What will the EC’s new cyber security package do?

The European Commission (EC) has announced a new cyber security package designed to strengthen support services, defences and responses to such threats.


Published last month, the EC’s proposals span a 92-page document, which can be broadly divided into two main strategic categories:

  • The development of a Cyber Security Act; and
  • A communication to effectively implement the approved Network and Information Security (NIS) Directive.

Let’s take a closer look at the EC’s package of reforms, as well as industry opinions on what the changes could mean for European cyber security.

What do the proposals set out to achieve?

The EC said its initiatives hope to achieve six aims:

  • Increase cyber security capabilities and preparedness of member states and businesses;
  • Improve cooperation and coordination across member states, EU agencies, bodies and institutions;
  • Advance EU-level capabilities to support member states’ actions, especially with regards to cross-border cyber issues;
  • Boost awareness of cyber security problems among businesses and citizens;
  • Avoid fragmentation of certification schemes, security requirements and evaluation criteria in the EU; and
  • Enhance cyber security assurance of ICT products and services.

The European Confederation of Institutes of Internal Auditing (ECIIA) came out in support of the EC’s objectives.


“ECIIA welcomes the strengthening of cross-border efforts to tackle the growing threat of cybercrime,” said Henrik Stein, ECIIA president.


“A more standardised certification system for ICT products across Europe could help improve assurance and transparency in the market.”

ENISA powers strengthened

The raft of recommendations is designed to drive cyber security resilience and harmonisations, according to the EC.


A key element of the Cyber Security Act Regulation is the reorganisation and strengthening of the European Union Agency for Network and Information Security (ENISA).


The organisation was established in 2005 and had its mandate and powers enhanced four years ago. Nevertheless, the new Act will widen the agency’s responsibilities further.


ENISA will become the EU Cybersecurity Agency and will support member states in implementing several policies, including the Cybersecurity Blueprint for cyber crisis cooperation and ICT security certification functions.


Writing for Lexology, Ignasi Guardans and Alessandro Di Mario of law firm K&L Gates said ENISA would work with both public and private sector organisations.


“On the one side, it will contribute to the improvement of public authorities’ capabilities and advising them in R&D, including in the context of the contractual public-private partnership on cyber security,” they explained.


“It will also facilitate cooperation among member states in dealing with cyber security emergencies and reinforce the existing preventive operational capabilities.”

A focus on the NIS Directive

The EC’s cyber security package also has several references to the NIS Directive, which received final approval in July 2016 after three years of debate.


Under the directive, member states will have to adopt national strategies to ensure the security of their networks and information systems. This includes building strong cyber resilience strategies.


The EC considers the NIS Directive a crucial part of its EU cyber security progress, and ENISA’s purview will also include informing member states on how best to adhere to the guidance set out in the legislation.


“The NIS Directive is a first essential step with a view to promoting a culture of risk management, by introducing security requirements as legal obligations for the key economic actors,” the EC’s cyber package paper stated.


The new proposals must still follow the normal legislative process in the EU, which means any amendments need to be discussed by the European Parliament and the EC before confirmation.


Nevertheless, they indicate that significant change could be on the horizon for cyber security regulations across the continent. With Brexit discussions ongoing, the UK’s responsibilities with regards to the reforms remain hazy, although the country may implement policies that align with any legislation that arises in Europe in order to remain compliant.


Our 2017 Compensation and Market Trends Report combines our review of the prevailing conditions in the security & resilience recruitment market together with the results of our latest employer survey.