.

“Different types of attacks have been observed, such as business email compromises and credential stuffing attacks,” he explains.

“Ransomware attacks have increased too, particularly ransomware as a service, which has now become mainstream, with multiple high-profile cases.”

A case in point was the ransomware attack on Ireland’s healthcare system in May 2021, which demonstrated – if proof was needed – that the potential is always there for catastrophic consequences at the corporate level.

Increasing attack vectors

As Lepassaar unsurprisingly says, attacks have been increasing dramatically. That’s most clear with Covid-related email phishing attacks, which increased by 667% in just one month during the first lockdown.

Phishing describes the practice whereby an attacker sends a fraudulent message, designed to appear to come from a legitimate institution, to trick a victim into revealing sensitive information.

Logically, the more connected devices there are, the greater the likelihood of a successful phishing attack.

Indeed, connected devices already outnumber people on the planet, and their number is forecast to rise to 25 billion by 2025. Of these, an estimated one-quarter will be in Europe.

In response, Lepassaar invokes a Covid-19 analogy, arguing that individuals and companies need to improve their “digital hygiene”. In brief, that means increasing cybersecurity capabilities in order to be better prepared.

“Thus, one should be very cautious and suspicious of any emails asking to check or renew your credentials like passwords or pin codes even if it seems to come from a trusted source,” Lepassaar says, adding that “employees should always try to verify these types of requests through other means”.

He also suggests people should be suspicious of emails that ask them to open attachments or click on links. In the meantime, certification fragmentation across the EU remains the reality – and it’s not necessarily helpful for companies and their finance directors.

All the same, Lepassaar remains sanguine. “Drawing up cybersecurity certification schemes at the EU level aims at providing criteria to carry out conformity assessments to establish the degree of adherence of products, services and processes against specific requirements,” he says.

“Companies – users and service providers alike – need to be able to determine the level of security assurance of the products, services and processes they procure, make available or use.”

Indeed, ENISA has already delivered a draft scheme for ‘common criteria’ that can be used to protect chip and smart cards. Nor is his agency stopping there.

As Lepassaar explains: “We are developing an EU certification scheme for cloud services, and recently the agency has started preparations for a third scheme on 5G.”

“Certification is expected to remain voluntary for these goods or services at the ‘basic’ level,” he continues. But by 2023, he expects the EU to determine if certain existing schemes will become mandatory for high-risk ICT items.

National authorities

At present, national authorities are being tasked with conformity assessment, and with setting the related penalties for non-compliance with the certification schemes.

“The act allows each member state to determine penalties for non-compliance or violation of certification schemes,” Lepassaar reiterates. “Penalties are, however, required to be effective, proportionate and dissuasive.”

Noteworthy too is the fact that in March 2021 the European Council published its draft conclusions on the EU’s Cybersecurity Strategy for the Digital Decade.

It stated that while national security remains the sole responsibility of each member state, it also “acknowledges the importance” of strategic intelligence cooperation on cyberthreats.

That includes continued member state contributions to the EU’s Intelligence and Situation Centre (INTCEN), and supporting its work as the hub for “situational awareness and threat assessments” across the bloc.

Already, the EU is looking to protect key assets through another directive. Under new rules announced in December 2020, the remit of 2008’s European Critical Infrastructure directive expands.

This updated initiative covers strategically important sectors, including banking, energy, transport, as well as financial market infrastructures, health, drinking water, wastewater and digital infrastructure.

Under these proposals, moreover, member states would each be required to adopt a national strategy for ensuring the resilience of ‘critical entities’ by carrying out regular risk assessments, and ensuring they’re fit for purpose from a security standpoint.

Similarly, these latest proposals set out financial penalties for companies that don’t take their cybersecurity obligations seriously. These penalties are severe, to say the least, and range from €10m to 2% of a company’s global turnover.

Yet given these rules will need to be approved by EU member states, as well as the European Parliament, the likelihood is that the horse trading could drag on for years.

What’s clear to Lepassaar, at any rate, is that the Cybersecurity Act marks the dawning of a new age of cooperation between business and government across the EU.

That’s not only true, he adds, in terms of strengthening ENISA’s role in working with and protecting businesses – but also for improving collaboration and information sharing.

The act also means strengthening awareness efforts around cybersecurity issues – notably by collecting and analysing information on serious incidents, as well as by publishing reports and guidance for citizens, organisations and businesses.

In short, says Lepassaar, his organisation is developing “a ‘market observatory’ with regular analyses and information on the main trends in the cybersecurity market, on both the demand and supply sides”.

In the meantime, Lepassaar adds, the EU’s updated certification framework will deliver certification schemes recognised across all member states, making it easier for businesses to trade across borders and for consumers to understand the security features of a product or service.

In the development of such schemes, moreover, ENISA will set up ad-hoc working groups of experts which bring a wide range of skill sets to the table.

To put it another way, this is clearly a step in the right direction.

Yet as so often with the EU, the obvious question now is: how quickly will these changes actually happen? Like the future of cybersecurity more broadly, that remains to be seen.

This article originally appeared in Finance Director Europe winter 2021.