Chapter 6

The European Union’s Role in Cybersecurity

How to Watch and Read this Chapter

The main objective of this chapter is to give you an overview of the main institutional actors that have a role in the formulation and implementation of the EU's cyber security mission, as well as an advanced understanding of the Union’s cyber security policies.

Cyber Security in the EU: Policy and Institutional Framework

In this video lecture, you will learn about:

  • the main “foundational” policies of the European Union in the digital and cyber security field
  • the main institutions and organizations with a prominent role in the making and execution of EU digital and cyber security policies

The NIS Directive and the Cyber Security Act

The Directive on security of network and information systems (the NIS Directive) entered into force in August 2016 with the aim of increasing the overall level of cybersecurity across the EU.

The main provisions of the directive are:

  • identification of operators of essential services (i.e. critical infrastructures)
  • adoption of national cyber security strategies
  • designation of national competent authorities and a single point of contact
  • establishment of Computer Security Incident Response Teams (CSIRTs)
  • creation of the Cooperation Group among member states, ENISA and the Commission
  • establishment of the EU CSIRTs network
  • security requirements and incident notification for digital service providers

The Regulation on ENISA and on information and communications technology cybersecurity certification (the Cyber Security Act) came into force in June 2019. The regulation …

  • … gave a new mandate to ENISA, the EU agency for cyber security. The Agency was granted a permanent mandate and was given new tasks. In particular, ENISA will have a key role in the establishment of a cyber security certification framework and in enhancing operational cooperation in the EU in the wake of EU-wide cyber security attacks.
  • … introduced a cyber security certification framework, intended as an EU-wide rule for cyber security certifications. Various schemes will specify the purpose and the security standards that should be met and the evaluation methodology.

5G Security in the EU: the 5G Toolbox

Against the backdrop of increasing fears related to the roll-out of foreign 5G technology in EU countries, in January 2020 the Commission released the 5G toolbox with a view to providing a coordinated EU approach to the secure deployment of 5G.

The toolbox is addressed to member states, the Commission and the NIS cooperation group.

Member states should:

  • strengthen security requirements
  • apply restrictions to high-risk suppliers
  • avoid any major dependency on one supplier by adopting a multi-vendor strategy – especially, avoid major dependencies on high-risk suppliers

The Commission, together with Member States, should:

  • maintain a diverse 5G supply chain by making use of instruments such as the screening of potential foreign investments concerning 5G assets and further strengthening EU capacities in 5G and post-5G technologies
  • develop relevant EU certification schemes so as to ensure a high level of security standardization

The NIS Cooperation Group should:

  • periodically review the national and EU risk assessments on the security of 5G and post-5G networks
  • monitor and evaluate the implementation of the toolbox
  • coordinate and support the implementation of supporting actions aimed at the elaboration of guidance and exchange of best practices
  • continue convergence of technical and organizational security requirements for network operators

Tackling Terrorism Online: EU Approach on Preventing Terrorist Content Online

In 2018, the European Commission submitted a proposal for the prevention of terrorist content online. The proposal foresees:

  • Terrorist content should be removed in one hour following a removal order by national authorities.
  • Hosting services should take proactive measures to better protect their services and users from terrorist content.
  • Service providers and member states should designate 24/7 points of contact to follow up on removal orders.
  • Safeguards to handle complaints related to erroneous removals should be created.
  • Hosting services and member states will have to report their actions in transparency and accountability reports.
  • Systematic failures to deal with removals result in strong penalties.

“My Commission has prioritised security from day one – we criminalised terrorism and foreign fighters across the EU, we cracked down on the use of firearms and on terrorist financing, we worked with internet companies to get terrorist propaganda offline and we fought radicalisation in Europe’s schools and prisons. But there is more to be done.”

Jean-Claude Juncker, State of the Union Address, Strasbourg, 2016

EU Cyber Diplomacy and Capacity Building

The main goal of EU cyber diplomacy is to preserve a free, open and secure cyberspace, considered as the backbone of modern societies.

Free means promoting and protecting human rights and fundamental freedoms in cyber space.

Open means a cyber space that is universal, affordable and to which everyone has equal access.

Secure means having a safe environment in which cyber security measures are strengthened and cooperation against cyber crime is improved. This also means increasing resilience against cyber attacks through diplomatic and legal tools.

EU cyber diplomacy’s main objective is to make sure the main stakeholders around the world understand the importance of a free, open and secure cyber space. This is done through:

  • protecting human rights and fundamental online freedoms
  • enhancing competitiveness, growth and prosperity
  • promoting sustainable digital development in third countries
  • promoting a rule-based cyber space
  • shaping rules of internet governance
  • engaging with key partners.

In focus: Cyber security capacity building

The EU is an active player in building cyber security capacity both within its borders and outside. The main lines of action of EU external capacity building are:

  • supporting national cyber strategies
  • increasing capacity of the justice systems
  • increasing incident handling
  • developing education, professional training and expertise as well as awareness
  • applying a whole society approach.

In 2018, the EU published the Operational Guidance for the EU’s International Cooperation on Cyber Capacity Building and in 2019 funded a large-scale project called Cyber4Dev with a geographical focus on Africa and South Asia.

EU Cyber Measures in Foreign, Security and Defence Policy

In this video lecture, you will learn about:

  • the Cyber Diplomacy Toolbox
  • the Cyber Defence Policy Framework

EU and NATO Cooperation on Cyber

Key moments

  • February 2016: Technical Arrangement between the NATO Computer Incident Response Capability (NCIRC) and the Computer Emergency Response Team of the European Union (CERT-EU) was signed.
  • July 2016: The European Council and NATO signed the Warsaw Declaration, which foresaw enhanced cooperation between the EU and NATO in 7 concrete areas, including cyber security.
  • 2016 and 2017: A common set of proposals was endorsed by the EU and NATO.
  • July 2018: A second Joint Declaration was signed in Brussels calling for further and demonstrable progress in the implementation of the set of proposals.
  • June 2019: A fourth progress report on EU-NATO cooperation was released.

Cooperation on cyber security and defence has been concentrating on:

  • exchanges on doctrine development
  • participation in cyber exercises
  • information exchanges on planned training and threat indicators
  • briefings on crisis management
  • regular meetings

Highlights of this cooperation include:

  • cooperation between the NATO Computer Incident Response Capability (NCIRC) and CERT-EU
  • NATO staff observed Cyber Europe 2018 and EU staff participated in Cyber Coalition 2018