Cyber security has recently emerged as a growing need in the EU. The policy and regulatory trend associated with cyber security can be traced back to the uptake of digitalisation and the impact of it on international relations: more and more global superpowers made cyber-attacks the core of their military and power strategies, with China and Russia on top. This development had a double agenda setting effect on the EU, which, since the EU Global Strategy of 2016, started developing an external, more proper ‘cyber defence’ policy, as well as the regulatory dimension of cyber security as an internal market matter. The duality of policy objectives reflected on the ability of the EU to effectively implement its cyber agenda, as the cyber defence arm of it suffered from the constraints of the EU’s foreign policy – i.e. the absence of a proper supra-national mandate that allows more than soft power. As a consequence, one notes that measures related to the Digital Single Market when it comes to cyber security, and to cooperation on criminal law have been more elaborate than measures related to cyber defence.
The Internal Dimension: Markets and Personal Data
The internal dimension of the EU’s cyber security action has gathered pace in the past few years: EU institutions and governments gradually ‘imported’ the paradox of progress from the US into their policy-making, acknowledging that increasing reliance on digital infrastructure and digitalised services makes them easy targets of cyber warfare.
Compared to the US, which historically pays more attention to cyber defence and cyber security as part of the country’s intelligence, the application of the paradox of progress as a principle of EU policy-making was likely driven by two factors: personal data and market failures.
Traditionally, EU policies and regulations in the digital sphere put a strong focus on the protection of consumers, and more specifically of personal data. In 2017, the European Commission reported that, while many Europeans cared about their personal data, they also didn’t take basic cyber hygiene measures. At present, this is confirmed by the fact that the list of top cyber threats in the EU includes social engineering that exploits human behaviour or error to gain access to information, and distributed denial-of-service (DDoS) attacks, preventing users from accessing relevant information e.g. in their bank accounts. In this sense, the first regulatory drive for a revamped internal cyber security strategy came from the adoption of the General Data Protection Regulation (GDPR) in 2016. As far as personal data is concerned, the GDPR touches upon cyber security, for example stating that “personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage…”. The GDPR also came into force together with the other major EU cyber security law – the Network and Information Security (NIS) Directive, which laid down cyber security requirements for providers of essential entities, such as those operating in the energy, transport, banking and health sectors. Although not immediate, the interplay between the GDPR and the NIS Directive provided a comprehensive starting framework for the cyber security of personal data – for example whenever personal data was found in the systems of essential entities as defined by the NIS Directive – and allowed the Commission to shift the regulatory focus onto sectorial cyber security legislation.
Building on top of the GDPR, the EU passed the Cybersecurity Act (on the role of ENISA) in 2019, the Network and Information Security (NIS2) Directive and the Digital Operational Resilience Act (DORA) in 2022, and is now working on legislation still in the making: the Cyber Resilience Act (for IoT products) and the Cyber Solidarity Act (to address cross-border incidents).
The second driver of the EU’s internal cyber strategy has been acquiring knowledge of the specificities of cyber security markets and of state-driven market failures. With national security – which usually requires private actors to disclose vulnerabilities – being de facto a monopoly, there’s an imbalance between the costs of information sharing as regards data breaches, sustained by a firm, and the benefits for the general public of knowing such information, that ultimately leads to market failures. In this context, the EU’s legislative focus shifted to incentives for safer behaviours and, from there, to legal liability. Of the new legislation mentioned above, the NIS2 Directive and the DORA Regulation both reflect this shift, as regards liability and sectorial regulation. The NIS2 Directive expands the scope of the previous NIS Directive by including e.g. digital services providers (social media, e-commerce…), while DORA targets financial institutions and their third-party ICT service providers. Among the key features of NIS2 and DORA, both introduce legal liability for the board of administrators of in-scope entities, to properly manage the cybersecurity of their organisations in accordance with the applicable law.
The External Dimension: Digital Sovereignty
The external dimension of cyber security has a strong foreign policy angle, notably when it comes to cyber defence – rather than to cyber security. Indeed, recent EU action in this work-stream pointed at the need for Member States to “detect, defend against, recover from, and deter cyber attacks aimed at the EU and its Member States”. Nevertheless, constraints over the scope of action of the EU External Action Service as a proper foreign policy institution determined a shift in the cyber agenda towards a policy that is actionable from an internal market perspective, namely that of digital sovereignty. The concept, which can be defined as promoting the notion of European leadership and strategic autonomy in the digital field, had many applications in the digital policy-making of the EU in recent years, from the regulation of online platforms, to the first-ever regulatory frameworks on AI and crypto-assets. In cyber security, digital sovereignty has instead mostly had very sectorial applications, dependent on the foreign actor that can be targeted. A prime example is the telecommunications sector and the relationship with China.
With 5G being an enabling technology for many applications of the Internet of Things, from connected cars to industrial robots, reliance on few suppliers is seen as an issue. The problem might be enhanced when one of the major 5G suppliers, Huawei, has an opaque relationship with the EU’s ‘strategic’ rival, China. In this sense, as stressed by Kaska et al. (2019), “China’s legal and political environment, along with its known practice of ‘public-private partnership’ in cyber espionage remain a concern”. In order to address these specific concerns, the European Commission developed, together with ENISA, a 5G cybersecurity toolbox – through which the focus shifts from 5G rollout as a technological choice, to 5G as a strategic choice (ibidem). The 5G toolbox operates along three action lines – strategic, technical and supporting actions – and requires Member States to undertake risk mitigation plans in combinations of these measures. In line with the structure of internal market cyber security legislation, the toolbox (which remains a non-legislative instrument) also adopts a risk-based approach, whereby the type of measure chosen will depend on the risk tier. With the 5G toolbox being one among the many EU cybersecurity measures on telecommunications, we can observe how the 5G rollout has altered the cybersecurity landscape and deepened the digital sovereignty discourse.
In conclusion, and taking into account the specific cases discussed above, the EU’s cyber security policy has been strongly driven by internal market factors. Path dependency from data and consumer protection is recognisable in recent internal market cyber security legislation, while external action in the cyber domain has been steered by digital sovereignty and, at a more granular level, by market requirements when it comes to 5G rollout.
The overlap between digital sovereignty and cyber security is likely to further drive the EU policy agenda towards internal market legislation – for example when it comes to the ongoing debate on sovereignty of cloud services, whereby cloud providers might be required to localise their data centres in the EU.
IDRN does not take an institutional position and we encourage a diversity of opinions and perspectives in order to maximise the public good.
De Falco, F. D. (2023) The Internal and External Cyber Security Dimensions of the EU, IDRN, 05 May. Available at: https://idrn.eu/the-internal-and-external-cyber-security-dimensions-of-the-eu/ [Accessed: dd/mm/yyyy].