Juncker announces massive cyber security overhaul

The European Commission will add funds and new powers for the EU cyber security agency and introduce a range of measures to limit threats from hackers, Commission President Jean-Claude Juncker (photo) announced in his annual state of the union speech on Wednesday (13 September).

Cyber security attacks can be “more dangerous to the stability of democracies and economies than guns and tanks,” Juncker said during his address to the European Parliament.

He made a brief reference to the new cyber security proposals during his speech, which lasted more than one hour.
Juncker got to the point by citing the figure of “more than 4,000 ransomware attacks per day” in the last year and said that “80% of European companies experienced at least one cyber security incident” in that period.

Earlier this year, businesses and national cyber security authorities across the EU were shaken by large-scale hacking attacks, like the WannaCry and Petya viruses.

“Cyber attacks know no borders and no one is immune,” Juncker added.

Juncker’s speech was short on details, but shortly after he finished speaking, the Commission published a flurry of legislative documents.

They include a new proposal to overhaul ENISA (European Network and Information Security Agency), the Athens-based EU cyber security agency; a plan to create an EU-wide programme for certifying the security level of software and tech products; and a sweeping long-term cyber security strategy for the bloc.

Juncker proposes EU cyber security agency in 2017 State of the Union

ENISA’s management staff has fought for years to convince the Commission it needs a budget increase. The agency received around €11 million this year from Brussels and currently employs 84 people. They appear to have finally got what they wanted.

The Commission’s proposal gives the agency a set of new powers: it puts ENISA in charge of a new EU-wide certification scheme and asks it to coordinate between member states’ national authorities when there is a wide-scale cyber security attack.

“We got more than I thought we would. They strengthen our mandate, give us more competences and put us in charge of certification. It’s all positive,” Udo Helmbrecht, ENISA’s director, told EURACTIV.com. “They give us much more influence,” he added.

The agency plans to add 40 new staff members if its budget increase is approved.

But it’s up to member states to decide how much they want to cooperate in the revamped new system: the Commission is not forcing national cyber security agencies to share more sensitive information with ENISA or with each other.

Cyber security is a touchy area for some EU countries because many do not want to hand over sensitive information about their security vulnerabilities to other member states.

“In the end, it will be a discussion of how much member states want to do on the European level and what do they want to do on the member state level,” Helmbrecht said.

ENISA will organise regular cyber security exercises to test the new response network.

“The result will be a shift for the EU from a reactive to a proactive approach to protecting European prosperity, society and values, as well as fundamental rights and freedoms, through responding to both existing and future threats,” the strategy reads.

The Commission also asks countries to step up how they respond to criminal attacks from outside the bloc. As EURACTIV previously reported, the Commission also wants to set up a research centre to work on cyber security threats and response methods.

The Commission will start an in-depth analysis about creating a new centre, known in Brussels jargon as an “impact assessment”, later this year. It could potentially set up the body in 2018.