By Catherine Stupp*
(EurActiv) — The European Commission will add funds and new powers for the EU cyber security agency and introduce a range of measures to limit threats from hackers, Commission President Jean-Claude Juncker announced in his annual state of the union speech on Wednesday (13 September).
Cyber security attacks can be “more dangerous to the stability of democracies and economies than guns and tanks,” Juncker said during his address to the European Parliament.
He made a brief reference to the new cyber security proposals during his speech, which lasted more than one hour.
Juncker made his case with numbers: he cited the figure of “more than 4,000 ransomware attacks per day” in the last year and said that “80% of European companies experienced at least one cyber security incident” in that period.
Earlier this year, businesses and national cyber security authorities across the EU were shaken by large-scale hacking attacks such as WannaCry and the outbreak widely reported as Petya (later identified as NotPetya), both self-propagating malware that spread between unpatched Windows machines rather than conventional viruses.
“Cyber attacks know no borders and no one is immune,” Juncker added.
Juncker’s speech was short on details, but shortly after he finished speaking, the Commission published a flurry of legislative documents.
They include a new proposal to overhaul ENISA, the Athens-based EU cyber security agency; a plan to create an EU-wide programme for certifying the security level of software and tech products; and a sweeping long-term cyber security strategy for the bloc.
ENISA’s management staff has fought for years to convince the Commission it needs a budget increase. The agency received around €11 million this year from Brussels and currently employs 84 people. They appear to have finally got what they wanted.
The Commission’s proposal gives the agency a set of new powers: it puts ENISA in charge of a new EU-wide certification scheme and asks it to coordinate between member states’ national authorities when there is a large-scale cyber security attack.
“We got more than I thought we would. They strengthen our mandate, give us more competences and put us in charge of certification. It’s all positive,” Udo Helmbrecht, ENISA’s director, told EURACTIV.com.
“They give us much more influence,” he added.
The agency plans to add 40 new staff members if its budget increase is approved.
But it is up to member states to decide how much they want to cooperate in the revamped system: the Commission is not forcing national cyber security agencies to share more sensitive information with ENISA or with each other.
Cyber security is a touchy area for some EU countries because many do not want to hand over sensitive information about their security vulnerabilities to other member states.
“In the end, it will be a discussion of how much member states want to do on the European level and what do they want to do on the member state level,” Helmbrecht said.
Under the new proposal, ENISA would draft certification rules that will apply to products across the EU. The Commission would adopt them through a so-called implementing act, a procedure that lets the Commission put measures into force without sending them through the full legislative process in the Parliament and Council.
The Commission touts the certification plan as a way to avoid fragmentation and high costs for companies that currently need to have their products approved separately in different EU countries.
One example in the proposal lists the cost of certifying the security level of smart meters, the network-connected devices that measure and report energy consumption. Germany’s cyber security agency charges more than €1 million to certify smart meters, while companies pay around €150,000 in France and the UK.
Under the new system a company could obtain a single certificate, valid for a maximum of five years and recognised across the bloc. Certification will not be required to operate in the EU, however; the scheme is only meant to spare firms expensive separate application processes in different national systems.
The broad-ranging EU cyber security strategy that was also published on Wednesday proposes a new chain of response for when large-scale hacking attacks hit EU countries. That chain would link member states’ authorities, ENISA and other EU response bodies, which the Commission wants to communicate with each other to limit the damage after breaches.
ENISA will organise regular cyber security exercises to test the new response network.
“The result will be a shift for the EU from a reactive to a proactive approach to protecting European prosperity, society and values, as well as fundamental rights and freedoms, through responding to both existing and future threats,” the strategy reads.
The Commission also asks countries to step up their response to criminal attacks originating outside the bloc.
As EURACTIV previously reported, the Commission also wants to set up a research centre to work on cyber security threats and response methods.
The Commission will start an in-depth analysis about creating a new centre, known in Brussels jargon as an “impact assessment”, later this year. It could potentially set up the body in 2018.