EU Commission wants a coordinated response to large-scale cyber attacks
An EU Commission blueprint is intended to ensure an effective and efficient response to large-scale cyber incidents and improve crisis management.
The EU Commission presented a plan on Monday to improve the EU's response to large-scale cyber attacks. With the proposal for a recommendation to the Council of Ministers, the Commission wants to update the existing EU framework for crisis management in the area of cyber security. It also aims to provide an overview of the relevant EU actors from civilian and military bodies, including NATO, and their roles. This should make it possible to predict cyber incidents more accurately and to mitigate and contain them as far as possible. The Commission wants to create the necessary capacities and instruments for this.
"A large-scale cybersecurity incident can cause a level of disruption that exceeds the response capacity of a Member State or have a significant impact" on several EU countries, the Commission explains in the draft. An escalation into a genuine crisis is conceivable, "affecting the proper functioning of the internal market or leading to serious risks to public security". Effective crisis management is therefore crucial for maintaining economic stability and protecting European governments, critical infrastructure (Kritis), citizens and companies. Such an approach also contributes to international security and stability in cyberspace.
"A comprehensive and integrated approach to crisis management should be promoted across all sectors and levels of government," the document states. If cybersecurity incidents are part of a broader hybrid campaign or crisis, the relevant stakeholders should support efforts to develop a unified picture of the situation across multiple sectors.
Comprehensively securing digital infrastructure
The security of critical digital infrastructure in particular is of fundamental importance for the resilience of the economy, society and defense, the Commission states. Companies in this sector, such as submarine cable operators, must take measures to protect the physical and environmental security of network and information systems. It is important to take into account "all risks such as system failures, human error, malicious acts or natural phenomena" and to report incidents immediately. Just last Friday, the executive body presented its own action plan for the protection and faster repair of pipelines on the seabed.
According to the initiative, "close cooperation between public and private entities, including manufacturers and open source developers, is needed to better protect companies in other critical areas such as energy, transport, health and financial services". This must be based on trust and clear procedures for the exchange of information and coordination. One key measure is the operation of a public and secure European DNS resolver service. In order to increase the resilience of other critical components such as the routing system, it is important to implement best practices and the latest available standards in a timely manner.
End-to-end encrypted communication solution required
According to the Commission, EU institutions should also "agree on an interoperable set of secure communication solutions for relevant actors" by the end of 2026. This must cover the entire spectrum of required communication modes such as voice, data, video conferencing, messaging, collaboration and document exchange. The solutions should reflect "key principles such as security interests, technological sovereignty and confidentiality". They should offer features such as user-friendliness, integrated security, certification by European information security authorities, end-to-end encryption, authentication, availability and post-quantum cryptography.
According to the plan, more coordination is also needed to detect malicious activity in increasingly complex global supply chains. This is particularly relevant for areas in which the EU relies on technology from high-risk suppliers that are subject to the jurisdiction of a third country such as China. In such jurisdictions, information about software or hardware vulnerabilities has to be reported to the authorities before their potential exploitability becomes public knowledge. The member states and relevant institutions should also "develop an efficient continuous cycle of cyber exercises".
The project builds on existing frameworks such as the EU cyber diplomacy toolbox, Kritis regulations and the new cyber solidarity law. Commission Vice-President Henna Virkkunen, responsible for technological sovereignty, sees the recommendation as a "decisive step towards strengthening our collective cyber resilience".
(vbr)