The document summarizes the key points of the European Union's cybersecurity strategy, including establishing an open, safe, and secure cyberspace; boosting the EU economy by €500 billion annually by completing the digital single market; and achieving cyber resilience, reducing cybercrime, developing cyberdefense capabilities, and establishing international cyber policy. It outlines the strategy's five strategic objectives and roles for the European Union Agency for Network and Information Security (ENISA) in assisting member states, private sectors, and more.

1. European Union Agency for Network and Information Security www.enisa.europa.eu
European priorities in
information security
Graeme Cooper
Head of Public Affairs Unit, ENISA
12th International InfoSec and Data Storage Conference,
26th September 2013, Sheraton Hotel, Sofia, Bulgaria

2. European Union Agency for Network and Information Security www.enisa.europa.eu 2
EU Cubersecurity Strategy - essential points
“An Open, Safe and Secure Cyberspace”
• The norms, principles and values that the EU upholds
offline, should also apply online.
• Cyberspace must be correctly protected:
– Governments have a significant role in ensuring a free
and safe cyberspace.
– The private sector owns and operates significant parts
of cyberspace and has a leading role.
• Outside the EU, governments may misuse cyberspace for
surveillance and control.
– The EU can counter this situation by promoting freedom
online and ensuring respect of fundamental rights
online.

3. European Union Agency for Network and Information Security www.enisa.europa.eu 3
Economic Arguments
• By completing the Digital Single Market, Europe could boost its
GDP by almost €500 billion a year.
• For new connected technologies to take off citizens will need
trust and confidence.
– Currently, Europeans are not confident in their ability to use
the Internet for banking or purchases.
– They are also reluctant to disclose personal information.
– Across the EU, more than one in ten Internet users has been
a victim of online fraud.
• The EU economy is already affected by cybercrime activities,
economic espionage and state-sponsored activities are new
threats.

4. European Union Agency for Network and Information Security www.enisa.europa.eu 4
The Principles
• The strategy proposes key principles to guide the EU and
international approach:
– The EU's core values apply as much in the digital as in
the physical world.
– Fundamental rights, freedom of expression, personal
data and privacy should be protected.
– The Internet should be accessible to all citizens.
– The digital world must be subject to democratic and
efficient multi-stakeholder governance.
– Ensuring security is a shared responsibility.

5. European Union Agency for Network and Information Security www.enisa.europa.eu 5
Strategic Priorities
• The Five strategic objectives of the
strategy are as follows:
– Achieving cyber resilience
– Drastically reducing cybercrime
– Developing cyberdefence policy and capabilities related
to the Common Security and Defence Policy (CSDP)
– Developing the industrial and technological resources
for cybersecurity
– Establishing a coherent international cyberspace policy
for the European Union and promoting core EU values
ENISA explicitly called upon.

6. European Union Agency for Network and Information Security www.enisa.europa.eu 6
Achieving Cyber Resilience
• Introduces ENISA and explains the policy on NIS.
• Makes reference to articles 13a & 13b.
• Introduces the legislative proposal.
• Stresses the importance of the following:
– The establishment of a cybersecurity culture to enhance
business opportunities and competitiveness.
– Reporting significant incidents to the national NIS
competent authorities.
– Exchange of information between National NIS
competent authorities and other regulatory bodies.
– Recognises that exercises at EU level are essential to
stimulate cooperation among the MS and the private
sector.

7. European Union Agency for Network and Information Security www.enisa.europa.eu 7
The Legislative Proposal
• Key points:
– Will help establish common minimum requirements for
NIS at national level.
– Requires Member States to designate national
competent authorities for NIS, set up a competent CERT
and adopt a national NIS strategy and a national NIS
cooperation plan.
– Explains the role of the CERT EU regarding the EU
institutions, agencies and bodies.
– Requires the establishment of coordinated prevention,
detection, mitigation and response mechanisms.
– Requires the private sector to develop, at a technical
level, its own cyber resilience capacities and share best
practices across sectors.

8. European Union Agency for Network and Information Security www.enisa.europa.eu 8
Achieving Cyber Resilience (1 of 2)
• In the area of cyber resilience, the EC asks ENISA to:
– Assist the Member States in developing strong national
cyber resilience capabilities.
– Examine in 2013 the feasibility of Computer Security
Incident Response Team(s) for Industrial Control
Systems (ICS-CSIRTs) for the EU.
– Continue supporting the Member States and the EU
institutions in carrying out regular pan-European cyber
incident exercises.

9. European Union Agency for Network and Information Security www.enisa.europa.eu 9
Achieving Cyber Resilience (2 of 2)
• Specifically in terms of raising awareness, the Commission
asks ENISA to:
– Propose in 2013 a roadmap for a "Network and
Information Security driving licence".
– Support a cybersecurity championship in 2014, where
university students will compete in proposing NIS
solutions.

10. European Union Agency for Network and Information Security www.enisa.europa.eu 10
European Cybersecurity Month 2013
http://cybersecuritymonth.eu/

11. European Union Agency for Network and Information Security www.enisa.europa.eu 11
Developing Resources
• There is a risk that Europe becomes excessively dependent
on ICT and on security solutions developed outside its
frontiers.
• Hardware and software components used in critical
services and infrastructure must be trustworthy, secure
and guarantee the protection of personal data.
• In order to mitigate this risk, the strategy proposes two
action areas:
– Promoting a Single Market for cybersecurity products
– Fostering R&D investments and innovation

12. European Union Agency for Network and Information Security www.enisa.europa.eu 12
Single Market for Products
• A high level of security can only be ensured if all in the
value chain make security a priority.
• The strategy aims to increase cooperation and
transparency about security in ICT products:
– It calls for the establishment of a platform to identify
good cybersecurity practices across the value chain.
• COM will support the development of security standards
and assist with EU-wide voluntary certification schemes.
– Cloud computing and data protection.
– critical economic sectors - Industrial Control Systems,
energy and transport infrastructure.

13. European Union Agency for Network and Information Security www.enisa.europa.eu 13
R&D and Innovation
• R&D should fill technology gaps in ICT security and prepare
for the next generation of security.
• The Horizon 2020 Framework Programme for Research and
Innovation will be launched in 2014:
– There are specific objectives for trustworthy ICT as well
as for combating cyber-crime.
• Specific attention will be drawn at EU level to optimising
and better coordinating various funding programmes

14. European Union Agency for Network and Information Security www.enisa.europa.eu 14
Developing Resources
• The Commission asks ENISA to:
– Develop, in cooperation with relevant stakeholders,
technical guidelines and recommendations for the
adoption of NIS standards and good practices in the
public and private sectors.
– Collaborate with Europol to identify emerging trends
and needs in view of evolving cybercrime and
cybersecurity patterns so as to develop adequate digital
forensic tools and technologies.

15. European Union Agency for Network and Information Security www.enisa.europa.eu 15
Further Involvement of ENISA
• Although ENISA is not explicitly mentioned in the other
strategic priorities, there is clearly a role for the Agency.
• The EU Internal Security Strategy explains how ENISA
should collaborate with the recently established EU Cyber
Crime Centre.
• We have a role in creating a strong culture of NIS
throughout the EU.
• This can only be achieved by bringing communities
together and ensuring that information on NIS is shared
between such communities in an appropriate manner.

16. European Union Agency for Network and Information Security www.enisa.europa.eu 16
Concluding Remarks
• Complex ICT systems keep our economies running in key sectors
such as finance, health, energy, etc.
• Many business models are built on the uninterrupted availability
of the Internet and the smooth functioning of information
systems
• EC Recognises the importance of ICT in contributing to EUs
economic growth and its role as a critical resource for all
economic sectors
• ENISA is already well established and
contributing in many of the areas
described in the EU proposal for an
EU cybersecurity strategy.

17. www.enisa.europa.eu
Follow ENISA:
European Union Agency for Network and Information Security
Thank you.
Graeme Cooper, Head of Public Affairs Unit, ENISA
ENISA
European Union Agency for Network and Information Security
Science and Technology Park of Crete (ITE)
Vassilika Vouton, 700 13, Heraklion, Greece
Athens Office
1 Vass. Sofias & Meg. Alexandrou
Marousi 151 24, Athens, Greece