The EESC urges the EU and its Member States to adopt a European-level cybersecurity model, to strengthen the mandate of the European cybersecurity agency and, lastly, to establish an effective European certification scheme for online services and products.
The EU should agree on a European cybersecurity model, give the EU cybersecurity agency a stronger role and establish a European-level certification framework for online services and products. These are the key conclusions of the public hearing on the Cybersecurity Act held in Brussels on 9 January 2018, which will feed into the EESC opinion being drafted by Alberto Mazzola and Antonio Longo of the Section for Transport, Energy, Infrastructure and the Information Society (TEN).
The EESC broadly supports the cybersecurity package set out in the European Commission proposal submitted to the Council in September 2017 and flags up the following measures.
- A European cybersecurity model
The concept of cybersecurity has emerged worldwide. It is a global challenge as attacks may take place anywhere and target individuals, civil society organisations, social systems and economic sectors across any Member State. This is why the EESC is encouraging the EU to take the necessary steps and agree on a model of resilience against such attacks at European level.
"According to a special Eurobarometer survey on "Europeans' attitudes towards cybersecurity", 73% of Internet users are concerned that their online personal information could not be kept secure by websites and 65% that it could not be kept secure by public authorities," said the TEN president, Pierre Jean Coulon. "Most respondents are concerned about being the victims of various forms of cybercrime, and especially about malicious software on their device (69%), identity theft (69%) and bank card and online banking fraud (66%)."
- A stronger EU cybersecurity agency
The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cybersecurity in Europe and is currently based in Greece. The EESC believes it should be developed, made permanent and endowed with more resources. It should focus on e‑government and universal services (e-health) as well as preventing and combating ID theft and online fraud.
"New resources should be allocated to ENISA to enable it to fulfil its mandate and to enhance the resilience of the European cyber system," noted Alberto Mazzola, adding that "The EESC believes that we need to build a strong cyber skills base and improve cyber hygiene by establishing an EU-certified curriculum for high schools and professionals. We also believe that a European Digital Single Market would need a uniform interpretation of the rules, including mutual recognition between Member States, and that a certification framework could provide a minimum common baseline."
- A European cybersecurity certification
In order to guarantee a high level of security, the EESC recommends establishing an EU cybersecurity certification framework, based on commonly defined cybersecurity and ICT standards at European level. Online services and products could then be certified with a proper labelling system, with a view to improving consumer confidence.
Antonio Longo commented that "It is important to strengthen the trust of consumers, who are increasingly using digital payments for e-commerce and placing their personal data online. We need a certification system that guarantees cybersecurity software, for instance through a recognisable label, as is currently the case for websites and the 'lock' next to the address bar. In addition, the knowledge of the dangers in the digital world and the tools for avoiding illicit use being made of personal data must be gradually extended to schools and training courses for workers."
The opinion on the Cybersecurity Act will be discussed and adopted at the EESC plenary session in February 2018.