On December 16, 2020, the European Commission released the EU’s cybersecurity strategy for the next decade (see the Commission’s press release and report).

The EU’s cybersecurity strategy puts forward concrete proposals for regulatory, investment and policy initiatives in the following three areas:

1. Resilience, technological sovereignty and leadership – the European Commission proposes to:

    • reform the Network and Information Systems Directive (Directive (EU) 2016/1148) to increase the level of cyber resilience of all relevant sectors, public and private, that are important for the economy and society;
    • build a network of Security Operations Centers across the EU;
    • work with EU Member States to deploy a new means to transmit confidential information using an ultra-secure form of encryption built with European technology to shield against cyberattacks;
    • work with EU Member States to ensure that the risks relating to 5G and future generations of networks are mitigated adequately and in a coordinated way;
    • adopt new horizontal rules to improve the cybersecurity of all connected products and associated services placed on the EU internal market, in particular by establishing a new duty of care for connected device manufacturers;
    • develop a contingency plan, supported by EU funding, for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system;
    • financially support cyber-secure digital transformation to foster leadership in digital technologies and cybersecurity across the digital supply chain (including data and cloud, next generation processor technologies, ultra-secure connectivity and 6G networks); and
    • develop cybersecurity awareness and guidance.

2. Building operational capacity to prevent, deter and respond – the European Commission proposes to:

    • establish a Joint Cyber Unit to serve as a virtual and physical cooperation platform for the different cybersecurity communities in the EU, with a focus on operational and technical coordination against major cross border cyber incidents and threats;
    • improve the capacity of law enforcement to investigate cybercrime, fully respecting fundamental rights;
    • strengthen the cyber diplomacy toolbox to ensure a joint EU diplomatic response to malicious cyber activities; and
    • review the Cyber Defence Policy Framework to further enhance coordination and cooperation between EU actors, as well as with and between Member States.

3. Advancing a global and open cyberspace through increased cooperation – the European Commission proposes to:

    • step up its engagement in, and leadership on, international standardization processes, and enhance its representation in international and European standardization bodies as well as other standard development organizations;
    • advance responsible state behavior in cyberspace in international fora and strengthen and expand cyber dialogues with third countries; and
    • develop an EU External Cyber Capacity Building Agenda to ensure coherent measures to strengthen cyber resilience, capacities to investigate and prosecute cybercrime, and address cyber threats.

In parallel to the abovementioned EU cybersecurity initiatives, EU Member States are also proposing national measures to combat cyber threats. For example, on December 16, 2020, the German government adopted the draft IT Security Act 2.0 (still pending approval). This act will set new standards for defending against cyberattacks and is expected to significantly impact IoT services.

The Covington team will continue to monitor developments in the cybersecurity space.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group. Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker. Anna advises companies on European data protection law and helps clients coordinate international data protection law projects. She has obtained a certificate for “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional/Europe (CIPP/E) certified by the International Association of Privacy Professionals (IAPP). Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area. Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.