BSA Survey of EU Cybersecurity Laws Identifies Gaps in Member States’ Cyber-Preparedness
March 2015 by BSA (Business Software Alliance)
A first-ever analysis of cybersecurity laws and policies in Europe finds gaps and fragmentation in Member States’ cyber preparedness.
The report, released by BSA | The Software Alliance, evaluates national laws, rules and policies in all 28 EU Member States against 25 criteria deemed essential for effective cybersecurity protections. It is intended to give EU Member States an opportunity to evaluate their countries’ policies against key metrics, and it maps a way forward by outlining the key building blocks for a strong cybersecurity legal framework.
“There is an uneven landscape when it comes to cyber protections across Europe. Most Member States acknowledge cybersecurity to be a priority, yet inconsistencies in their approach leave the entire Single Market vulnerable to threats,” said Thomas Boué, BSA’s director of policy – EMEA. “The Network and Information Security Directive could help to establish a stronger foundational level of cybersecurity and cyber resilience if it focuses on aligning the preparedness of Europe’s most critical infrastructure and introduces harmonized reporting and information sharing processes throughout the Single Market.”
Among the key findings of the report:
• Most EU Member States recognize cybersecurity to be a national priority – particularly with regard to critical infrastructure.
• Considerable discrepancies exist between Member States’ cybersecurity policies, legal frameworks and operational capabilities, resulting in notable gaps in overall cybersecurity protections in Europe.
• Nearly all EU Member States have established incident response teams to address cyber incidents; however, the mission and experience of those entities vary.
• There is a worrying lack of systematic public-private cooperation and collaboration on cybersecurity between EU governments and non-governmental entities and international partners.
• The report finds that France has had a national cybersecurity strategy in place since 2011, although it has a strong focus on defence and national security issues. The National Agency for the Security of Information Systems (ANSSI) is a well-established authority dedicated to information security and is integrated with the country’s computer emergency response team, CERT-FR. The cybersecurity strategy contains recommendations for closer cooperation with the private sector, but this has not been significantly developed. ANSSI has published sector-specific security measures, making France one of the few EU countries to adopt such a targeted approach to managing cybersecurity.
The report encourages EU Member States to focus on four key elements of a strong legal cybersecurity framework:
• Construct and maintain a comprehensive legal and policy framework based on a national cybersecurity strategy that is complemented by sector-specific cybersecurity plans.
• Establish operational entities with clear responsibilities for operational computer security, emergency and incident response.
• Engender trust and work in partnership with the private sector, NGOs and international partners and allies.
• Foster education and awareness about cybersecurity risk and priorities.
At the same time, the report cautions European governments to avoid unhelpful protectionist regimes that can undermine, rather than improve, cybersecurity protections. Specifically, Member States should:
• Avoid unnecessary or unreasonable requirements that can restrict choice and increase costs including unique, country-specific certification or testing requirements; mandates for local content; requirements to disclose sensitive information, such as source code or encryption keys; and restrictions on foreign ownership of intellectual property.
• Refrain from manipulating standards, instead supporting industry-led, internationally recognized technical standards.
• Avoid data localization rules and ensure the free flow of data across markets.
• Steer clear of preferences for indigenous technologies which obstruct foreign competition and harm global innovation.
The full 28-country report, as well as detailed summaries for each EU Member State, are available at www.bsa.org/EUcybersecurity.