Cybersecurity for Micro, Small & Medium Enterprises
The Key Players for EU cybersecurity ENISA – European Union Agency for Cybersecurity
Established in 2004 by the EU regulation 460/2004 (repealed by Regulation (EU) No 526/2013), ENISA is one of the many agencies of the European Union and it is tasked with the important responsibility to foster an EU-wide culture of IT security, digital proficiency, cyber-resilience and cyber-readiness. The information and security network that the agency contributes to is designed for the benefits of EU societies as a whole, with reference to citizens, businesses, public sector and labour market. Since its formal establishment, and following the Cybersecurity Act, ENISA’s role is to assist the European Commission, Member States and the EU communities in embracing and adopting the newest cybersecurity standards in view of present and future threats. ENISA – organisation and constituent bodies
As per Regulation (EU) 2019/881, ENISA is composed by the following bodies: • Management Board: it ensures the agency’s compliance with its statue and founding regulation • Executive Board: it represent the decision-making body and instructs the management board on decisions to be adopted • Executive Director: the ED manages the agency and he/she’s responsible for his/her duties independently • National Liaison Officers Networks: the NLOs bridges and mediate the communication between the agency and each member state • Advisory Group: it includes an external group of experts that sustains ENISA in the planning and development of work programmes, STKH management and strategic objectives • Ad hoc working groups: the ED selects external experts to tackle specific scientific/technical matters (i.e., draft and consolidation of a multinational scale assessment) ENISA – areas of interest
ENISA’s areas of interest are many, but they can be essentially broken-down into 7 main clusters of activities: • Empowering Communities – ENISA brings together national and international STKH that are of relevance for cybersecurity and enhances their synergies so as to upscale more easily new cybersecurity models • Cybersecurity policy – ENISA provides for evidence-based qualitative and quantitative phenomena that can better inform new policies on IT, innovation and development • Operational Cooperation – ENISA strengthen the axis between the many socio-economic actors that can have an impact (or are impacted by) new ground breaking development in the domain of ICT, and most importantly, cybersecurity. • Capacity Building – ENISA provides for user friendly and intuitive on cybersecurity at free disposal for all citizens, and/or private businesses • Trusted Solutions – ENISA monitors and evaluates new digital products and services tackling cybersecurity solutions for societies, markets and economies • Foresight – ENISA contributes to develop new mitigations strategies the exposure of EU societies and economies to cyberthreats • Knowledge – ENISA represent a vibrant hub for professionals and experts to exchange best practices
why you should care about ENISA?
As a formal representative of the private sector, why should you even bother with ENISA? • First or all, if there is any new horizon in the landscape of cybersecurity, ENISA will represent your most comprehensive source of information. No other platform has many resources as ENISA to get a better “grasp” on cybersecurity-related phenomenon at EU level
• In second stance, ENISA provides for users (i.e., business owners) a large set of resources to strengthen and foster their comprehension of cybersecurity and their own cyber-resilience/awareness/responsiveness such as crisis simulation, tools and training materials, reports and studies
Please, take your time to explore the platform and familiarize with all available resources. ESCO – European Cybersecurtiy Organisation
The European Cybersecurity Organization (ESCO) is among the top EU stakeholders in the domain of IT security and cyber-readiness. The main goal of the organization remains to promote an EU-ecosystem devoted to foster research and awareness in the domain of cybersecurity. • ESCO is a privileged partner of both the European Commission and ENISA, bridging private an public institutions operating at international and national level • ESCO supports the implementation of key cybersecurity strategies aimed at sustain the “cyber-transition” of public and private organizations • ESCO assists EU bodies and agencies in developing new policies and recommendations that find application at national level ESCO´s areas of interest
ESCO’s areas of interest are allocated to specific working groups (WG): • WG1 – Standardization, certification and supply chain management • WG2 – Market deployment, investments and international collaboration • WG3 – Cyber resilience of economy, infrastructures and services • WG4 – Support to SMEs, coordination with countries and regions • WG5 – Education, training, awareness and cyber ranges • WG6 – SRIA and cybersecurity technologies More in general, ESCO tackles all transversal domains of references to help the emergence of a robust EU-spread cybersecurity culture.
Further support material from ESCO
Each WG is responsible for the publication and promotion of an extensive number of reports providing for numerous useful information. ESCO’s analysis are robust and reliable, users can access them for free and gain some really useful insights and the many different interest areas tackled by ESCO. Please, feel free to navigate the Publications section as well as all the other activities carried out by the organization. EU policies and programmes for cybersecurity EU cybersecurtiy strategy
On December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy launched the new EU’s Cybersecurity Strategy for the Digital Decade (2019-2024). The strategy represent a key component of three other EU long-term priorities (Shaping Europe's Digital Future, the Recovery Plan for Europe and the EU Security Union Strategy) responding to the need of fostering technological readiness and competitiveness of EU societies and economies. EU’s cyber resilience is at the very core of the new cybersecurity strategy and allows EU’s Member States to adopt, embrace and implement new performance standards to guarantee a safe digital environment for their citizens and businesses. The strategy rests on three key pillars: resilience, operational capacity, international cooperation
RESILIENCEResilience, technological sovereignty and leadership is the very first strand of the new cybersecurity strategy. With that, the European Commission wants to promote new quality standards for the security of IT networks of critical national infrastructures and services such as financial and public health systems. Of particular interest is the education and training dimension as under this pillar the European Commission foreseen dedicated support measures to SMEs and private organisations such as: • Research and innovation
• Workforce upskilling
• Nurturing of new cybersecurity talents
OPERATIONAL CAPACITYBy operational capacity we mean the adequacy and effectiveness of EU’s Members States in assessing, preventing/discouraging and responding to cyberthreats. In that sense, both the European Commission and the High Representatives remarks with particular emphasis the primary objective to safeguard from malicious attacks all critical infrastructures of modern societies and ones impacting of democratic processes, supply chains infrastructures, etc. New transnational capacity building programmes are also encouraged among Member States as one of those instrumental means to build a new EU cyber ecosystem.
INTERNATIONAL COOPERATIONA renewed strategy on cybersecurity will be tackled and implemented in cooperation with international stakeholders in view of a global stability. The European Commission plans to intensify the dialogue with third countries and large international organizations that can be of paramount support to establish a global community-centered agenda for IT security. These groups of interest will represent the institutional partners of the European Commission throughout this unprecedented 7-year programming of actions and support means. The NIS Directive
The NIS directive is one of the most important piece of legislation regulating for a high common level of cybersecurity and information system across the European Union. Adopted in 2016, the directive gives each Member State certain degrees of “autonomy” for its application at national level, in consideration of specific circumstances and contextual factors. Citizens can monitor the status of implementation of the directive by consulting the state-of-play of its transposition.
The pillars of NIS directive• NATIONAL CAPABILITIES
EU’s Members States are required to develop certain standards of cybersecurity performance in terms both of capabilities and support networks (i.e., National CSIRT - Computer Security Incident Response Team). • CROSS-BORDER COLLABORATION EU’s Member States are required to establish robust and long-term institutional collaborations with external parties of interest such as CSIRTs and the NIS cooperation group – of which ENISA is a part of. • NATIONAL SUPERVISION OF CRITICAL SECTORS EU’s Member States are required to perform in-depth ex-post and ex-ante supervision of the cyber-readiness of critical services and infrastructures.
At the beginning of 2021, the European Commission launched the proposal to revise the NIS directive as a way to address concretely the new wave of cyberthreats that impacted global markets and societies in the last few years. Cyber-attacks, besides being among the fastest-growing form of crime worldwide, are also growing in scale, cost and sophistication. The latest forecast is that global ransomware damage costs would reach US$20 billion by 2021, 57 times more their amount in 2015 […] Given the growing number and cost of cyber-attacks, spending on information security is also increasing worldwide. The global security market is currently worth around US$150 billion, a figure that many predict will rise to US$208 billion in 2023 and US$400 billion in 2026. Source: European Parliament, the NIS2 directive At the moment, the NIS2 directive is going through the ordinary policy making process of EU institutions (an on-going revision of carried out by influential groups of interest and policy makers). Shaping Europe´s digital future
The EU’s strategic programme for the 2019-2024 period includes six main priorities (i.e., “pillars”): • A European Green Deal • A Europe fit for the digital age • An economy that work for people • A stronger Europe in the world • Promoting our European way of life • A new push for European democracy Specific sub-actions are envisioned for each one of these pillars, cybersecurity falls under A Europe fit for the digital age for both pillar’s strands: Shaping Europe’s digital future and Europe’s Digital Decade: digital targets for 2030. Support for research and innovation
Research, innovation and IT development in the field of cybersecurity is a top concern of the Horizon Europe programme for the period 2021-2027 – the largest EU programme for research and innovation with a total budget of €95.5 billion Cybersecurity falls under the cluster of Civil Security for Society, along with disaster-resilient societies, protection & security. Projects under this strand of co-financing are expected to meet one (or more) of the following impacts (pp. 114-115 of the guide): • Strengthened EU cybersecurity capacities and European Union sovereignty in digital technologies • More resilient digital infrastructures, systems and processes • Increased software, hardware and supply chain security • Secured disruptive technologies • Smart and quantifiable security assurance and certification shared across the EU • Reinforced awareness and a common cyber security management and culture Support for capacity building
Cybersecurity represents a major area of interest of the DIGITAL Europe Programme. The programme tackles both the need of new and technologically advanced infrastructures, skill-gaps and human development of professionals deployed in the sector. Concrete objectives are as follows: • advanced cybersecurity equipment, tools and infrastructures, together with Member States
• knowledge, capacity and skills related to cybersecurity, best practices
• deployment of effective cybersecurity solutions, paying special attention to public authorities and SMEs
• capabilities within Member States and the private sector in support of the NIS Directive
• resilience, risk-awareness, at least basics levels of cybersecurity
• enhancing synergies and coordination between stakeholders and policy makers
Source: Cybersecurity in the DIGITAL Europe programme – Operational Objectives Key takeaways
• ENISA – EU agency tasked with the role to foster an EU-wide culture of IT security, digital proficiency, cyber-resilience and cyber-readiness
• ESCO – EU key player tasked with the role to promote an EU-ecosystem devoted to foster research and awareness in the domain of cybersecurity
• EU cybersecurity strategy, three key pillars: resilience, operational capacity, international cooperation
• NIS directive, three key pillars: national capabilities, cross-border collaboration, national supervision of critical sectors
• Research and innovation: Horizon EUROPE Capacity building: Digital EUROPE |
EU, Institutions, Policy Making, Policy Makers, NIS, ENISA, ESCO
Objectives/goals• to mainstream and showcase what are the current and future horizons for cybersecurity at EU level in terms of policies and programmes, strategies and legislations
• to provide an overview on institutional setting of relevance (i.e. what is ENISA and what do they do?) and supporting networks
In the context of this module, readers have the opportunity to familiarise with sources and resources from EU institutions to remain updated on latest trends on cybersecurity, scale and scope of cyber hygiene domain in EU, training and education opportunities, evidence-based support material, new emerging dynamics on cybersecurity that are of relevance for businesses and organisations.