Address cyber crime
The fight against cybercrime requires the collaboration of many actors and communities to be successful. In this respect, it is important to address and counter the rise of cybercrime and to prepare a concerted and coordinated response with relevant stakeholders.
Where it is suspected that an incident is related to serious criminal activities under Union or national law, Member States should encourage essential and important entities, on the basis of applicable criminal proceedings rules in accordance with Union law, to report incidents of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data protection rules applying to Europol, it is desirable that coordination between the competent authorities and the law enforcement authorities of different Member States be facilitated by the European Cybercrime Centre (EC3) and ENISA.
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Directive - 2022/2555 - EN - EUR-Lex, Recital (107)
Address the cybersecurity skills gap
Cyber security is a continuously changing topic that requires constant training and education. Promoting and developing education and training on cybersecurity and cybersecurity skills development, aimed at citizens, stakeholders and entities is also a requirement of NIS2 Directive that needs to be incorporated into the National Strategies of the EU MS. The development of cybersecurity skills refers to the process of acquiring and enhancing the knowledge, abilities, and expertise needed to protect networks, systems, and data from cyber threats. This involves training individuals in various technical, operational, and strategic areas of cybersecurity to ensure they can effectively prevent, detect, and respond to security incidents.
Based on the European Commission communication on Cybersecurity Skills Academy, Member States should adopt, as part of their national cybersecurity strategies, specific measures in view of mitigating the cybersecurity skills shortage, identifying and better channeling efforts to close the skills gaps and ultimately ensuring a proper implementation of their obligations under the NIS2 Directive.
Communication on the Cybersecurity Skills Academy | Shaping Europe’s digital future
Directive - 2022/2555 - EN - EUR-Lex Art7, 2(f)
Balance Security with Privacy
A cyber security strategy should seek the right balance between these two concepts. Moreover, the European Commission has provided the regulatory tools to support the Member States in facing this challenge. For this reason, every Member State should take the privacy rights of its citizens seriously into account. Finally, privacy is a horizontal issue that cuts across most of the activities relevant to a cyber security strategy.
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Develop Crisis Management Frameworks
Crisis management is defined as ‘an institutional and organisational design process’, a ‘[broad] structure [that] encompasses decision-makers [with specific roles and actions]’. In general terms, crisis management is understood as ‘making and effecting difficult decisions under difficult circumstances’. With NIS2, MS have to develop a specific framework for cyber crisis management, including processes for business continuity and disaster recovery, and designate or establish one or more competent authorities responsible for the management of large-scale cybersecurity incidents and crises (cyber crisis management authorities). Member States shall ensure that those authorities have adequate resources to carry out, in an effective and efficient manner, the tasks assigned to them. Member States shall ensure coherence with the existing frameworks for general national crisis management.
However, because cyber crises tend to have a transboundary nature, any cyber crisis management framework must remain part of an overarching crisis management framework for overall coherence. This overarching crisis management framework is an integral part of the cybersecurity strategy and it sets the structures for preparing for, responding to and recovering from major incidents that involve critical infrastructure.
In addition, MS should organise regular exercises and crisis management simulations as part of their preparedness processes to respond to large-scale cyber crises, which often have a cross-border nature.
Organising Exercises and Simulations: National cybersecurity strategies should incorporate regular cybersecurity exercises to test emergency plans, identify vulnerabilities, and improve sector cooperation. These exercises foster resilience by simulating real-world threats, from cyber-attacks to natural disasters, and ensure that national response teams can effectively coordinate across sectors and borders.
References
https://www.enisa.europa.eu/publications/ccc-study
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng Art9
Engage in international cooperation
Engaging in cooperation and information sharing with partners abroad is important to better understand and respond to a constantly changing threat environment. Given the importance of international cooperation on cybersecurity, the CSIRTs should be able to participate in international cooperation networks in addition to the CSIRTs network established by the NIS2 Directive.
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Directive - 2022/2555 - EN - EUR-Lex Recital 45, art 11 (1)
Enhance Incident Preparedness and Response
Incident Preparedness and Response (IPR) is a critical strategic objective that focuses on establishing frameworks, protocols, and cooperation mechanisms to effectively manage and mitigate cybersecurity incidents. This objective encompasses a proactive approach to cybersecurity threats, integrating key activities such as incident handling, reporting, analysis, and response coordination at national and international levels. Central to IPR is the role of national/governmental CSIRTs (Computer Security Incident Response Teams), which serve as the main coordinating bodies for incident management, ensuring collaboration among public and private sector stakeholders. The strategy should identify the measures ensuring preparedness for, responsiveness to and recovery from incidents, including cooperation between the public and private sectors.
Directive - 2022/2555 - EN - EUR-Lex Recitals (4, 28, 94, 102, 116), Art 21
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Establish a CVD Policy
A Coordinated Vulnerability Disclosure (CVD) process needs to be established in line with Article 12(1) of NIS2 Directive, outlining a structured approach for reporting vulnerabilities to manufacturers or service providers. This process should allow them to diagnose and address the vulnerabilities before any detailed information is disclosed to third parties or the public.
Member States, in cooperation with ENISA, must develop and implement a national policy to facilitate CVD. This policy should provide a clear framework for managing vulnerability reports effectively. Additionally, the challenges faced by vulnerability researchers, particularly regarding potential criminal liability under national law, need to be addressed as part of the policy.
Given that vulnerability researchers may be exposed to criminal or civil liability in some jurisdictions, Member States are encouraged to adopt protective guidelines. These should include measures to prevent the prosecution of information security researchers and to provide exemptions from civil liability for their research activities. This will help foster a secure environment for vulnerability research, ultimately enhancing the cybersecurity posture of the nation.
Directive - 2022/2555 - EN - EUR-Lex Recitals (58, 60), Art7
Art19, art.21
Establish cybersecurity risk-management measures
Member States must ensure that essential and important entities take suitable steps to protect the security of the systems they use for operations or service delivery. These steps should reduce risks and minimize the impact of incidents on their services and their users.
Member States should promote the integration of relevant advanced technologies aiming to implement state-of-the-art cybersecurity risk-management measures. The measures should be based on the latest technology and relevant European or international standards, considering the cost of implementation. They must provide a level of security that matches the risks faced by the entity. When deciding on the right measures, factors such as the entity’s risk exposure, size, and the potential severity of incidents, including their wider impact, should be taken into account.
Directive - 2022/2555 - EN - EUR-Lex, Art7 2(e), Art 19 1(a), Art 21
Establish incident reporting mechanisms
Member States need to establish incident reporting mechanisms and ensure that essential and important entities report significant incidents without undue delay to their CSIRTs or, where applicable, to the competent authorities, as defined in NIS2. This includes incidents that have a major impact on the provision of their services. If necessary, these entities must also notify their service users about incidents that are likely to adversely affect the delivery of services. Member States must also ensure that entities provide sufficient information to help the CSIRT or competent authorities assess the potential cross-border impact of the incident. In addition, if an entity reports a significant incident to the competent authority, the Member State must ensure that the authority forwards the notification to the CSIRT without delay.
In the case of cross-border or cross-sector incidents, Member States must ensure that their single points of contact receive the relevant information in a timely manner.
Directive - 2022/2555 - EN - EUR-Lex, Art 23
Establish mutual assistance processes
Member States shall establish mutual assistance processes. When an entity operates in multiple Member States or has systems located in different Member States, the authorities involved must cooperate and assist each other as needed. This includes informing and consulting each other about any supervisory or enforcement actions taken; one authority can request another to take specific supervisory or enforcement actions; and authorities must assist each other by providing support proportionate to their resources, to ensure effective and consistent measures.
The assistance can include information sharing, inspections, or audits. Authorities may refuse assistance only if they lack competence, if the request is disproportionate, or if it threatens national security or public safety. Before refusing, they must consult with other authorities, and, if needed, with the Commission and ENISA. Member States may also carry out joint supervisory actions by mutual agreement.
Directive - 2022/2555 - EN - EUR-Lex Art.37, Art 19 1(d)
Establish national level risk-assessment
One of the key elements of a cyber security strategy is that Member States need to establish a mechanism to identify relevant assets and perform a national risk assessment, with a specific focus on critical information infrastructures. Risk assessment is a scientifically and technologically based process consisting of three steps: risk identification, risk analysis and risk evaluation. The purpose of the assessment is to coordinate the use of resources and to monitor, control, and minimize the probability and/or impact of unfortunate events that might put at risk the critical services and ultimately the objectives of the vision. Risk assessments can provide valuable information for developing, executing and evaluating a strategy. The assessment can be conducted on different levels. Risk assessment on a national level allows gaining a holistic understanding of risk to the nation as a whole. By carrying out a national risk assessment and aligning the objectives of the strategy with national security needs, it is possible to focus on the most important challenges with regard to cyber security. Sectoral risk assessment allows considering more sector-specific risks to critical infrastructure and service providers. Risk assessment can be conducted by a national authority, sectoral authorities or by operators of CII on different levels.
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Directive - 2022/2555 - EN - EUR-Lex Art 7, 1(d)
Establish trusted information-sharing and mechanisms
Information-sharing among private and public stakeholders is a powerful mechanism to better understand a constantly changing environment. Information-sharing is a form of strategic partnership among key public and private stakeholders. Owners of critical infrastructures could potentially exchange information with public authorities on mitigating emerging risks, threats, and vulnerabilities, while public stakeholders could provide, on a ‘need to know’ basis, information on aspects related to the status of national security, including findings based on information collected by intelligence and cyber-crime units. Combining both views gives a very powerful insight into how the threat landscape evolves. In this sense, Information Sharing and Analysis Centers (ISACs) and public-private partnerships (PPPs) can be an effective tool to pool the expertise and resources of the private and public sector. In addition, as part of their national strategy, Member States shall also include relevant procedures and appropriate information-sharing tools to support voluntary cybersecurity information sharing between entities in accordance with Union law.
https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng, Art7 2(d), Art 19 1(e) and Art 29
Foster Research and Development (R&D) and Innovation
Research and development in cyber security is needed in order to develop new tools for deterring, protecting against, detecting, and adapting to new kinds of cyber-attacks. NIS2 requires MS to support academic and research institutions in developing, enhancing and promoting the deployment of cybersecurity tools and secure network infrastructure.
In addition, Member States should encourage the use of any innovative technology, including artificial intelligence and post quantum cryptography, the use of which could improve the detection and prevention of cyberattacks, enabling resources to be diverted towards cyberattacks more effectively. Member States should therefore encourage in their national cybersecurity strategy activities in research and development to facilitate the use of such technologies, in particular those relating to automated or semi-automated tools in cybersecurity, and, where relevant, the sharing of data needed for training users of such technology and for improving it. The use of any innovative technology, including artificial intelligence, post quantum cryptography, etc., should comply with Union data protection law, including the data protection principles of data accuracy, data minimisation, fairness and transparency, and data security, such as state-of-the-art encryption. The requirements of data protection by design and by default laid down in Regulation (EU) 2016/679 should be fully exploited.
Directive - 2022/2555 - EN - EUR-Lex Art7, 2(g), 2(e), recital 51 on AI
Commission Recommendation (EU) 2024/1101 of 11 April 2024 on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Improve the cybersecurity of the supply chain
Member States shall address the cybersecurity of the supply chain for ICT products and ICT services used by essential and important entities for the provision of their services, as well as strengthen the cyber resilience of small and medium-sized enterprises (SMEs). This entails carrying out coordinated security risk assessments of critical supply chains and taking measures which are state-of-the-art and, where applicable, aligned with relevant European and international standards, to protect network and information systems and the physical environment of those systems from threats, risks and vulnerabilities. It also entails defining baseline security requirements that set the minimum security level with which all organisations should comply. Such requirements can be based on existing security standards or frameworks and good practices widely recognised by the industry.
Moreover, this can also be achieved by establishing strong policies and providing guidelines for cybersecurity requirements in public administration procurement procedures, including in relation to cybersecurity certification, encryption and the use of open-source cybersecurity products.
https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng Art7, 2(a), (b), Art 19 and art 21 1(d)
Promote Active Cyber Protection
Active Cyber Protection (ACP): As part of their national cybersecurity strategies, Member States should adopt policies on the promotion of active cyber protection as part of a wider defensive strategy. Based on NIS2 Directive, ACP involves the prevention, detection, monitoring, and mitigation of network security breaches through both internal and external capabilities. ACP includes tools and services such as self-service checks, detection tools, and proactive measures to enhance the ability to share threat intelligence and improve the overall security posture of the country.
Directive - 2022/2555 - EN - EUR-Lex, art7, 2(j), Recital (57)
CG WS9 paper.
Promote Cybersecurity Awareness and cyber-hygiene on cybersecurity
Cyber security is a continuously changing topic that requires constant user awareness raising. Raising awareness about cyber security threats and vulnerabilities and their impact on society has become vital.
Through awareness-raising, individual and corporate users can learn how to behave in the online world and protect themselves from typical risks. Awareness activities occur on an ongoing basis and use a variety of delivery methods to reach broad audiences.
Security awareness activities may be triggered by different events or factors, which may be internal or external to an organisation. Major external factors could include recent security breaches, threats and incidents, new risks, and updates of security policy and/or strategy. Among the internal factors are new laws, new governments, etc.
Promoting and developing initiatives to raise awareness, as well as offering guidance on good cyber hygiene practices and controls, aimed at citizens, stakeholders and entities, is also a requirement of the NIS2 Directive that needs to be incorporated into the National Strategies of the EU MS. Strengthening the cyber hygiene baseline of small and medium-sized enterprises, in particular those excluded from the scope of the Directive, by providing easily accessible guidance and assistance for their specific needs, shall also be addressed within the National Cybersecurity Strategies of the Member States.
Directive - 2022/2555 - EN - EUR-Lex Art7, 2(f), 2(i)
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Art19, art21
Protect Critical Sectors (included in NCAF as “Protect Critical Information Infrastructure”)
The protection of critical sectors is an integral part of many cyber and information security strategies. Cybersecurity covers a broad spectrum of ICT-related security issues, of which the protection of critical sectors is an essential part. National strategies should include objectives and priorities related to the protection of critical sectors, in particular those referred to in Annexes I and II of the NIS2 Directive. In addition, as part of their national strategy, Member States shall also adopt specific policies related to sustaining the general availability, integrity and confidentiality of the critical sectors, including the public core of the internet and, where relevant, the cybersecurity of undersea communications cables.
https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng, Art7 2(d), Art 19 1(a), Art 21
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Secure digital identity and build trust in digital public services
In February 2020, the Commission set out its vision for the digital transformation of the EU in the communication “Shaping Europe’s digital future”, with the aim of delivering inclusive technologies that work for people and respect the fundamental values of the EU. In particular, the communication states that promoting the digital transformation of public administrations throughout Europe is crucial. In that sense, building trust in government in relation to digital identity and trust in public services is of paramount importance. This is even more crucial when considering the fact that public sector transactions and data exchanges are often of sensitive nature.
NCAF: https://www.enisa.europa.eu/publications/national-capabilities-assessment-framework
Strengthen National Cybersecurity Governance
The cyber security strategy will succeed only if a clear governance framework is in place. A governance framework defines the roles, responsibilities and accountability of all relevant stakeholders. It provides a framework to achieve the objectives and priorities of the strategy and related policies, as well as the effectiveness of the implemented cybersecurity measures, with particular attention to those related to important and essential entities. This framework also offers dialogue and coordination of the various activities undertaken in the lifecycle of the strategy, also underpinning the cooperation and coordination at the national level between the competent authorities, the single points of contact, and the CSIRTs under the NIS2 Directive, as well as coordination and cooperation between those bodies and the competent authorities under sector-specific Union legal acts. In particular, it should include enhanced coordination with the competent authorities under Directive (EU) 2022/2557 for the purpose of information sharing on risks, cyber threats, and incidents as well as on non-cyber risks, threats and incidents and the exercise of supervisory tasks, as well as performing an assessment of the level of capabilities, including the available financial, technical and human resources, and the effectiveness of the exercise of the tasks of the competent authorities (including CSIRTs). A list of the various authorities and stakeholders involved in the implementation of the national cybersecurity strategy should be included.
Directive - 2022/2555 - EN - EUR-Lex Art7, 1 (b), 1(c), Art 19 1(b)
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Strengthen the cyber-resilience and hygiene of private sector, including SMEs
There are different ways in which governments can ensure that businesses implement appropriate security measures. One way is to make certain standards mandatory by law. However, governments can also apply softer steering measures, for example promoting and developing education and training on cybersecurity, cybersecurity skills, awareness raising and research and development initiatives, as well as guidance on good cyber hygiene practices and controls, aimed at citizens, stakeholders and entities. One key objective within the national strategy is to strengthen the resilience of small and medium-sized enterprises (SMEs), in particular those excluded from the scope of the NIS2 Directive, by providing easily accessible guidance and assistance for their specific needs.
https://www.enisa.europa.eu/publications/ncss-good-practice-guide
Directive - 2022/2555 - EN - EUR-Lex Art7 2(f), 2(i)