Digital transformation and cybersecurity: more opportunities… but more vulnerabilities
Digital transformation has long been a strategic priority for the European Union (EU), a commitment only reinforced by the Covid-19 pandemic. Over the past 20 years, technological progress has drastically changed many aspects of our daily life, including the appearance of many Information Communication Technology (ICT) products. These have made everything “smarter” and more “connected” – in ways unimaginable only a few years ago.
At the same time, network and information systems (NIS) have become vital. Their reliability and security are essential – both for the economy and for society at large. While progress has delivered unprecedented opportunities for businesses and individuals, it’s also brought new and serious challenges. Chief among these is the threat of cyber attack, especially in critical sectors, an issue that businesses are ever-more exposed to – and policymakers ever-more focused on.
Securing the EU’s single market: How Europe is rising to the challenge
Responding to the challenge, the EU has championed a range of initiatives aimed at strengthening cybersecurity within the single market. By the early 2000s, the European Commission was already highlighting the importance of better NIS cybersecurity resilience. As a result, it developed a proposal for an EU mechanism to foster collaboration and information sharing about NIS risks and incidents, as well as secure cross-border services and systems. By 2016, the proposal had been adopted, becoming what is now known as the NIS Directive – the first EU-wide legislation aimed at improving cybersecurity resilience.
In parallel, by 2005, the Commission had recognized the paramount role played by ICT-product cybersecurity in fostering the EU’s economic growth. While this area has seen ongoing development, in the past 18 months, it has taken center stage once again. In December 2020, the European Council highlighted the need to take a more holistic approach to product cybersecurity – by addressing aspects like safety, availability, and confidentiality. And in June 2021, recognizing the fragmentation risk to the single market from a patchwork of national cybersecurity regulations, the European Parliament tasked the Commission with exploring the need for horizontal legislation that would place mandatory cybersecurity requirements on ICT products by 2023.
Helping the EU build evidence-based options for the future: How did Wavestone help?
Against this backdrop, the Commission identified a requirement to gather information capable of supporting and guiding thinking on EU cybersecurity policy interventions in the coming years. Wavestone’s strategic experience and expertise in digital made it a strong candidate to help the drive for a more cyber-resilient EU. Over 2020 and 2021, the Commission asked Wavestone to meet this need by carrying out two studies.
The first, which saw Wavestone partner with two other companies, supported a review of the NIS Directive. Specifically, Wavestone evaluated the existing legal and policy framework applied to NIS security and assessed its actual impact. In the light of this, it also recommended potential new policy concepts and measures that could be included in a revised framework.
The second study consisted of an exploratory impact assessment. This investigated the need for cybersecurity requirements to be applied to ICT products. Here, Wavestone led a consortium of four companies to define the problem, categorize the products, and assess the levels of risk in each product category. In addition, the study developed a set of essential cybersecurity requirements that could be applied to the entire ICT-product lifecycle, and considered possible EU policy options and their potential economic and social impacts on the single market.
In both studies, Wavestone supported the Commission’s need for solid evidence. It carried out an extensive data-collection exercise that included desktop research on policy, legal and academic documents, and consulted stakeholders through interviews, focus groups and workshops. As a result, Wavestone was able to help build up a comprehensive picture for the Commission, including views and insights from a range of stakeholders across the EU – from national competent authorities, to industry and consumer associations.
What does the future hold?
On both the cybersecurity of NIS and ICT products, Wavestone delivered a series of key insights. These will help the European Commission make evidence-based decisions on future policy and better implement the 2020 EU Cybersecurity Strategy. In particular, the Commission has already adopted a proposal to update the NIS Directive (into its NIS 2 version). This will address the weak spots of the existing directive, better adapt it to today’s needs, and help to future proof it.
In addition, in her last State of the Union address, the Commission President, Ursula von der Leyen, highlighted the EU’s ambition to become a world leader in cybersecurity. She again stressed the need for a common European cyber defense policy and that legislation on shared standards and requirements (through a European Cyber Resilience Act) should be seen as integral to such a policy.