EU Cybersecurity Dashboard


A Path to a Secure European Cyberspace

BUSINESS SOFTWARE ALLIANCE

CONTENTS

EXECUTIVE SUMMARY ... 1
  Methodology ... 2
KEY FINDINGS ... 4
  Legal Foundations ... 4
  Operational Entities ... 5
  Public-Private Partnership ... 6
  Sector-Specific Cybersecurity Plans ... 6
  Education ... 6
EUROPEAN UNION CYBERSECURITY MATURITY DASHBOARD (2015) ... 8
EUROPEAN UNION CYBERSECURITY COUNTRY SUMMARIES ... 11

EXECUTIVE SUMMARY

The promise of today’s interconnected world is immeasurable. Technology has become integral to virtually every sector of the global economy, including banking, communications and the electrical grid. The benefits that stem from that promise, however, face very real threats.

Attackers — in ever greater numbers and with increasing sophistication — see, in the growing promise of our tech-connected world, opportunities to steal or cause major disruption or destruction by exploiting vulnerabilities. Unfortunately, as technology’s benefits expand and evolve, so too will the threats. Countering those threats and ensuring the resilience of our cyber-enabled systems will require flexibility and an ability to evolve as well.

For governments, protection from cyber-attacks — as well as the ability to both mitigate the harms of any such instances and to address all newly emerging threats — can be found in the cybersecurity policies they adopt and execute. Three elements must be present: the proper legal and policy frameworks along with the appropriate public input and the necessary infrastructure needed to implement those frameworks. Laws, rules, institutions and appropriate structure to facilitate cooperation with relevant stakeholders are the key foundations that support countries, as well as non-governmental actors, in their effort to protect their systems and prevent, mitigate and respond to cyberattacks.

Such policy and legal frameworks and appropriate implementation structures must be stable and clear, but they need also to remain flexible. They must take into account and be able to adjust to the evolving threat environment that is inherent in the technology arena.

The purpose of this report — the first-of-its-kind BSA EU Cybersecurity Dashboard — is to provide government officials in each of the EU Member States with an opportunity to evaluate their country’s policies against these metrics, as well as those of their European neighbours.

The most important takeaways of the report can be summarised as follows:

- Most EU Member States recognise that working toward cybersecurity and cyber resilience — with particular focus on the protection of critical infrastructure — should be an important national priority.
- Considerable discrepancies exist between Member States’ cybersecurity policies, legal frameworks and operational capabilities, creating notable cybersecurity gaps across Europe.

- While 27 EU Member States have established operational entities, such as computer emergency response teams (CERTs), the mission and experience of those entities vary greatly.
- One notable gap is the lack of systematic cooperation with non-governmental entities and public-private partnerships: a well-established framework for such partnerships exists in only five EU Member States. This leaves a large area untapped for effective, voluntary collaboration between governments and the private sector, which owns and operates the majority of commercial critical infrastructure services in Europe.
- Achieving a coherent approach and a common baseline level of cybersecurity in the EU will require a sustained effort. The Network and Information Security (NIS) Directive and its implementation present an opportunity to focus on protecting Member States’ most critical services and assets. Doing so would enable the NIS Directive to play a key role in closing Europe’s cybersecurity gap.

This year’s report thus highlights some fundamental challenges as well as significant opportunities for improving cybersecurity across the EU. If EU Member States can align their approach to cybersecurity and bring their capabilities to a comparable, coherent baseline level, it will be a major step towards achieving a true Digital Single Market in the EU.

Cybersecurity and cyber resilience are often thought of as a funding challenge, but primarily it is a management one. Getting the right policy, legal and operational frameworks in place, improving collaboration with the various relevant stakeholder communities, effectively sharing meaningful cybersecurity information and prioritising the protection of critical infrastructures are key steps which will increase the cybersecurity and cyber resilience of all EU Member States.

In addition to this report, the detailed results of the research are available online — at www.bsa.org/EUcybersecurity.

Just as cybersecurity is an ever-evolving field, this report is also intended to be a living document. As national governments and decision makers update their frameworks to address the remaining gaps, this website will be updated to show progress across the relevant areas. We invite you to review these results and contact BSA The Software Alliance with information regarding any relevant changes.

METHODOLOGY

This study is based on an assessment of twenty-five criteria across five themes. (See results, pages 8–9.) Each of the criteria is given a “Yes”, “No”, “Partial”, or “Not Applicable” status. There are no overall rankings or scores in this study.

This analysis is the result of desk-based research on publicly available information, and did not involve direct interviews with national agencies. Where possible we have included links to further information and resources. These are available on our homepage.

The research period concluded on 1 January 2015 and general information in the report is correct up to that date.

For detailed information on the methodology used, please visit our website www.bsa.org/EUcybersecurity.

THE BUILDING BLOCKS OF A STRONG LEGAL CYBERSECURITY FRAMEWORK

Construct Solid Legal Foundations

Governments should enact and keep up-to-date a comprehensive legal and policy framework, based on a solid national cybersecurity strategy. This framework should be built upon the following key principles.

- Risk-based and prioritised: Cyber-threats come in many shapes and magnitudes with varying degrees of severity. Establishing a hierarchy of priorities — based on an objective assessment of risk — with critical assets and/or critical sectors at the top is an effective starting point from which to ensure that cyber protections are focused on those areas where the potential for harm is greatest.
- Technology-neutral: A technology-neutral approach to cybersecurity protection is vital to ensure access to the most secure and effective solutions in the marketplace. Specific requirements or policies that mandate the use of certain technology only undermine security by restricting evolving security controls and best practices and potentially creating single points of failure.
- Practicable: Any strategy is only as effective as it is adoptable by the largest possible group of critical assets and implementable across the broadest range of critical actors. Overly burdensome government supervision of private operators, or disproportionately intrusive regulatory intervention in their operational management of cybersecurity risk, would most often prove counterproductive, diverting resources from effective and scalable protection to fragmented administrative compliance.
- Flexible: Managing cyber risk is a cross-disciplinary function and no one-size-fits-all approach exists. Each industry, system and business faces distinct challenges, and the range of actors must have flexibility to address their unique needs.
- Respectful of privacy and civil liberties: Security requirements should be duly balanced with the need for protection of privacy and civil liberties. Ensuring that requirements and obligations are proportionate, do not represent more intrusion into fundamental rights than what is strictly necessary, follow due process and are supported by adequate judicial oversight are all important considerations to address in any cybersecurity framework.

Establish Operational Entities with Key Responsibilities for Security

Governments should set up operational entities to support the prevention of cybersecurity incidents and to ensure response to them. A core component of this is the establishment of operational computer security, emergency and incident response teams.

Engender Trust and Work in Partnership

No country or government can address cybersecurity risk in isolation. Collaboration with non-governmental entities as well as with international partners and allies is a crucial component of an effective approach to cybersecurity.

- Partnering with the private sector: Most infrastructure is owned by the private sector, making effective public-private cooperation essential. Cooperation also improves the effectiveness of risk management by improving the sharing of information, experience and perspective from multiple sources. Particular efforts are needed to foster trust and avoid legal obstacles that may hinder it.
- Global rather than isolated: Given that cyber threats are global, effective cybersecurity policies and strategies need to maintain an international outlook, building on joint efforts with partners and allies. They should also leverage international, voluntary and market-driven standards in order to maximise pan-regional and global information sharing and protection.

Foster Education and Awareness About Cybersecurity Risk

People, process and technology are equally important to ensuring cybersecurity. Even the best technology will be ineffective if not used appropriately. Awareness raising, education and training about clearly articulated cybersecurity priorities, principles, policies, processes and programs are essential components of any cybersecurity strategy.

KEY FINDINGS

Recent high-profile cybersecurity incidents have underlined the crucial importance of strengthening cyber resilience in general, as well as the protection of critical infrastructure from cyber threats, both in Europe and around the world. In order to achieve these goals, public and private stakeholders need to be equipped with the capacity to effectively prevent, mitigate and respond to cyber-attacks and incidents.

With an increasing focus on improving cyber resilience both in the Member States and at the EU level, this report — the first-of-its-kind BSA EU Cybersecurity Dashboard — provides a comprehensive overview of the state of the current cybersecurity frameworks and capabilities.

As detailed below, the report examines five key areas of each EU Member State’s cybersecurity policy environment:

- Legal foundations for cybersecurity;
- Operational capabilities;
- Public-private partnerships;
- Sector-specific cybersecurity plans; and
- Education.

LEGAL FOUNDATIONS

Policymakers have a key role to play in ensuring that both public and private entities are well equipped to face the cybersecurity challenges of an ever more connected world. They can achieve this not only by establishing appropriate legal and policy frameworks, but also through promoting cybersecurity awareness and cooperation with the different actors involved in working towards cyber resilience.

A key component, and in many ways the foundation, of this framework is a national cybersecurity strategy, which is critical for managing national-level cyber risks and developing appropriate legislation to support those efforts. A strong cybersecurity strategy should be a “living document,” developed and implemented in partnership with key public and private stakeholders. It should contain clearly articulated principles and priorities that reflect societal values, traditions and legal principles.

In this regard, there is a need for further improvement within the EU. Only 19 of the 28 Member States have more or less detailed and comprehensive cybersecurity strategies in place, while eight have not declared any such framework at all. Even in the case of those countries with adopted cybersecurity strategies, the quality of these is variable, many remaining vague and high-level and lacking a clear implementation plan. Furthermore, most of these documents seem static. Only a small number of countries have already revised and improved their initial strategies and published an updated one. Finally, only a minority of the Member States have reinforced their cybersecurity strategy with relevant legislative and policy instruments that address security, information classification obligations and critical information infrastructure protection requirements.

