The European Economic and Social Committee has welcomed the proposed new package of EU cybersecurity measures but pointed to weaknesses in addressing Europe's huge cyber skills gap. Critical entities also need streamlining, simplification and clearer application guidelines, in the EESC's view.

In an opinion adopted at its April plenary, the EESC hailed the new EU cybersecurity strategy as a positive step towards protecting governments, people and businesses from cyber threats, and safeguarding economic growth – an area where the EU appears to be highly vulnerable, with the economic impact of cybercrime estimated at 0.84% of GDP compared to 0.78% in North America.

However, the EESC stresses that there is a critical shortage of cybersecurity skills in Europe and that the strategy will not be sufficient to meet it. Demand for cybersecurity professionals has been growing in recent years and skyrocketing with the pandemic.

But there are more roles open than professionals to fill them: cybersecurity job vacancies in the EU are expected to reach at least 200,000 by 2022.

"Clearly, the EU urgently needs trained professionals working in cyber security roles in both the private and public sectors for the security of individuals, businesses and the EU", said Philip von Brockdorff, rapporteur of the EESC opinion on the strategy. "This is why the EESC strongly recommends a harmonised Cyber Security Career Pathway to help address the increasing skills gap across the EU."

The United States has developed a Cyber Security Career Pathway Tool to help people considering a career in cyber security identify, build and navigate a relevant career path. Europe could develop an EU-wide Cyber Security Career Pathway Tool of its own, suggests the EESC, to help train a cyber-security workforce with comparable skills in Europe, capable of moving across borders and meeting demand in this high growth industry across the bloc.

In another opinion adopted at the April plenary, drawn up by Maurizio Mensi, the EESC welcomed the Commission's two proposals to make public and private critical entities more resilient to threats from cyber and physical attacks, pointing out the need to strengthen industry and innovation capacity in an inclusive manner through a strategy based on four pillars: data protection, fundamental rights, security and cybersecurity.

However, in the interest of streamlining and simplification, the Committee calls for the two proposals to be combined into a single text, as they are closely linked and complementary (one focuses primarily on cybersecurity and the other on physical security) and some of the provisions overlap.

Referring to the scope of application, the Committee stresses that specific and clearer guidelines are needed to precisely identify the "critical" entities bound by the proposed directive. Commenting on this, Mr Mensi said: "The criteria for distinguishing between "essential" and "important" entities in sectors identified as critical to the economy and society should be more precisely defined. We need to make sure that differing approaches at national level do not result in barriers to trade or free movement of goods and services, which could jeopardise businesses and undermine trade." (dm/mp)