EU’s first ever report on the state of cybersecurity in the Union

In accordance with Article 18 of the NIS 2 Directive, ENISA was tasked with preparing a biennial report on the state of cybersecurity in the Union.

The report provides an evidence-based overview of the cybersecurity maturity state of play as well as an assessment of cybersecurity capabilities across Europe. The report also includes policy recommendations to address identified shortcomings and increase the level of cybersecurity in the EU. 

The EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, highlighted: “Since its establishment, ENISA has been steadfast in its commitment to providing expertise and strategic support to EU Member States. Amidst growing cybersecurity threats, technological advancements, and a complex geopolitical landscape, it is vital to assess our capabilities. Through this process, we can effectively evaluate our maturity levels and strategically plan our next steps. The first report on the state of cybersecurity in the Union reflects on our ongoing collective efforts and underscores our shared goal to bolster security and resilience across the EU.”

The analysis conducted is based on various sources, including but not limited to the EU Cybersecurity Index, the NIS Investment reports series, the Foresight 2030 and the ENISA Threat Landscape report. This report is the result of extensive consultation with all 27 EU Member States and the European Commission. 

The main findings 

The risk assessment conducted at Union level revealed a substantial cyber threat level to the EU, highlighting discovered vulnerabilities exploited by threat actors targeting EU entities.

With regard to cybersecurity capabilities at the EU level, EU Member States have developed cybersecurity strategies that present an overall alignment in objectives. Critical sectors appear more heterogeneous in terms of size and criticality, which complicates supervision and uniform implementation of cybersecurity measures. At the citizen level, it is suggested that cybersecurity awareness has likely increased among EU citizens. The digital skills level of younger generations appears higher, despite variations in the availability of education programmes and education maturity among Member States.

Policy recommendations 

The report identifies four priority areas that policy recommendations would address: 1) policy implementation, 2) cyber crisis management, 3) supply chain and 4) skills.

The key outcome of the report is a set of six policy recommendations, covering the four priority areas above and, additionally, the capabilities of critical sector operators and cybersecurity awareness and cyber hygiene.

  • Strengthening the technical and financial support given to European Union Institutions, Bodies and Agencies (EUIBAs) and national competent authorities and to entities falling within the scope of the NIS2 Directive to ensure a harmonised, comprehensive, timely and coherent implementation of the evolving EU cybersecurity policy framework using already existing structures at EU level such as the NIS Cooperation Group, CSIRTs Network and EU Agencies.
  • As called upon by the Council, revising the EU Blueprint for coordinated response to large-scale cyber incidents, while taking into account all the latest EU cybersecurity policy developments. The revised EU Blueprint should further promote EU cybersecurity harmonisation and optimisation, as well as strengthen both national and EU cybersecurity capabilities for levelled up cybersecurity resilience at national and European level.
  • Strengthening the EU cyber workforce by implementing the Cybersecurity Skills Academy and in particular by establishing a common EU approach to cybersecurity training, identifying future skills needs, developing a coordinated EU approach to stakeholders’ involvement to address the skills gap and setting up a European attestation scheme for cybersecurity skills.
  • Addressing supply chain security in the EU by stepping up EU wide coordinated risk assessments and the development of an EU horizontal policy framework for supply chain security aimed at addressing the cybersecurity challenges faced both by the public and the private sectors.
  • Enhancing the understanding of sectorial specificities and needs, improving the level of cybersecurity maturity of sectors covered by the NIS2 Directive and using the future Cybersecurity Emergency Mechanism to be established under the Cyber Solidarity Act for sectorial preparedness and resilience with a focus on weak or sensitive sectors and risks identified through EU-wide risk assessments.
  • Promoting a unified approach by building on existing policy initiatives and by harmonising national efforts to achieve a common high level of cybersecurity awareness and cyber hygiene among professionals and citizens, irrespective of demographic characteristics.

Looking into the future

Several key themes are expected to require greater policy attention as we progress. The latest cybersecurity policy developments in the EU have established a strong foundation that allows for capability. Nonetheless, authorities at both EU and national level face challenges in adapting to their new roles while navigating the evolving threat landscape. In particular, Artificial Intelligence (AI) and Post-Quantum Cryptography will be attracting greater attention in the years ahead, while the EU has to step up competitiveness in the field through research, development and innovation. To prepare for the challenges of tomorrow, common situational awareness and well-tested operational cooperation are fundamental.