EU Cybersecurity strategy
The EU’s Cybersecurity Strategy (An Open, Safe and Secure Cyberspace) was published by the European Commission in 2013 to accompany the then proposed NIS Directive (Directive on security of network and information systems). It clarifies the principles that underpin cyber security policy both in Europe and internationally.
The EU’s Cybersecurity Strategy is expressed as five strategic priorities:
1. Achieving cyber resilience
In addition to improving cooperation between public authorities and the private sector to counter cross-border cyber threats, the EU’s Cybersecurity Strategy also recognises gaps in both national response capabilities and private sector involvement across the EU.
To mitigate these gaps, the Cybersecurity Strategy proposed both the NIS Directive, a law that has since come into force and extends the ENISA (European Network and Information Security Agency) mandate, and a range of awareness-raising initiatives regarding the importance of robust cyber security.
2. Drastically reducing cyber crime
The strategy urges “those Member States that have not yet ratified the Council of Europe’s Budapest Convention on Cybercrime to ratify and implement its provisions as early as possible.”
The Commission will support Member States as they strengthen their capability to combat cyber crime, and will work closely with the European Cybercrime Centre (EC3) within Europol and Eurojust to align new policy approaches with operational best practices, supporting EC3 as the European focal point in the fight against cyber crime.
3. Developing cyber defence policy and capabilities related to the framework of the CSDP (Common Security and Defence Policy)
In order to encourage the private sector to ensure effective cyber security, the Cybersecurity Strategy states that the Commission will stimulate the European market demand for highly secure products, albeit recognising that the majority of the leading global providers of innovative ICT products and services are located outside the EU.
In support of the European standardisation organisations’ ongoing standardisation work, the Commission will focus on supply chain security by supporting the development of relevant security standards.
4. Develop industrial and technological resources for cybersecurity
To compel organisations to adopt secure ICT solutions, the Commission planned to launch a “public-private platform on NIS solutions”, as well as determining a means for major ICT hardware and software providers to inform national competent authorities of identified vulnerabilities with significant security implications. This resulted in a number of working groups providing recommendations on a range of widely applicable best practices.
In addition, the Commission intended to develop “technical guidelines and recommendations for the adoption of NIS standards and good practices in the public and private sectors”, with the use of the Horizon 2020 Framework Programme for Research Innovation to foster R&D investments. This programme was launched in 2014.
5. Establish a coherent international cyberspace policy for the European Union and promote core EU values
The underlying objective of the EU Cybersecurity Strategy is to promote and develop a coherent EU international cyberspace policy that improves engagement with key international partners and organisations, civil society and the private sector.
International organisations active in the cyber field and third countries sharing EU security values will consult with the EU to achieve this end. This includes the OECD, UN, OSCE, NATO, AU, ASEAN, OAS and the Council of Europe. In addition, there will be further progress on cooperation between Europe and America – particularly in the context of the EU-US Working Group on Cybersecurity and Cybercrime, which was originally established to respond to the issues raised by Edward Snowden in relation to US surveillance programmes and their disregard for citizens’ privacy of information.
Improved global coordination requires robust corporate social responsibility and international initiative. The EU encourages the development of confidence-building measures in cyber security as opposed to introducing new international legal instruments.
The EU will focus on how to ensure that the International Covenant on Civil and Political Rights, the European Convention on Human Rights, and the EU Charter of Fundamental Rights are respected online and enforced in cyberspace, in addition to intensifying its efforts to strengthen CIIP (critical information infrastructure protection) cooperation networks by involving government and private bodies.
Roles and responsibilities
To comprehensively manage the cross-border nature of cyber attacks, the EU’s Cybersecurity Strategy recommends an approach spanning NIS, law enforcement and defence by insisting on a shared responsibility between NIS competent authorities, CERTs (Computer Emergency Response Teams) and law enforcement agencies in the EU. This would undoubtedly fortify cyber security on both a national and international level. Much of this cooperative element has now been enshrined in law through the NIS Directive.
At national level, Member States need to outline the roles and responsibilities of their appropriate national entities in their own cyber security strategies.
At EU level, the various organisations tasked with cyber security – including ENISA, Europol/EC3 and the EDA (responsible for NIS, law enforcement and defence respectively) – need to increase coordination and collaboration. The NIS Directive has established a formal cooperation framework for doing so.
Cyber security and ISO 27001
While both cyber and information security concern the protection of information, cyber security essentially only deals with security of digital information. Information security provides a broader scope, addressing hard copy documents, physical security and human error, as well as the management of digital data.
An information security approach that addresses people, processes and technology is essential to an effective security posture. Hardware and software solutions alone will be insufficient.
ISO 27001 provides an internationally accepted best-practice standard that sets out the requirements for a comprehensive ISMS (information security management system). It forms the foundation of every sophisticated cyber security risk management strategy, and many other standards rely on ISO 27001 frameworks and methodologies to deliver added value.
ISO 27001 is simple to follow, provides a comprehensive and logical approach to designing, implementing and managing an ISMS, and includes guidance for conducting risk assessments and applying risk treatments. ISO 27001 harmonises with other standards, so you can centralise and simplify disjointed compliance efforts, thereby removing the need for multiple audits.
A certified ISO 27001 ISMS not only improves an organisation’s security posture, but also provides greater assurance to customers and stakeholders alike that their information is securely protected – increasingly a requirement of many global and government contracts.
Why IT Governance?
A specialist in the information security and IT governance field, we have led more than 400 successful ISO 27001 certifications around the world, and our team of experts has a wealth of professional experience to draw on.
We have created a set of ISO 27001 packaged solutions to give European organisations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and for a budget appropriate to your individual needs.