EU Cybersecurity Policy: A Model for Global Governance

Print Friendly, PDF & Email
Image by br1dotcom/Flickr.

While only 6 percent of all cyber incidents reported in 2011 were perpetrated with malicious intentions, there is still an important vacuum of data regarding cybercrimes. In this context, the European Union (EU) established the European Cybercrime Centre in January as part of the Europol. This important event raises the question of the effectiveness of the instruments established by the European Union to address cybersecurity. The mode of governance developed by the European Union is coherent and comprehensive but now the international community must support and adopt this model for it to be effective.

The European Union has structured its mode of governance around three pillars that parallel the economic and social opportunities of the Internet and both categories of cyber threats: cybercrimes, such as online bank robbery, and attacks on critical infrastructures through the development of online viruses, such as Flame and Stuxnet that were used to break down Iranian nuclear facilities.

The first pillar, established in 2005, is the European Network and Information Security Agency (ENISA), which identifies the causes of and protects against cyber incidents on critical infrastructures in Europe. The ENISA has already demonstrated its capabilities by organising the first pan-European cybersecurity exercise in 2012, which tested the preparedness of financial institutions, government organisations and telecommunication companies to combat a cyberattack. Additionally, the ENISA published its first report on annual incidents that occurred in 2011, framing the causes and consequences of all reported cyber incidents. Under the second pillar, launched in 2010 with the Digital Agenda for Europe by the EU Commissioner for Information Society and Media Neelie Kroes, the European Union adopted a series of laws and initiatives that promote the development of social and economic opportunities in the digital world, such as protecting intellectual property, developing broadband coverage, roaming harmonization, E-Commerce, eID, and eSignatures. The third pillar, under the supervision of EU Commissioner for Justice and Home Affairs Cecilia Malmström, completed the protection against cyber threats by establishing the European Cybercrime Centre. The centre is responsible for pooling and sharing information, raising awareness, and supporting investigations on cybercrimes.

The European Parliament, assisted by the European Data Protection Supervisor, is also an essential actor of the EU’s cybersecurity governance because it balances the three pillars and guarantees that citizens remain the first beneficiaries of the Internet. Through negotiations with the United States, the European Parliament has already played a key role in the protection of civil liberties and fundamental freedoms in several controversial cases, such as the Passenger Name Record (PNR) and the Anti-Counterfeiting Trade Agreement (ACTA). In these negotiations, the European Parliament ensured the balance between economic opportunities, citizens’ rights, and the prevention of cyber threats.

The mode of governance developed by the European Union has the potential to become a model for the rest of the world because it balances both control and freedom of information and economic opportunities and national security. The outcome, however, of the World Conference on International Telecommunications in December 2012 shows the rest of the world does not recognize the effectiveness of the EU mode of governance. It, therefore, is necessary for the European Union to actively promote its mode of cybersecurity governance at the international level.

To do so, the European Union should, first, continue to demonstrate the effectiveness of its current policy, especially through close cooperation between the Cybercrime Centre and the ENISA. This will provide a clear understanding of the different threats that the European Union is facing and ways to prevent them. Second, through increasing the power of independent and specialized advisory bodies, such as the European Data Protection Supervisor, the European Union should ensure that the European Parliament is able to resist external lobbying. Third, the European Union should overcome its ideological conflicts over privacy when negotiating with the United States in protecting against cyberattacks by increasing transparency and having members of the European Parliament present during negotiations. The European Union should also overcome the transatlantic divergence over the militarization of cybersecurity by further developing a cybersecurity agenda within NATO. Finally, the European Union should increase its visibility during multilateral negotiations by participating actively in related meetings at the International Telecommunication Union and during the UN General Assembly’s Governmental Group of Experts on the Developments in the Field of Information and Telecommunications in the Context of International Security.

The EU’s mode of governance appears to fit all positive and negative aspects of the digital world, by ensuring coherence and check-and-balance mechanisms between security, economic opportunities, civil liberties, and fundamental freedoms. While it has failed to promote its vision through bilateral, regional, and multilateral negotiations, the European Union should concentrate its efforts on becoming a model for the rest of the world by demonstrating its effectiveness against cyberthreats and its clear balance between opportunities and civil rights.

This is a cross-post from Atlantic Community.


For additional reading on this topic please see:

Transatlantic Cybersecurity
Where Cyber-Security is Heading
Internet Governance in an Age of Cyber Insecurity


For more information on issues and events that shape our world please visit the ISN’s featured editorial content and Security Watch.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.