27 October 2022

Europe Readies Itself for a Cyber Winter

October is European Cybersecurity Month, with discussions in Brussels and beyond having explored a range of issues from digital sovereignty to spyware and skills. But what is driving these discussions and framing the wider policy agenda?

To answer these questions, Adam Waters and Callum Laidlaw spoke to our Senior Advisor and President of the Munich Security Conference Foundation Council, Ambassador Wolfgang Ischinger, about the key trends in cyber and data security. 

An ambitious agenda

“Digitalisation and cyber are two sides of the same coin,” said European Commission President von der Leyen at the beginning of her term, emphasizing cybersecurity’s key role in Europe’s digital transformation and the need to protect corporates, consumers, and governments alike.

The pandemic saw an increase in attacks across the EU and UK in terms of numbers, but also in sophistication and impact. Businesses are increasingly data-dependent, and the public is also becoming reliant – consider the ‘Internet of Things’ and, in particular, digital communication platforms – all of which increase risk.

Pushing toward a single market for cybersecurity, the European Commission has pursued an ambitious agenda, aligned with the EU’s objective to achieve ‘technological sovereignty’. This has seen the bloc’s own capacities and rules for digital infrastructure and data management updated with horizontal requirements for critical sectors (Network and Information Security Directive 2), sectoral rules for the financial sector (Digital Operational Resilience Act), and recently proposed requirements for the ‘Internet of Things’ - the Cyber Resilience Act (CRA).  

Regulation is also being developed by ENISA, the European Cybersecurity Agency, for certification schemes to enhance trust in services such as Cloud. Plans are also underway to enhance Member State coordination in responding to large-scale cyber crises through a Joint Cyber Unit.  

"It is extremely important for the EU to invest more than ever in cybersecurity, as cyberthreats are becoming ever more relevant. We are looking at an evolving threat spectrum with increasing hybrid threats. In order to achieve technological sovereignty, Europe should take steps to strengthen its positions in the development, commercialization, and adoption of cybersecurity solutions."

Ambassador Wolfgang Ischinger

The geopolitical context

As the 2022 Munich Security Index shows, cybersecurity is an issue of increasing concern for citizens across the Western world. Russia’s invasion of Ukraine was coupled with a campaign of cyberattacks, with ministries and banks among institutions impacted, and critical infrastructure disrupted across Member States. Globally, Western nations have deployed common responses to hybrid attacks.

While the restrictions placed in response to the pandemic may be largely a thing of the past, the enduring economic downturn could precipitate greater threats, as malicious actors may be incentivised to carry out ransomware attacks, and less could be spent by businesses, citizens, and governments on security. 

"There is nothing more important for the members of the European Union, and for the Western world, than to be able to respond more efficiently, more quickly, and more collectively to cyber crises and challenges."

"The Munich Security Index has shown that cybersecurity is an issue of increasing concern, not only to governments, but to companies and citizens across the Western world. That is why accelerating our efforts - at the international level, the company level, the EU and NATO level - to better our crisis response is an issue of the highest priority."

Ambassador Wolfgang Ischinger

Soft power and strategic autonomy

Western nations are coalescing as a counterweight to both overreliance on supply chains and internet models linked to authoritarian regimes, such as through the EU-US Trade and Technology Council, and Declaration for the Future of the Internet. But the shifting transatlantic relationship raises questions about the ability to shape online rules as the internet splinters. 

Some policymakers see cybersecurity as a tool to promote European industrial autonomy and data sovereignty, and thereby the EU’s competitive advantage in Web 3.0 vis-à-vis competition from the U.S. and China. But France’s push for data localization provisions in ENISA’s cloud certification scheme, which would prevent third-country access to European data, is contentious among Member States. Access to non-personal data also features in the Data Act, which is currently under negotiation. Potential challenges for third-country cloud providers are still to come, as some move to sovereign cloud solutions. 

ENISA’s certification schemes can demonstrate compliance with horizontal cybersecurity rules, such as NIS2 and CRA. They could appear in both the delayed cloud rulebook and marketplace – a best practice compendium and service repository, respectively – to promote trusted services in line with EU values. Although voluntary, they could become mandatory for critical uses or supply chains, and perhaps eventually for public procurement more broadly.

"We are witnessing a strategic competition between autocracies and democracies to establish international norms and standards, not only for the classic areas of commerce, trade, and investment, but increasingly for the digital realm. It is good to see the EU taking a leadership role in trying to establish international norms which protect people’s digital privacy and freedom, and European companies’ ability to compete freely and protect intellectual property."

Ambassador Wolfgang Ischinger

Future-proofing regulation

Cybersecurity runs through the digital policy agenda, which increasingly intersects with modern society, from critical infrastructure to misinformation and electoral integrity. The CRA extends cybersecurity rules to interconnected devices. However, key aspects such as critical product definitions will be updated by secondary legislation; flexibility for policymakers also comes with uncertainty for business. 

The Commission will build on digital regulation as new technologies emerge, with an initiative on virtual worlds such as the metaverse in Q2 2023. As more of our lives are spent online and technologies provide more applications in industry, health, and smart cities, more attention will be required from policymakers, businesses, and citizens to keep us safe. 

"Keeping up with technological developments can be a challenge for policymakers tasked with crafting digital regulatory policies. The Commission should invest in attracting enough digital experts that can help keep its digital regulations up-to-date and effective, even looking over the horizon, at coming threats, risks and challenges."

Ambassador Wolfgang Ischinger

 
