1. INTRODUCTION / CONTEXT

Every day, cybersecurity incidents cause major economic damage to European businesses and the economy at large. Such incidents undermine the trust of citizens and enterprises in the digital society. Theft of commercial trade secrets, business information and personal data, disruption of services - including essential ones - and of infrastructures result in economic losses of hundreds of billions of euros each year. [1] They can also have consequences for citizens’ fundamental rights and for society at large.

The 2013 Cybersecurity Strategy of the European Union [2] (EU Cybersecurity Strategy), and its central deliverable – the soon-to-be adopted Network and Information Security (NIS) Directive [3] – as well as Directive 2013/40/EU on attacks against information systems form the core policy response so far of the European Union to these cybersecurity challenges. In addition, the EU also has specialised entities at its disposal such as the European Union Agency for Network and Information Security Agency (ENISA), the European Cyber Crime Centre (EC3) at Europol, and the Computer Emergency Response Team (CERT-EU). Recently, a number of sectoral initiatives have also been launched (e.g. in the energy and transport field) to increase cybersecurity in various critical sectors.

In spite of these positive achievements, the EU remains vulnerable to cyber incidents. This could undermine the digital single market and economic and social life as a whole. Their impact can also go beyond the economy. In the case of hybrid threats [4], cyberattacks can be used in a coordinated manner with other activities to destabilise a country or challenge political institutions. Against this background, the handling of a large-scale cyber incident involving multiple Member States simultaneously could be challenging for the EU.
In synergy with the Communications on countering Hybrid Threats as well as on Delivering the European Agenda on Security [5], the Commission is looking at ways to address the evolving cybersecurity reality and assess additional measures that may be necessary to improve the EU’s cybersecurity resilience and incident response.

Furthermore, the Commission is also addressing cybersecurity industrial capacities in the EU. Even though the whole value chain of digital technologies may not be mastered in Europe, there is a need to at least retain and develop certain essential capacities. Supply of products and services that provide for the highest level of cybersecurity is an opportunity for the cybersecurity industry in Europe and it could become a strong competitive advantage. The global cybersecurity market is expected to be among the fastest growing segments of the ICT sector [6]. Making the EU a leading player in this field needs to be supported by a strong culture of data security, including for personal data, and an effective response to incidents. This will

[1] Net Losses: Estimating the Global Cost of Cybercrime. Economic impact of cybercrime II; Center for Strategic and International Studies; June 2014.
[2] JOIN(2013) 1.
[3] COM(2013) 48.
[4] JOIN(2016) 18.
[5] COM(2016) 230.
[6] See SWD(2016) 216.
