Cybersecurity: A Key Political Priority for the European Union
Improving cybersecurity within the EU is a key political priority for the European Commission, the European Parliament, and the EU Council (representing the 27 EU member states) during the 2019–2024 legislative mandate.
This policy approach reflects a defined and progressive response to the need for businesses in Europe to improve their cybersecurity processes and controls. Equally, it is important that citizens improve their awareness of the risks that broader society faces from cybersecurity attacks.
EU legislators seek to build a comprehensive cybersecurity framework at a time when ICT innovation is modernising a whole host of vertical industries, including agriculture, health, industry, transport, and energy.
EU Cybersecurity Act 2019
This law introduced a new EU-wide cybersecurity certification system in Europe for ICT products, systems, and processes. The EU Cybersecurity Act enables companies doing business in the EU to benefit from having their ICT products certified only once, which is then recognised by all 27 member states of the EU.
- A European cybersecurity certification scheme defines a set of rules and technical specifications agreed at the European level for evaluating the cybersecurity properties of a specific product, service, or process.
- ENISA has been empowered in recent years to draw up three different EU schemes covering the certification of ICT products (common criteria), 5G, and cloud services.
- Cybersecurity certification increases the trust and security in products, services, and processes, which is crucial for the effective functioning of the EU internal market.
- These certification schemes must be underpinned by a complete series of different specifications based on verified, transparent, and objective technical criteria.
NIS2 2020
The NIS2 (Network and Information Security) Directive must be transposed into national law by all 27 EU member states by October 18, 2024. This new law will improve both the cybersecurity capabilities of EU member states and the risk-management obligations, including the obligation to report cybersecurity incidents. NIS2 will also promote higher levels of international co-operation and information exchange between EU member states on how best to address cybersecurity risks.
- Member states will have to list the names of companies and bodies deemed important or essential entities under the scope of NIS2. Sectors covered under NIS2 include, for example, energy, transport, digital infrastructure, health, public administration, and manufacturing. NIS2 sets out clear requirements in the areas of vulnerability handling and disclosure, incident reporting, crisis management, basic computer hygiene practices, and cybersecurity training.
- NIS2 establishes EU CyCLONe – the European Cyber Crises Liaison Organisation to better co-ordinate the management of large-scale cybersecurity incidents across Europe.
- Verifiability, non-discrimination, and proportionality should be the guiding principles for NIS2 rollout within the EU.
- A new EU ICT Supply Chain Toolbox is also being developed by ENISA, the European Commission, and the NIS Co-operation Group. This toolbox will identify the economic sectors within the scope of NIS2 that will be subject to a coordinated EU supply-chain risk assessment.
Cyber Resilience Act (CRA) 2022
A core objective of the Cyber Resilience Act (CRA) is to introduce obligations for the manufacturers, importers, and distributors of products with digital elements sold within the EU.
On September 27, 2023, the trilogue process of negotiations for the CRA commenced. This legislative procedure brings together the European Commission, the European Parliament, and the EU Council to reach an agreement on a final CRA text. The EU institutions intend to secure a trilogue agreement on the CRA so that this new regulation can be approved by MEPs before the European Parliament elections take place in June 2024.
- Cybersecurity must be factored into the design, development, and production of products with digital elements.
- Due diligence in the design and development of the security aspects of such products must be exercised.
- Agreement must be secured by the respective EU institutions during the trilogue phase as to which products will be required either to demonstrate compliance under a certified EU cybersecurity scheme or to undergo an independent, mandatory third-party conformity assessment.
- International standards can play a very positive role in rolling out the CRA.
- It is equally important that there is no overlap in the practical implementation of the CRA, NIS2, or Radio Equipment Directive (RED).
Huawei’s cybersecurity commitment in Europe and across the world
- Huawei operates three cybersecurity and transparency centres in the EU. Located in Brussels, Rome, and Bonn, these centres provide opportunities to our customers and government stakeholders to examine and test Huawei cybersecurity solutions.
- The EU is a strong leader in the area of standardisation. Huawei holds security certification for circa 360 products and fully complies with management systems certification requirements as laid down by ISO 27001 and ISO 28000.
- International collaboration and co-operation are key elements of the strategies pursued by Huawei to mitigate cybersecurity risk, including in the EU context.
- Huawei has published a Q&A guide on cybersecurity best practices for SMEs in Europe. There are 25 million SMEs in Europe employing 100 million people, and SMEs are major drivers of growth and jobs in Europe.