
Part 2: EU – A Regulatory Superpower and A Pioneer in Cybersecurity?

The EU was visible at the Cyber Security Nordic fair especially through regulation. There is a risk of over-regulation, but at the same time the Union can be at the forefront of cybersecurity.

Another of the themes of the 2023 Cyber Security Nordic event was the survival of the EU and Europe in the growing environment of cyber risks. EU decision-making bodies were represented at the fair by MEP Henna Virkkunen, and operational functions by Juhan Lepassaar, Executive Director of ENISA, the European Union Agency for Cybersecurity. The panel discussion, which was attended by Finland’s Cyber Ambassador Tarja Fernandez, Deputy Cyber Security Director Stefan Lee and CEO Peter Sund of FISC, was titled “How Europe Tackles Cyber Threats”. On the second day of the fair, privacy activist Max Schrems spoke critically about the data transfer practices between the EU and third countries, especially the United States, concerning the personal data of EU citizens.

Although the EU representatives did not blindly praise the Union, listening to them alone would easily give the impression that things are going well. The speeches extensively covered the EU’s cybersecurity strategy and regulation, such as the NIS2 and CER directives. Attention was also paid to the Cyber Resilience Act, which specifies the obligations of smart device manufacturers and has as one of its objectives ensuring the cybersecurity of devices throughout their life cycle, and to the Cyber Solidarity Act, or CSA, which increases cyber solidarity among member states.

The directives and acts were presented in a mainly positive light, although the problems encountered by each of them were also examined. The speeches highlighted the image of the EU as a regulatory superpower that, when implementing new regulations, also sets rules for the rest of the world. On the other hand, it is relevant to ask at what point regulation creates problems or barriers for the growth of companies. One question that was not fully answered was whether there is already too much regulation, to the detriment of small and medium-sized enterprises.

The speeches also touched on the EU’s preparedness and general situational picture with regard to cyber threats. Both Virkkunen and Lepassaar pointed out the increase in ransomware, denial-of-service attacks and cyberattacks on critical infrastructure. In this sense, the EU’s cyber situational picture corresponds to the views of international experts and experts from various security companies on prevailing trends.

The panel discussion pointed out that, judging by all the statistics, cyber threats and the harm they cause have increased in Europe and within the EU as well. In this sense, perhaps we should not be talking about a real success for Europe. On the other side of the coin, it should be noted that the growth in the number of threats is a global trend. To the EU’s credit, it has reacted relatively quickly and, at least from a regulatory point of view, the EU can be considered light years ahead of the rest of the world. On the other hand, the EU itself is allegedly trying to circumvent the regulations it has created.

The stone in the shoe has been the agreement on the transfer of personal data between the EU and the United States, which has already twice been overturned by the Court of Justice of the EU with the so-called Schrems I and Schrems II decisions. The matter took a new turn last July when the European Commission’s new adequacy decision on the US level of data protection entered into force. Speaking at the fair, data protection activist Max Schrems, after whom the previous judgments are named, also commented on the summer decision and considered it likely that the latest decision will also be tested in court. According to Mr Schrems, it appears that the changes made are relatively small, and US law still does not provide the necessary protection for EU citizens’ personal data. The speech easily gave the impression that this was a deal made between EU Commission President von der Leyen and US President Biden.

The truth about the state of cybersecurity in Europe, and about regulation, can be found somewhere between the negative and the positive. The important thing would be to maintain consistency, not to over-regulate and to comply with our own regulations. The increase in cyberattacks and the speed of change in the threat perception are also realities to which both the EU and the rest of the world must adapt. In this context, the importance of an up-to-date situational picture cannot be overemphasised. The options presented in the speeches for tackling the problems included increased cooperation not only within the EU, but also with other partners such as the United States, Ukraine and NATO. At the same time, citizens’ cyber skills and the operational capabilities of organisations should be taken care of.

References
Henna Virkkunen; MEP: Current EU cyber affairs. Cyber Security Nordic 2023 Event.
Juhan Lepassaar; Executive Director, The European Union Agency for Cybersecurity, ENISA: A Trusted and Cyber Secure Europe: threats and actions. Cyber Security Nordic 2023 Event.
Max Schrems; European Center for Digital Rights, NOYB: Data transfers from the EU to third countries in this current political situation. Cyber Security Nordic 2023 Event.
Tarja Fernandez; Ambassador of Cyber Affairs, Ministry for Foreign Affairs of Finland; Peter Sund; CEO, FISC; Stefan Lee; Deputy Director of National Cyber Security of Finland: Panel: How Europe tackles cyber threats. Cyber Security Nordic 2023 Event.