Improving capacity and cybersecurity cooperation in the context of existing and proposed EU legislation

Cyberspace has become a critical domain, and countries, organisations and individuals rely on a secure and operational cyberspace to conduct business and social endeavours. As a result, cybersecurity has become very important in ensuring that the cyberspace domain is protected both from existing and newly emerging threats.

The European Union (EU) is at the forefront of ensuring that there are the necessary legislative and operational frameworks that support the implementation of measures that enhance cybersecurity within the bloc. The EU started legislating as early as 2013, and enacted directive 2013/40/EU, also known as the EU directive on attacks against information systems.

This directive was one of the first steps towards cybersecurity in the EU and the objectives included defining offences, establishing penalties for any offences carried out, and laying down measures for effective investigation and prosecution of cybercrimes related to attacks against information systems.

It also addressed jurisdictional issues which ensured that cybercriminals can be prosecuted regardless of where the attack originated from within the EU.

Furthermore, it facilitates extradition between member states for these offences and ensures that legal persons, such as companies and organisations, can be held liable for offences committed for their benefit. Directive 2013/40/EU sought to improve cooperation between law enforcement agencies and enhanced the overall cybersecurity of the European Union.

In its efforts to strengthen its cybersecurity capabilities and resilience against cyber threats, the EU developed the network and information security directive (Directive (EU) 2016/1148).

The purpose of this directive was to harmonise the approach to cybersecurity across member states and aimed to improve the overall cyber readiness and protection of critical infrastructure and essential services from cyber-attacks. The main objectives included enhancing cybersecurity of critical entities; identifying entities that were essential for the maintenance of critical societal and economic activities; establishing national network and information security (NIS) strategies; setting up incident notification and reporting requirements for identified essential service providers and digital service providers; and promote collaboration and information sharing.

The NIS2 directive (Directive (EU) 2022/2555) is a further improvement on the previous directive, widening the scope from entities that are essential for the operation of societal and economic activities to a wider range of entities such as the public service.

On March 27th of 2019, the EU Cybersecurity Act was adopted. The act was the next step by the EU towards achieving a more consistent and robust cybersecurity landscape across the EU. By establishing common standards and certifications, it sought to protect consumers, businesses, and critical infrastructures from cyber threats and enhance trust in digital products and services within the EU market.

The latest EU initiative to further enhance cybersecurity is the drafting of the Cyber Resilience Act. The purpose of this act is to regulate software and hardware products that are not yet covered by other EU legislation to ensure their security and resiliency. The products mainly being affected by this legislation are system software and embedded software usually operating at the hardware level, firmware level, and services level (such as operating systems etc.). The act has two main objectives to ensure the development of resilient and secure software, and proper functioning of the internal market:

1. Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle.
2. Create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements. Four specific objectives were set out:
   • Ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle.
   • Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers.
   • Enhance the transparency of security properties of products with digital elements.
   • Enable businesses and consumers to use products with digital elements securely.

With these acts and directives, the EU is sending a message that cybersecurity is a very important domain for the EU and that it will support actions towards improving the security posture of the EU cyberspace.

All these directives and acts need to be implemented and thus the EU has invited member states and the private sector to come up with initiatives that will support this legislation framework. Through the Digital Europe framework, funds have been made available to provide action grants in the field of cybersecurity.

One of the topics included in this funding is the DIGITAL-ECCC-2023-DEPLOY-CYBER-04-EULEGISLATION — Support for the implementation of EU legislation on cybersecurity and national cybersecurity strategies which has the objective of capacity building and improvement of cooperation on cybersecurity at a technical, operational and strategic level, in the context of existing and proposed EU legislation on cybersecurity such as the NIS2 directive (Directive (EU) 2022/2555), the Cybersecurity Act and the proposed Cyber Resilience Act, and the directive on attacks against information systems (Directive 2013/40). The outcomes expected from this call are:

1. Incident management solutions reducing the overall costs of cybersecurity for individual member states and for the EU, better compliance with NIS2 (Directive (EU) 2022/2555) and higher levels of situational awareness and crisis response in member states.
2. Organisation of events, workshops, stakeholder consultations and white papers.
3. Enhanced cooperation, preparedness, and cybersecurity resilience in the EU.
4. Support actions concerning certification.

The National Cybersecurity Coordination Centre for Malta (NCC), under the auspices of the Malta Information Technology Agency (MITA), aims to promote EU funding opportunities within Maltese territory and provide technical assistance to Maltese entities to apply for EU-funding calls. In this manner, the NCC encourages interested parties to participate in this funding initiative and apply for the funds to contribute towards the improvement of cyber security in the EU. More information on this call for proposals is available on the NCC-MT website – https://ncc-mita.gov.mt/funding-calls/.  

This article is co-funded by the European Union.