For many users, digital technology may seem like a virtual world, but the fact remains that it is based on a material layer, with infrastructures that are often cross-border. Jean Peeters, holder of the Cyber and Digital Sovereignty Chair at the IHEDN, deciphers the European Commission's regulatory and legislative recommendations for strengthening cybersecurity in the Member States.
Today, how can the European Union (EU) act in the field of cyber security?
On 18 October last, the European Commission (EC) proposed to strengthen the resilience of critical infrastructures (press release). This proposal is a reminder that cyber security, far from being a given, must remain an objective. As defined by the ANSSI, cybersecurity must be "the state sought for an information system, enabling it to withstand events originating in cyberspace, likely to compromise the availability, integrity or confidentiality of the data stored, processed or transmitted and the related services that these systems offer or make accessible". It takes note of the evolution of a threat that has become hybrid and sophisticated, as we are seeing with the war in Ukraine and the apparent sabotage of the Nord Stream gas pipelines, as well as other recent incidents.
What does this proposal for a recommendation contain?
The Commission's proposal for a recommendation is based on a five-point plan for resilient critical infrastructures. It stresses the cross-border nature of digital infrastructures and the interdependence of States, as well as the links between cybersecurity and the physical security of operators. The Recommendation calls on member countries to act as quickly as possible and in a coordinated manner. As it states in its various publications: "society is heavily dependent on both physical and digital infrastructures, and the disruption of essential services, whether as a result of conventional physical attacks, cyber attacks or a combination of the two, can have serious consequences for the well-being of citizens, our economies and the trust placed in our democratic systems".
In concrete terms, what are the States being asked to do?
Among the 34 recommendations, States are invited to "carry out or update their risk assessment concerning the resilience of entities operating critical infrastructures in the transport and energy sectors". They should also "subject entities operating critical infrastructures to stress tests". Finally, they must exploit "the funding opportunities that may exist at EU level" and "develop the use of Galileo and/or Copernicus for surveillance purposes".
What are the European Commission's priority areas for action?
The proposed recommendation gives priority to the key sectors of energy, digital infrastructure, transport and space. It is clear today just how important these sectors would be if they were to be severely impacted by crises of human or environmental origin. To give you an example, it concerns in particular the protection of submarine cables, which criss-cross the globe and carry the bulk of the global internet network. In a hybrid conflict, sabotaging these cables can seriously undermine the operations of several countries.
Following this recommendation, what are the next concrete steps?
The European legal and regulatory framework is expected to be strengthened with the forthcoming adoption of the NIS 2 Directive and the Cyber Resilience Act. However, this regulatory framework is not enough. Today, experience, preparation, anticipation, training, investment and innovation make a massive contribution to the protection of states. France is no slouch in this respect. With the Rugby World Cup coming up in 2023 and the Olympic Games in 2024, we have to be prepared. We will have to face up to numerous risks and attacks, guarantee the safety of goods and people and prove that our place in the top three EU countries in terms of cyber security is well deserved.