Palo Alto Networks welcomes the European Commission’s release on 16 December of a set of proposals related to cybersecurity, including a new cybersecurity strategy and a proposal for revision of the Directive on Security of Network and Information Systems (NIS 2). The European Commission recognises that cybersecurity is essential to economic activity and growth, as well as to user confidence in online activities. It also understands that bold steps are needed to ensure that Europeans can securely benefit from innovation, connectivity and automation.
These documents are the result of extensive consultations with stakeholders and come at a critical time. Much has changed since the original NIS Directive was negotiated in 2016, and since the last major set of cybersecurity strategy and legislative proposals was released by the European Commission in 2017. All sectors of the EU’s economy continue to become more digitally dependent and interdependent. Key changes include:
These and other changes have increased the level of critical risk to governments and industry. At the same time, cyber-threats continue to evolve and become more automated and sophisticated, with adversaries unfortunately taking advantage of the global health crisis to launch a plethora of COVID-19-themed cyberattacks in 2020.
We will be carefully reviewing this package of proposals in more detail in the coming weeks, but there are a few aspects worth commending based on an initial assessment.
The new cybersecurity strategy includes a range of proposals to improve cyber resilience both in the EU and externally. The European Commission’s proposal to build a network of Security Operations Centres (SOCs) across the EU that would leverage artificial intelligence (AI) and machine learning to improve threat and incident detection, analysis and response speeds is important and timely. Trying to prevent successful cyberattacks manually, with an ever-scarcer specialised workforce and a volume of daily alerts that overwhelms security teams, makes the automation of SOCs inevitable.
We also support the objectives and actions on 5G security, which will be imperative to help mitigate new risks stemming from the growing attack surface that 5G network infrastructures will create. We particularly appreciate the call for ENISA and Member States to work with all stakeholders to better understand new 5G security technologies and capabilities as well as threats. The strategy’s 5G security proposals build upon related activities in the EU, including the EU’s 5G Toolbox of Risk Mitigating Measures and the latest ENISA publication, 5G Supplement to the Guideline on Security Measures under the EECC of 10 December 2020, which acknowledges that the new technologies 5G relies on, such as network virtualisation, network slicing and edge computing, are prone to specific vulnerabilities that may require additional security controls.
We appreciate the proposal to further develop Europol’s role as the centre of expertise on cybercrime to support national law enforcement authorities, as well as the increased funding and mandate for CERT-EU. Both entities play critical roles in supporting cybersecurity efforts throughout the EU. The focus on improving the cybersecurity of EU institutions, bodies and agencies will be important to shield these organisations from cyberattacks.
Finally, we commend the emphasis on the EU’s international cooperation, such as via cyber diplomacy in international relations, increased bilateral dialogues on cybersecurity, and cyber capacity-building in third countries. Cybersecurity threats are global, and effective policies to counter them also must be global.
Throughout the strategy, the Commission reinforces the importance of cooperation with the multi-stakeholder community, notably by regular exchanges with the private sector, academics and civil society. This approach is welcome and will be essential to developing these proposals that we have highlighted – and others – effectively.
As the Commission stated upon publishing the draft NIS 2, the original NIS Directive paved the way for significant changes in mindset and institutional and regulatory approaches to cybersecurity in many EU Member States. The proposed NIS 2 has a number of important elements.
We support the effort to update and strengthen the NIS Directive’s cybersecurity risk management requirements with a list of focused measures. The emphasis on incident prevention, detection and response; risk analysis and information system security policies; internationally accepted risk management standards; cybersecurity governance and supply chain security are important and useful additions. Like their peers around the world, EU governments want more assurance regarding the integrity of the information and communications technologies (ICT) products and services that they, and the critical infrastructure entities in their countries, procure and use. The draft provides a very constructive approach for supply chain risk management – guiding entities to consider the cybersecurity practices of their suppliers, including secure development practices – and we encourage EU co-legislators to further build on these proposals, such as by promoting transparency in how companies manage risks to their supply chains and how ICT vendors, including in the 5G and IoT space, can demonstrate adherence to best practices.
We also support the intention to prepare secondary guidance on these security requirements. It is important to clearly inform businesses of the steps they can take to manage their cybersecurity risks. Our experience to date is that many companies do not know how compliant they are with NIS, nor even what criteria they should assess themselves against. Guidance will be crucial to ensuring consistent implementation of NIS 2, as well as to meeting the European Commission’s goals to improve and align the security requirements across Europe. It will be important to involve stakeholders in the development of this guidance.
NIS 2 seeks to promote voluntary cyberthreat information sharing by directing Member States to ensure that entities covered by NIS 2 can share cyberthreat information among themselves to improve cybersecurity. European policymakers have long acknowledged the value of voluntary cyberthreat information sharing in understanding threats, protecting information and networks, and preventing successful cyberattacks. Leveraging the NIS Directive to promote more sharing and to address barriers that might preclude organisations from participating in voluntary threat-sharing relationships is very welcome.
Finally, we would like to highlight the proposal related to domain names and registration data (WHOIS data). Maintaining accurate and complete databases and providing lawful access to such data – in compliance with EU data protection law insofar as it is related to personal data – is essential to ensure the security, stability and resilience of the Domain Name System (DNS). WHOIS data plays a strong role in facilitating cybersecurity research, threat detection, analysis and mitigation, which in turn contributes to a high common level of cybersecurity within the EU.
These are only some of the many important policies and activities proposed in the European Commission’s cybersecurity package. We commend the European Commission for continuing to take steps to improve cybersecurity in the EU. As the European Commission stated in the new strategy, the EU’s economy, democracy and society depend more than ever on security, reliable connectivity and digital tools. Palo Alto Networks looks forward to examining these proposals closely and providing more detailed analysis, and to working with the European Commission, European Parliament and European Council in the coming months to help them refine these proposals to best realise the goal of improving the EU’s cybersecurity.
Sebastian Gerlach is senior director, EMEA Policy, for Palo Alto Networks.