The European Union Agency for Cybersecurity (ENISA) organised its first ever cybersecurity policy conference together with the European Commission to discuss the evolution of the EU cybersecurity policy framework.
With the Cybersecurity Act establishing a permanent mandate and giving an extended role to the European Union Agency for Cybersecurity (ENISA), we entered a new era for cybersecurity policy. Since then, a number of new EU legislative initiatives have emerged, together with the revised Network and Information Security Directive (known as NIS2), which entered into force on 16 January 2023. EU legal instruments have become the commonly agreed tools for building trust around digital products and services within the Digital Single Market.
Despina Spanou, Head of Cabinet of Vice-President Schinas (Promoting our European Way of Life), European Commission, declared: "Cybersecurity skills will be the engine that we need to achieve this high level of cybersecurity across Europe. This is why we will present soon an EU Cyber Skills Academy with the aim of increasing the number of professionals training in cybersecurity and thus strengthening the EU's security capacity and defence."
Lorena Boix Alonso, Director of Directorate General Digital Society, Trust and Cybersecurity (CNECT.H), European Commission, stated: "The cyber threats landscape is evolving fast in the current geopolitical setting. Thus, we need to ensure a solid EU cyber policy framework and its swift implementation. Today's event is a perfect occasion to exchange ideas on what to do to make it happen."
Cybersecurity legislation has expanded and matured considerably, with the aim of further developing cybersecurity across the EU. ENISA has been working to that end together with Member States to identify best EU practices in line with the provisions of the NIS1 Directive and to share them among its stakeholders. The Agency is dedicated to supporting Member States with the implementation of the revised rules under NIS2, as well as a new range of rules, including those of the Digital Operational Resilience Act (DORA) and of the future Electricity Network Code for Cybersecurity, as well as the ones which will be introduced with the Cyber Resilience Act (CRA).
The conference held last week is the result of the joint efforts of the European Commission and ENISA. The event was intended to address the challenges in implementing the new provisions of NIS2 across the EU. It also gauged how to facilitate the implementation process and discussed new developments in the EU cybersecurity policy framework.
Experts discussed a common approach to the current EU legislative framework and exchanged opinions. Panels focused on key aspects of the topics on the agenda:
- Concerning the implementation roadmap of NIS2 and the respective challenges, particular emphasis was placed on how National Competent Authorities can build on the lessons learned from the NIS Directive and how they can work together with operators to support them in reaching the target cybersecurity maturity levels. Collaboration between the National Competent Authorities and the European Commission will also be a key success factor in meeting the NIS2 implementation roadmap milestones;
- On the topic of the Coordinated Vulnerability Disclosure (CVD) framework introduced by NIS2, discussions centred on how its implementation can be optimised to provide clarity to all stakeholders involved. Particular emphasis was placed on how the CVD framework will provide assurance to information security researchers disclosing vulnerabilities, as well as to how to best optimise the follow-up on disclosed vulnerabilities;
- The discussion on the Cyber Resilience Act (CRA) proposal emphasised the importance of harmonised standards in the success of the regulation and highlighted key elements that will be at the centre of negotiations in the upcoming period leading up to the adoption of the Regulation. Panellists and Conference participants alike welcomed the increased security that the CRA will bring to digital products in the EU market;
- The panel discussion on the Digital Operational Resilience Act (DORA) offered a good example of how sectoral cybersecurity rules can be introduced by building on an existing strong framework. Discussions around this Regulation illustrated how DORA can support the streamlining of the plethora of incident reporting obligations for operators in the finance sector.
The need for skilled cybersecurity professionals was raised during the conference. Such professionals are essential if the different provisions of the evolving EU policy framework are to be implemented. The workforce will therefore need to grow to ensure that all cybersecurity roles and functions are adequately covered as the tasks at hand keep expanding. These tasks include, for instance:
- implementation of sound cybersecurity practices;
- conformity assessment of digital products;
- development of cybersecurity schemes;
- responding to and reporting cybersecurity incidents.
About ENISA
The European Union Agency for Cybersecurity (ENISA) is the Union's Agency dedicated to achieving a high common level of cybersecurity across Europe.
ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.
Further information
Cybersecurity Act (CSA)
Directive on measures for a high common level of cybersecurity across the Union (NIS2)
Cyber Resilience Act (CRA)
Digital Operational Resilience Act (DORA)
Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS)
State of Vulnerabilities 2018/2019 - Analysis of Events in the life of Vulnerabilities
Economics of Vulnerability Disclosure
Good Practice Guide on Vulnerability Disclosure. From challenges to recommendations
Contact
For press questions and interviews, please contact press (at) enisa.europa.eu