EU publishes new Cybersecurity Strategy and related legislative proposals

The European Commission (EC) and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy for the Digital Decade. The strategy contains proposals for deploying regulatory, investment, and policy instruments to address three areas of EU action: (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace. The strategy also commits the EU to unprecedented levels of investment in the EU’s digital transition over the next seven years, potentially quadrupling previous levels.

Additionally, the EC has adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive). The proposal responds to an evolved cybersecurity landscape and expands the scope of the current NIS Directive by adding new sectors based on their criticality for the economy and society. It also eliminates the distinction between operators of essential services and digital service providers, addresses security of supply chains and supplier relationships, and enhances the role of the Cooperation Group in shaping strategic policy decisions on emerging technologies and new trends.

The EC further unveiled the proposal for a Directive on the Resilience of Critical Entities, a new directive to ensure that critical entities are able to prevent, resist, absorb and recover from disruptive incidents. All critical entities identified under this directive would be subject to cyber resilience obligations under NIS 2.

The proposal covers ten sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Under the draft, EU Member States would have a strategy for ensuring the resilience of critical entities, carry out a national risk assessment and, on this basis, identify critical entities. A Critical Entities Resilience Group, a group of experts, would facilitate cross-border cooperation between the EU Member States.

The EC also published an impact and progress report on 5G technologies.