Out-Law News | 20 Sep 2017 | 5:00 pm | 1 min. read
Last year there were more than 4,000 ransomware attacks per day in the EU and 80% of European companies experienced at least one cybersecurity incident. The economic impact of cyber-crime has risen five-fold over the past four years alone, the Commission said.
The propose cybersecurity agency would build on the existing European Agency for Network and Information Security (ENISA). It would organise annual pan-European cybersecurity exercises and ensure better sharing of threat intelligence and knowledge through Information Sharing and Analyses Centres.
The agency would help implement the Directive on the Security of Network and Information Systems which contains reporting obligations to national authorities in case of serious incidents, the Commission said.
The agency would also help put in place and implement the proposed EU-wide certification framework to ensure that products and services are secure.
"Just as consumers can trust what they eat thanks to EU food labels, new European cybersecurity certificates will ensure the trustworthiness of the billions of devices that drive today's critical infrastructures, such as energy and transport networks, but also new consumer devices, such as connected cars," it said.
The certificates will be recognised across member states, to reduce the administrative burden and cost for companies, the Commission said.
A new cybersecurity emergency response fund may be considered in future for countries that have implemented all the cybersecurity measures required under EU law. The fund would provide emergency support to help member states affected by cyber attacks.
Mariya Gabriel, commissioner for the digital economy and society said: "We need to build on the trust of our citizens and businesses in the digital world, especially at a time when large-scale cyber-attacks are becoming more and more common. I want high cybersecurity standards to become the new competitive advantage of our companies."
Cybersecurity expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com said: "The proposed certification may go some way towards addressing an issue that organisations and regulators are currently grappling with, which is the lack of any commonly accepted cyber standards against which organisations can be measured."
"Threat intelligence and information sharing are vital to reducing cyber risk, and the proposed information sharing and analysis centres would help in that," Birdsey said.
"I would query, however, how the fund would work in practice, particularly when private companies are targeted and affected by cyber attacks," he said.
The Commission launched a public-private partnership on cybersecurity last year that it hopes will attract €1.8 billion of investment by 2020. It will invest an initial €450 million in the partnership and expects organisations including national, regional and local government bodies, research centres and academia to invest three times as much.