As Europe becomes increasingly digital, we need to make sure our security is guaranteed also in the cyber domain.

We are in the middle of hybrid warfare. Every day, critical infrastructure in Europe is affected by cyber-attacks.

These operations span espionage, prepositioning, ransomware and disruptive operations.

They are often part of wider hybrid campaigns – combined with information operations or physical disruptions such as violations of our airspace or sabotage of critical infrastructure.

We have assessed our digital security environment and are proposing updates to our cybersecurity legislation to ensure that citizens, businesses, and our society remain secure. Specifically, we are today proposing four improvements:

  • First, by ensuring that we have a strong EU Agency for Cybersecurity, ENISA; 
  • Second, by ensuring that we have processes in place for derisking our ICT supply chain, while strengthening European critical infrastructure; 
  • Third, by ensuring that we have a lean and efficient certification system that will make sure businesses operating in the EU market and our consumers can trust that the products they use are secure by design;
  • And last but not least, with the proposal for the Directive amending the NIS2 Directive - simplifying compliance with our cybersecurity rules for businesses.

With today's proposal, we are making sure that the EU Agency for Cybersecurity, ENISA, is equipped to carry out all new tasks reflecting a changing security environment.

ENISA will continue to support Member States in collaboration with national cybersecurity agencies to meet our common security challenges. ENISA will serve as:

  • A single entry point for incident reporting;
  • Producer of early alerts of cyber threats; and
  • Provider of a help desk, in cooperation with Europol and CSIRTs, to support companies in responding to and recovering from ransomware attacks.
  • ENISA will also be tasked to develop a common Union vulnerability management service capacity and provide vulnerability management services to stakeholders.

Moving on to the second part of our proposal. In the recently adopted Joint Communication on strengthening EU economic security, the Commission has highlighted a number of areas where dependencies on a single or a limited number of suppliers could pose a significant security risk.

We are turning the 5G Cybersecurity Toolbox into a mandatory approach to ensure a level-playing field and non-fragmentation of the EU market.

Together with Member States, we will identify which specific components in the ICT supply chain of our critical sectors would require targeted mitigating measures. We propose a range of possible derisking measures, including restrictions for high-risk suppliers.

A few weeks ago, we proposed key simplification measures for cybersecurity under the Digital Omnibus.

Our proposal included a single-entry point for incident notifications. With the Cybersecurity Package, we are making it even easier to implement and comply with our rules. Notably, we propose targeted amendments to the NIS2 Directive to:

  • Clarify certain aspects regarding the scope and definitions. This will improve legal clarity and remove compliance burden for almost 30 000 companies, including over 6 000 micro- and small-sized enterprises;
  • We introduced a new category of small mid-cap enterprises that will reduce the compliance costs for over 22 000 companies;
  • Finally, we aim to add measures to streamline the collection of data on ransomware attacks.

When it comes to certification, we already have a system in place, which unfortunately has not produced the expected results.

We need a framework that is more dynamic, more straightforward and more efficient. ENISA will be managing the certification schemes and making sure that standards are as global as possible.

The renewed European Cybersecurity Certification Framework will unleash the potential of cybersecurity certification and contribute to ensuring that products and services are secure-by-design.

Used as a compliance tool, the certification will allow for a major simplification effort for EU companies, to more easily demonstrate compliance across the whole internal market with requirements from the NIS2 Directive.

In today's world, everything is digitised and all our daily lives are dependent on safe and functional information networks. Cybersecurity has gained greater importance and become an integral part of our comprehensive security.

We need to equip ourselves with robust and efficient cybersecurity tools that allow for seamless cooperation across the EU. Because a cyber threat to one Member State is a threat to all.