The EU’s Cybersecurity Strategy (An Open, Safe and Secure Cyberspace) was published jointly by the European Commission and the High Representative of the European Union for Foreign Affairs and Security Policy in 2013 to accompany the proposal for the NIS (Network and Information Security) Directive. It “clarifies the principles that should guide cybersecurity policy in the EU and internationally.”
The EU’s Cybersecurity Strategy is expressed as five strategic priorities:
1. Achieving cyber resilience
The strategy proposes greater cooperation between public authorities and the private sector to counter cross-border cyber threats and contribute to a coordinated response in emergency situations.
It also recognises that, despite existing legislation and “progress based on voluntary commitments, there are still gaps across the EU, notably in terms of national capabilities, coordination in cases of incidents spanning across borders, and in terms of private sector involvement and preparedness”.
To address these gaps, the strategy proposes the NIS Directive, as well as a new regulation to extend the mandate of the European Network and Information Security Agency (ENISA). Various awareness-raising initiatives are also proposed to publicise the need for effective cyber security.
2. Drastically reducing cyber crime
The strategy urges “those Member States that have not yet ratified the Council of Europe’s Budapest Convention on Cybercrime to ratify and implement its provisions as early as possible.”
The Commission will support Member States as they strengthen their capability to combat cyber crime, and will work closely with the European Cybercrime Centre (EC3) within Europol and Eurojust to align new policy approaches with operational best practices, supporting EC3 as the European focal point in the fight against cyber crime.
3. Developing cyber defence policy and capabilities related to the framework of the Common Security and Defence Policy (CSDP)
To increase the cyber resilience of information systems that support Member States’ defence and national security interests, the strategy proposes that cyber defence capability development “should concentrate on detection, response and recovery from sophisticated cyber threats”.
Enhanced synergy “between civilian and military approaches in protecting critical cyber assets” is encouraged, as is support “by research and development, and closer cooperation between governments, [the] private sector and academia in the EU.”
An EU cyber defence policy framework will be developed, cyber defence training and exercises will be improved, and dialogue and coordination between international partners, including NATO, will be promoted in order to “ensure effective defence capabilities, identify areas for cooperation and avoid [the] duplication of efforts”.
4. Develop industrial and technological resources for cybersecurity
Recognising that “many of the global leaders providing innovative ICT products and services are located outside the EU”, the strategy states that the Commission will stimulate a “Europe-wide market demand for highly secure products” in order to provide incentives for the private sector “to ensure a high level of cyber security”.
The Commission “will support the development of security standards”, with work focusing on supply chain security, in support of the ongoing standardisation work of the European Standardisation Organisations.
The Commission will launch “a public-private platform on NIS solutions to develop incentives for the adoption of secure ICT solutions”, and will examine “how major providers of ICT hardware and software could inform national competent authorities [of] detected vulnerabilities that have significant security implications.”
The Commission will develop “technical guidelines and recommendations for the adoption of NIS standards and good practices in the public and private sectors”, and will also use the Horizon 2020 Framework Programme for Research Innovation to foster R&D investments and stimulate innovation to fight cyber crime.
5. Establish a coherent international cyberspace policy for the European Union and promote core EU values
The strategy states that the Commission, the High Representative and the Member States will work towards a coherent EU international cyberspace policy to increase engagement with key international partners and organisations, as well as with civil society and the private sector.
The EU will consult with international partners on cyber issues, particularly third countries that share EU values and organisations that are active in this field (such as the Council of Europe, OECD, UN, OSCE, NATO, AU, ASEAN and OAS). Cooperation with the US will be further developed, notably in the context of the EU-US Working Group on Cyber-Security and Cyber-Crime, which was originally established to address issues relating to the US surveillance programmes revealed by Edward Snowden, and their impact on EU citizens’ personal data.
In order to promote cyberspace as an area of freedom and fundamental rights, the EU should promote corporate social responsibility and launch international initiatives to improve global coordination in this field. It should also encourage the development of confidence-building measures in cyber security – rather than new international legal instruments – to increase transparency and reduce the risk of misperceptions in state behaviour.
The EU will focus on how to ensure that the International Covenant on Civil and Political Rights, the European Convention on Human Rights, and the EU Charter of Fundamental Rights are respected online and enforced in cyberspace.
The strategy also declares that the EU should intensify its ongoing efforts to strengthen Critical Information Infrastructure Protection (CIIP) networks involving governments and the private sector.
Roles and responsibilities
Given the cross-border nature of cyber threats, the strategy proposes a shared responsibility among NIS-competent authorities, Computer Emergency Response Teams (CERTs) and law enforcement agencies in the EU to strengthen national and international cyber security. It suggests an approach that spans NIS, law enforcement and defence:
Member States should set out the roles and responsibilities of their appropriate “national entities” in their own cyber security strategies.
At EU level, a number of organisations deal with cyber security. ENISA, Europol/EC3 and the EDA (European Defence Agency) are responsible for NIS, law enforcement and defence respectively, and coordination and collaboration between these agencies is encouraged. Once implemented, the proposed NIS Directive will establish a formal cooperation framework.
Cyber security and ISO 27001
Despite having absorbed many of the measures normally associated with information security, cyber security really only addresses the security of digital information. Information security is a broader approach that addresses the security of information in all forms and covers paper documents, physical security and human error as well as the handling of digital data.
In order to achieve an effective cyber security posture, organisations must realise that hardware and software solutions alone are not enough to protect them from cyber threats and that a broader information security approach is needed. The three fundamental domains of effective information security are people, process and technology.
ISO 27001 is the internationally recognised best-practice standard that lays out the requirements of an ISMS (information security management system) and forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO 27001 in order to deliver their specific added value.
Organisations with multiple compliance requirements often seek certification to ISO 27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts; it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO 27001 certification.
The latest version of the Standard, ISO 27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO 27001:2013 has been developed to harmonise with other standards, so auditing against other ISO standards becomes an integrated and smooth process, removing the need for multiple audits.
Furthermore, the additional external validation offered by ISO 27001 certification is likely to improve an organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
Start your journey to being cyber secure today
IT Governance has a wealth of security experience. For more than 15 years, we’ve helped hundreds of organisations with our deep industry expertise and pragmatic approach.
All our consultants are qualified and experienced practitioners, and our services can be tailored for organisations of all sizes.