A Guide to Policy Making in Europ e’s Cyber Landscape

N o v e m b e r 2019

www.GlobalCyberPolicyWatch.com i Table of Contents

Executive Summary...... 1

An Overview of the ...... 2

The – Cybersecurity as a Priority...... 2

Notable Cybersecurity Developments...... 3

A Look Ahead to the ...... 4

Agenda...... 5

Commissioner-Elects...... 5

Conclusion...... 5 A Guide to Policy Making in Europe’s Cyber Landscape

Executive Summary As global cyber threats continue to develop and Cybersecurity risk is escalating and evolving in alter the cyber ecosystem, it is important for the our increasingly interconnected world. Attacks on European Commission to be willing and able to communications networks are not confined within tackle possible cyber threats. This issue brief aims borders and do not discriminate between end to explain the structure of the EU’s governing users. Cybersecurity continues to manifest itself as bodies, highlight the work that has been done a priority around the world. The thus far with respect to cybersecurity, and provide (EU), for example, has been working to get ahead of an overview of growth to expect from the new possible threats, positioning itself as a leader in the European Commission. digital community. Key Takeaways The cybersecurity of Europe is tied to the European Commission, one of the main legislative bodies of • The European Commission is the main driver of the the EU. The Juncker Commission, the European European Union’s policy direction Commission in office since November 1, 2014, is • The Juncker Commission transformed the European credited with launching a large project called the Commission’s approach to cybersecurity Digital Single Market (DSM). Since its inception in May 2015, this project has aimed to tear down • The Digital Single Market is driving a more unified regulatory barriers and create a single EU-wide digital marketplace for Europe and is developing cybersecurity measures to maintain integrity in the digital market, contributing 415 billion per new marketplace year in economic growth. In order to successfully execute the project, vast cybersecurity measures • The incoming von der Leyen Commission (set to have been – and must continue to be – taken to assume office on December 1, 2019) will expand upon these efforts and has proposed legislation to regulate guarantee its sustainability in the current era. hate speech, illegal content, and political advertising

December 1, 2019 will mark the beginning of a new European Commission: the von der Leyen Commission. This incoming legislative body is inheriting a Europe that is increasingly committed to understanding the cyber threats that countries will face in the 21st century. However, cyber risks are not, by nature, static. They are always progressing and becoming more complicated, making apparent the need for a unified response that transcends country lines. While the Juncker Commission has been working to establish the DSM and a cybersecurity framework to protect it, the von der Leyen Commission will need to fortify that framework to ensure the integrity of the DSM and other critical infrastructure.

1 An Overview of the The Juncker Commission – European Commission Cybersecurity as a Priority The European Commission helps shape the European As mentioned above, the primary project that Union’s (EU) overall strategy, proposes new EU laws the Juncker Commission has undertaken to push and policies, monitors implementation of legislation, Europe to the forefront of the digital world is the represents the EU internationally, and manages Digital Single Market (DSM). This project, which the EU budget. Heading the Commission is the was announced in May 2015, is the EU’s strategy Commission President, who leads 28 Commissioners, of connecting all of Europe to a single digital each responsible for a different portfolio of issues. market and asserting Europe as a world leader in the . The goals of the DSM are to Besides the European Commission, the other two provide better access for consumers and businesses main institutions involved in the EU legislative to digital goods and services across Europe; create process are the Council of the European Union, which the right conditions and a level playing field for represents the governments of each Member State, digital networks and innovative services to flourish; and the , which represents the and maximize the growth potential of the digital EU’s citizens through direct elections. The only body economy. The Commission also aims to prepare the allowed to propose legislation is the Commission, EU’s single market for the digital age by removing while the other two bodies approve or disapprove unnecessary regulatory barriers, such as incongruent of such bills through co-decision. Once legislation packaging, marking, and labeling requirements is passed, the Commission and Member States among the different EU nations. implement them, and the Commission ensures that the laws are implemented correctly. The aim of the Juncker Commission is to create a digital single market where the free movement of goods, However, the Council and Parliament wield a system persons, services, capital and data is guaranteed – of checks on the Commission. The and where citizens and businesses can seamlessly and nominates a Commission President to be elected by fairly access online goods and services, whatever their the newly-elected European Parliament. Once elected, nationality, and wherever they live. the Commission President selects one potential Commissioner from each Member State, who must In doing this, the Commission hopes to generate and then be accepted as a cohort by means of a majority support opportunities for start-ups and companies vote by both the Parliament and Council. to grow and innovate within Europe’s 500 million- person market. While the European Commission For the past five years, the European aspires to create this digital marketplace for Europe, cybersecurity plays a crucial role in the project’s goal. “ Commission has been one of In order to maintain faith in this new digital economy Europe’s main drivers of change that relies on seamless transactions over the internet, in the digital world. individuals and companies must have assurances that ” it won’t be easily disrupted by a cyberattack. Thus, implementing proper cyber hygiene is crucial to this For the past five years, the European Commission new project to safeguard it from vulnerabilities. By has been one of Europe’s main drivers of change in improving the cybersecurity of Europe and building the digital world. The impending end of the Juncker out its promise of a DSM, the Juncker Commission Commission demands a review of its successes has given EU citizens confidence in the promise of and strides in advocating for digital change and an online world. cybersecurity reform.

2 By improving the cybersecurity of On July 6, 2016, the Directive on security of network “ Europe and building out its promise and information systems (the NIS Directive) was instituted as the first EU-wide legislation on of a DSM, the Juncker Commission cybersecurity after the DSM was announced. The NIS has given EU citizens confidence in Directive provides legal measures to boost overall the promise of an online world.” cybersecurity by ensuring: • Member States are appropriately equipped with a has been serving as the Commissioner Computer Security Incident Response Team (CSIRT) on Research, Science, and Innovation. In this role, Network and a national NIS authority; he oversees Horizon 2020, a large fund charged with • Cooperation among Member States through a NIS investing nearly 80 billion euros in research and Cooperation Group in order to facilitate strategic innovation in the EU, spanning from 2014 to 2020. cooperation and exchange of information; and The fund is actually the 8th Framework Programme • A culture of security across sectors, including the (FP8) of the EU, which is centered on innovation, energy, transport, water, banking, financial, and delivering economic growth faster, and delivering healthcare sectors. solutions to end users – typically government agencies. Horizon 2020 recognizes that security in The NIS Directive has had the positive effect of Europe has evolved beyond conventional preservation encouraging organizations to address cybersecurity tactics. One of the project’s goals is to protect people issues. One of the most important things to come and structures from cyberattacks. out of this Directive was that it formalized the Commission’s work on improving the cybersecurity In order to ensure that Europeans and the global of the EU. A cybersecurity framework takes time to community have trust in the DSM, the Juncker fully develop, but the incremental steps taken by Commission has used the funding of Horizon 2020 to the Commission since the NIS Directive effectively ensure proper cybersecurity practices to safeguard the increased awareness around the importance of longevity of the ongoing DSM project. Additionally, cybersecurity while beginning to mitigate the Commission has already drafted and approved of future threats. the follow-up to Horizon 2020… Horizon Europe. This signals a continued promise to invest in In the subsequent year, on September 17, 2017, the EU scientific and research initiatives, despite an Commission released the Cybersecurity Act. Upon organizational transition. Spending is expected to see releasing the Act, President Juncker stated, “In the an increase by 50% over 2021 through 2027. past three years, we have made progress in keeping Europeans safe online. But Europe is still not well equipped when it comes to cyberattacks. This is Notable Cybersecurity Developments why, today, the Commission is proposing new tools, In order to secure the DSM and protect Europe including a European Cybersecurity Agency, to help from debilitating cyberattacks, the Juncker defend us against such attacks.” Commission recognized the need to get cybersecurity legislation passed, create and strengthen protective The Cybersecurity Act had two main features. organizations, and evaluate these systems to ensure First, it strengthened the European Union Agency for their fortitude. Cybersecurity (ENISA) by allocating more resources to the agency and assigning it with new tasks, such as mandating and supporting an EU-coordinated effort in the event of a cross-border cyberattack. ENISA also assumed the role of secretariat of the national CSIRTs Network. Second, the Act introduced a new EU-wide cybersecurity certification framework for information and communications technology (ICT) products, services, and processes. By creating these assurances, the Commission believed that trust in and security of the DSM would be augmented. 3 The Commission further strengthened cybersecurity By December 31, 2019, the NIS awareness and preparedness through the “ Cooperation Group is expected to implementation of free and fair elections. In September 2018, a recommendation by the have agreed upon a diplomatic toolkit Commission noted, “2019 will be the first European of measures to address and mitigate Parliament election in the changed security the risks identified at both the environment.” The Commission understood that the national and EU levels. new cyber-ecosystem brings forth greater challenges ” and cited that “cyber incidents including cyberattacks Following the assessment’s release, Member States targeting electoral processes, campaigns, political are now agreeing on measures that can be used at a party infrastructure, candidates or public authorities’ national level, including certification requirements, systems have the potential to undermine the integrity tests, controls, and identification of the products or and fairness of the electoral process and citizens’ suppliers that are considered potentially non-secure. trust in elected representatives that relies on free By December 31, 2019, the NIS Cooperation Group is elections.” The Commission proposed that Member expected to have agreed upon a diplomatic toolkit of States maintain transparency by encouraging entities measures to address and mitigate the risks identified to disclose the origin of paid political messages to at both the national and EU levels. Ultimately, by counter disinformation. It also recommended that October 1, 2020, Member States are expected to each Member State’s “national election cooperation reconvene to assess the efficacy of the measures they network” work with one another and exchange would have – at that point – been taking over the information on election threats. past year. In November 2018, a Eurobarometer survey revealed that 61% of Europeans worry that cyberattacks might manipulate elections. Ahead of the May 2019 A Look Ahead to the EU Parliamentary elections, over 80 representatives von der Leyen Commission from EU governments, as well as observers from On July 16, 2019, the European Parliament elected the European Parliament, European Commission, as the next President of the and ENISA, tested the EU’s response to potential European Commission. She will follow on all that the cybersecurity incidents that might affect the Juncker Commission has set forth during a period elections. This evaluation was influential because it of transition into an increasingly digital world. demonstrated to EU citizens that their elections would It is nearly time for the incoming von der Leyen be secure; it was intended to provide peace of mind. Commission to assume the growing cybersecurity With Russia reportedly having attempted to meddle responsibilities of the DSM project, as well as the in the European Parliament’s May elections, prior security of the EU. testing of election security was well-founded.

In the past year, the Juncker Commission has also been hard at work establishing regulations around fifth generation (5G) networks. In March 2019, the European Commission released its recommendations for how the EU should approach 5G in order to establish a secure network. The Commission proved its commitment to abiding by this proposal when it released a coordinated risk assessment of 5G network infrastructure in October 2019. In tandem with ENISA and Member States, this high-level report is the EU’s most recent effort to adopt a common approach toward securing Europe’s 5G networks.

4 Agenda Also in the administration are Commissioner , who will oversee Horizon Europe (which In von der Leyen’s agenda for Europe, she writes, will succeed the Horizon 2020 initiative) and Thierry “Europe must lead the transition to a healthy planet Breton of , who will continue working to and a new digital world. But it can only do so by promote the DSM. Focusing exclusively on security bringing people together and upgrading our unique policy and heading the “Stronger Europe in the social market economy to fit today’s new ambitions.” World” portfolio will be . During his She continues by proposing a Digital Services hearing before the European Parliament, Borell Act, which would overhaul how the EU treats tech stated, “Today’s geopolitical conflicts do not take companies by giving the EU legal powers to regulate place mostly in the trenches in the battlefield, but hate speech, other illegal content, and political mainly in the cyberspace.” These defined priorities advertising. This act would allow EU policymakers across leaders and across countries reveal a shared to draft specific rules to target all parts of the tech desire for a renewed focus on cybersecurity, starting sector, including ISPs, search engine giants, cloud from day one. services, and social media giants. von der Leyen’s claim is that a new will improve the EU’s “liability and safety rules for digital The European Union is an obvious platforms, services and products, and complete “ strategic partner of the U.S., and [the EU’s] Digital Single Market.” its own position on cybersecurity Additionally, she makes a brief mention of a desire has spillovers into our domestic to establish a Joint Cyber Unit, which would focus on network, ranging from economic risks emerging from digitization. The establishment to security concerns. of a Cyber Unit is intended to speed up information ” sharing and better protect Europe from external interference. Conclusion Another important aspect of this agenda is her plan to establish a European Democracy Action Plan. This It is exceedingly important to garner a comprehensive plan would work to address the threats of external understanding of the actions being taken by both intervention in European elections. Her plan also allies and adversaries in the cyber environment. The wants to increase transparency on paid political European Union is an obvious strategic partner of advertising and issue clearer rules on financing of the U.S., and its own position on cybersecurity has European political parties. This is crucial considering spillovers into our domestic network, ranging from that six EU Member States will hold general elections economic to security concerns. The EU has established in 2020. its leadership and commitment through the proposal and enforcement of a number of cyber-related policies introduced by the European Commission. Commissioner-Elects von der Leyen’s agenda lays out new steps that build Cybersecurity has proven to be a bipartisan issue. upon the Juncker Commission’s previous work. Her There is much to anticipate in the upcoming years; appointed Commissioners have stated that they will beyond the excitement of technological advances continue the high-priority projects first started by the such as a more accessible digital marketplace and Juncker Commission. 5G capabilities, there is a new Commission that is situated to pursue these innovations and protect its Appointee Margethe Vestager will oversee “A Europe citizens in the process. The viability and longevity of Fit for the Digital Age” portfolio. During her hearing, the cybersecurity objectives initiated by the Juncker Vestager said that her main priority would be “to Commission are dependent on the incoming von der ensure that technological progress and digital Leyen Commission’s ability to recognize and adapt transformation serve citizens and respond to society’s to the evolving threat landscape. needs.” In addition, she will work to ensure that the Digital Services Act does what it is proposed to do. 5