The ambition of European Union Member States on the ‘cybersecurity package’


The European Commission (EC) presented, on the 13th of September 2017, a set of measures related to cybersecurity - known as the ‘cybersecurity package’ - which consists of a roadmap regarding digital security for the European Union.

The twenty-eight Member States of the European Union adopted, on the 20th of November, the conclusions of the Council, setting out a first opinion on the ‘cybersecurity package’.

The twenty-eight Member States welcome the ‘cybersecurity package’ of the EC, which lays down a clear path for the European Union in the area of cybersecurity: promoting European strategic autonomy. This objective has been strongly supported by ANSSI for many years. This path includes major milestones.

 

A new ENISA in support of the Member States

The Member States welcome the proposal to grant ENISA – the European agency in charge of network and information security – a reinforced mandate which defines its main objectives:

  • support and enhance the cooperation between the EU Member States,
  • support the Member States in their efforts to reinforce their own capacities in terms of governance, operational and financial resources,
  • contribute more generally to the reinforcement of the citizens’ trust in a digital Europe.

 

A future European framework relying on the existing expertise within the EU regarding security certification

The EC is proposing the creation of a European security certification framework aiming at evaluating digital security within the EU. The Member States are calling for an ambitious approach based on a reliable, transparent and independent process.

In order to raise the level of security within the EU, it is crucial that this framework covers all the security levels, up to the highest ones. For these highest levels, the resistance of the products to attacks shall be proven.

As a consequence, the cumulative expertise of the Member States and of the European industry, which has been recognised worldwide for more than twenty years, will be essential in the certification governance.

 

ANSSI: a strong supporter of European strategic autonomy regarding digital security

ANSSI, which has been promoting European strategic autonomy for many years, welcomes the EC roadmap. This proposal clearly underlines that digital security has now become a major challenge for the EU. The overall package presents positive work streams for the years to come.

  • As regards the revision of ENISA’s mandate, ANSSI, which chairs the management board, calls for an agency with an ambitious mandate and reinforced missions where the European level brings real added value, in particular to:
    • support the Member States in their efforts to reinforce their capacities, according to the provisions of the NIS directive;
    • support the cooperation between EU Member States, for example within the network of cyber security incident response teams (CSIRTs) of the Member States.
  • Last but not least, as regards the creation of the European security certification framework, ANSSI welcomes the choice made by the EC to implement within the EU a scheme which has been used by many pioneering Member States, among them France and Germany, for more than 20 years.

Security certification is a key element to reinforce digital security and trust within the EU; ANSSI will seek to promote an ambitious European security certification framework, which will fully benefit from the feedback of the pioneer Member States.

 


 

The content of the ‘cybersecurity act’

 

  • A joint communication from the European Commission and the High Representative for external action entitled “Resilience, deterrence and defence: building strong cybersecurity for the EU”;
  • A proposal for a regulation which contains within the same document a permanent mandate for ENISA and the creation of a European security certification framework;
  • A recommendation on a Coordinated Response to Large Scale Cybersecurity Incidents and Crises;
  • And a communication “Making the most of NIS – towards effective implementation of Directive”.

 
