EESC urges strategic revision of EU's Cybersecurity Strategy

Europe's cyber resilience and cyber industry must be strengthened

The internet and digital technologies have been transforming our way of life. They play an essential role in economic and social life, for instance to support vital energy, health, government and financial services. The digital economy already generates over one fifth of GDP growth in the EU and most Europeans buy online each year. Our society depends on the Internet and connected digital technology and therefore it is important that this critical infrastructure be properly protected. Digital infrastructure and services are vulnerable to a growing risk of cybercrime and cyberattacks that threaten Europe's prosperity and quality of life.

Cyberattacks on the rise

Every day, cybersecurity incidents cause major economic damage to European businesses and the economy at large and undermine the trust of citizens and enterprises in the digital society. Only a few days ago, Yahoo disclosed a new massive data breach involving more than 1 billion accounts with personal data stolen. This was the second cybersecurity incident to hit Yahoo in a rather short period of time. According to the Global State of Information Security Survey 2016, around 80% of European companies have experienced at least one cybersecurity incident over the past year and the number of security incidents across all industries worldwide rose by 38% in 2015.

Europe needs to strongly react

For the EESC, these high numbers are proof enough that the 2013 EU Cybersecurity Strategy and the specialised entities and sectoral initiatives are not sufficient to ensure resilience to cyberattacks and to respond properly to incidents. The EESC has therefore adopted an opinion on Strengthening Europe's Cyber Resilience System. In it, the Committee welcomes the European Commission's communication on Strengthening Europe's cyber resilience system and fostering a competitive and innovative cybersecurity industry, but also calls for an update of the 2013 EU Cybersecurity Strategy and proposes a range of measures, such as the allocation of adequate funding to the European Cybercrime Centre, to the European Defence Agency and to cybersecurity research and innovation. Moreover, the Committee hopes that the contractual Public Private Partnership (cPPP) on cybersecurity, which has been signed by the European Commission and is expected to unlock 1.8 bn Euro in investments in the cybersecurity industry, will be used Europe-wide to support the development of companies specialising in cybersecurity.

European coordination and cooperation is key

While the EESC welcomes the Commission's intention to evaluate the mandate of the European Network and Information Security Agency (ENISA), it also calls for the creation of a European authority for cybersecurity along the lines of the European Aviation Safety Agency to provide the strength of leadership and integration required to tackle the challenges at EU level and to engage on cybersecurity issues on the international stage. In its opinion, the EESC urges the creation of a national cybersecurity development model and rating system to measure each Member State's level of resilience. In the Committee's view, it is also crucial to educate staff of public administration institutions and agencies on information governance, data protection and cybersecurity, raise citizens' awareness of the risks and encourage proactive protection approaches.

Thomas McDonogh, EESC member and rapporteur on the Committee's opinion, said: "It's important that large companies be obliged by law – like in the US – to reveal cyberattacks – like Yahoo did when its computers were hacked – because it is important that the customers are warned. Informing customers should be mandatory."

In addition, the EESC considers that the EU Cybersecurity Strategy also needs to deliver on:

- the preservation of privacy and respect of fundamental rights

- informed and responsible businesses

- a deep partnership between all involved parties (governments, private sector and citizens)

- and common technical standards.

In 2017, the EESC will follow up on the issue in order to better protect EU citizens, businesses and the market.