Jochen Michels, Director of Public Affairs, Europe, Kaspersky
In June 2024, some 350 million EU citizens were called upon to elect the new European Parliament. In mid-July 2024, the first plenary session of the 10th parliamentary term was held in Strasbourg. Important personnel decisions were made, committees were established, and Ursula von der Leyen was elected as President of the EU Commission for a second term. It will be interesting to see what digital and cybersecurity policy priorities the new Commission, the new Parliament, and the Council will set. Kaspersky has drawn up some ideas and recommendations for EU cybersecurity policy and would like to contribute these to the discussion.
Over the past five years, the European Union has made significant progress in both legislative and non-legislative cybersecurity domains, including key achievements such as the NIS2 Directive, the Cyber Resilience Act (CRA), and the Artificial Intelligence (AI) Act. These initiatives, along with others, enhance the cybersecurity and resilience of citizens, the economy, and society, providing a critical foundation for successful and trust-based digitization. Moving forward, it is essential for stakeholders from politics, administration, science, industry, and civil society to collaborate in implementing these initiatives uniformly, promptly, and efficiently. Prioritizing the cyber resilience of both public and private entities, as well as the cybersecurity of digital products, should remain a continuous policy focus in the new legislative term.
1. Transparency as a Cornerstone for Supply Chain Security
NIS2 and the CRA introduce a broad range of transparency criteria for products, services, and companies to strengthen supply chain security. To significantly increase trust, transparency initiatives should be developed and supported, while universally applicable transparency standards for cybersecurity providers should be established. These standards can extend beyond the requirements of NIS2 and the CRA, encompassing source code scrutiny and software/hardware development processes. Furthermore, cybersecurity providers should develop ethical principles for coordinated vulnerability disclosure, establish bug bounty programs, subject their processes and products to regular external evaluations, and publish transparency reports detailing their collaboration with law enforcement and other public authorities. Kaspersky launched a global transparency initiative in 2018 and has continually refined it; therefore, Kaspersky is eager to share its insights with the cybersecurity ecosystem and contribute to the formulation of shared transparency principles.
2. Balancing Technical and Non-Technical Risk Factors to Enhance Cybersecurity
A combination of rigorous competition and trust-based collaboration reinforces security and resilience in Europe. Therefore, all entities adhering to European and national legislation and competently contributing to the safeguarding of citizens, businesses, and societies in Europe should be afforded equal market access. In addition to technical criteria for assessing provider trustworthiness, non-technical risk factors also merit consideration. Transparent risk analyses should incorporate comprehensible criteria, including factors such as a company's transparency, protection mechanisms against unauthorized influence, presence in Europe, participation in international initiatives, and collaborative engagement within the cybersecurity ecosystem.
3. Fostering Multistakeholder Cooperation Across the Cybersecurity Ecosystem
To sustainably fortify cybersecurity and resilience, it is imperative to facilitate the exchange and accessibility of information among cybersecurity vendors, industry stakeholders, and governmental entities. A better understanding of the cyber landscape enables the implementation of tailored protection measures. Multistakeholder collaboration should be ingrained in the initiation of new cyber initiatives, including the expedited development of new EU cybersecurity certification schemes, ensuring their viability and quality. Furthermore, Europe must bolster its digital sovereignty and competitiveness by enacting legislation, establishing reliable standards, and ensuring harmonization to prevent fragmentation, thereby facilitating product compliance and the seamless functioning of the Single Market. EU legal requirements must be effective, proportionate, and aligned with globally recognized best practices.
4. Harmonized Implementation of NIS2 and the CRA
Achieving a consistently high level of cybersecurity across the EU Internal Market demands a synchronized implementation of NIS2 and the CRA. Collaboration among the EU Commission, ENISA, national authorities, and industry is paramount to avoid regulatory disparities. To provide timely legal clarity for affected entities, the EU Commission should expedite the adoption of delegated and implementing acts, particularly those crucial for NIS2 and the CRA implementation. Robust harmonization fortifies cybersecurity and fosters a secure, reliable digital Single Market.
5. Addressing the Cybersecurity Skill and Gender Gap in the Digital Economy
Numerous surveys and studies, including the Eurobarometer survey released in May 2024, highlight the urgent need to enhance cybersecurity awareness, skills, and competencies in Europe. To address this, concerted efforts are needed to sustainably bolster awareness and skills. This involves fostering collaboration among the public sector, industry, and educational and research institutions, and funding training initiatives, particularly those tailored for SMEs. Synergies between different educational and training schemes should be emphasized, and the impact of the EU Cybersecurity Skills Academy should be amplified. Moreover, initiatives aimed at promoting women in cybersecurity must be intensified to narrow the gender gap and address the skills shortage. Additionally, educational policy reforms are imperative, including compulsory computer science modules, enhanced collaboration between schools and industry, and the establishment of additional computer science chairs at universities.
6. Intensive Monitoring of Emerging Technologies for Cybersecurity Implications
The cyber threat landscape evolves dynamically, significantly influenced by emerging technologies. Thus, meticulous analysis of these technologies and their potential impact on cybersecurity is crucial for policy measures, both regulatory and non-regulatory. Establishing a permanent working group, with potential sub-working groups, at ENISA to identify risks and mitigation strategies in areas like AI, quantum computing, or 6G is recommended. A multistakeholder approach ensures targeted utilization of collective expertise and shared know-how. National initiatives, when possible, should be internationalized and consolidated at the European level to harness synergies. Public-private partnerships (PPPs) should be encouraged and funded at the EU level to research the impact of new technologies on cybersecurity and develop solutions.
7. Develop Ethical Principles for AI in Cybersecurity
To leverage AI in cybersecurity responsibly, the industry should spearhead the development of ethical principles through a multistakeholder initiative. These principles should include transparency, ensuring users are informed of AI usage; safety, prioritizing resilience and security in AI development; and human control, recognizing that human expertise and oversight remain indispensable for safe automated systems. Moreover, individuals' right to privacy must be respected, and AI in cybersecurity should be confined to defensive purposes. Continuous dialogue among stakeholders is crucial for sharing best practices in the ethical application of AI.