The New Cybersecurity Strategy of the EU and its Implications for Latvia

On February 7, 2013 the new cybersecurity strategy of the European Union (EU) – „Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”[1] (strategy) – was published. It is the first cybersecurity strategy of the EU in the outstanding field of cybersecurity, and it is important to analyze also its implications for Latvia.

What generally differentiates this strategy from similar documents of other actors is that it stresses the core values of the EU (as underlined by inclusion of the “openness” in the title of the strategy). According to the strategy, „the same laws and norms that apply in other areas of our day-to-day lives apply also in the cyber domain”[2].

Although the strategy is the first one of the EU in this field, generally it does not propose fundamentally new activities from the previous ones for securing the cyberspace, and mostly these activities are continuation or widening of the previous ones. According to the strategy, most of the expected activities will be carried out by bodies of the EU, mainly the European Commission, in subfields of cyber resilience, cybercrime, cyberdefence, industrial and technological resources, international cyberspace policy and promotion of core values.

As it is acknowledged that “it is predominantly the task of Member States to deal with security challenges in cyberspace”[3], the limited number and character of the tasks (appeals) to the member states might seem frustrating at the first sight. However, it is important to note that the strategy was published concurrently with a proposal for a directive that aims to ensure a high common level of network and information security across the EU[4](draft directive).

From the practical point of view, the draft directive might be considered as potentially more important than the strategy itself. Firstly, after its adoption (estimated in 2015 by the European Commission)[5]it will be binding to all member states of the EU. Secondly, it proposes significant and strict requirements to practically increase cybersecurity across the EU, including adoption of national strategy and national cooperation plan, designation of national competent authority, establishment of computer emergency response team, establishment of cooperation network at the level of the EU, setting security requirements and incident notification obligation to public administrations and market operators.

However, taking note of the currently different approaches among the member states and their different capabilities, fierce discussions can be expected and their outcome is hardly predictable. Discussions can extend to 2015 when at the first half of the year Latvia will take over the Presidency of the Council of the EU. Accordingly, Latvia might have an important role in the last stages of discussions and adoption of the draft directive.

According to the European Commission, the member states of the EU „have very different levels of capabilities and preparedness, leading to fragmented approaches across the EU”[6]. However, in sense of preparedness Latvia might be considered as prepared. According to the impact assessment of the draft directive[7], although level of maturity of its market of network and information security is denoted as low (“cluster 4 – the learners”) (however, according to a report from 2009)[8], Latvia has established its national computer emergency response team (CERT.LV)[9], it is in process of joining the EGC group[10], it has adopted a strategy (National Security Concept (2011))[11], a separate strategy in process of adoption[12]), it has a contingency/cooperation plan. In addition, it has to be underlined, a special law (Law On the Security of Information Technologies (2010)[13]) has been adopted, establishing system of protection of the critical infrastructure, determining operation of CERT.LV with a strong mandate, establishing basic security requirements for all state institutions, local government institutions, undertakings of electronic communications, establishing the National Information Technologies Security Council.

In contrast to different other member states of the EU, some of which have not yet fully established their computer emergency teams and have not adopted their strategies, Latvia, in general, is prepared to fulfill the requirements proposed by the draft directive and to further foster its preparedness. Because of the transnational character of threats and interconnectedness in the cyberspace, Latvia can benefit from equalization of capabilities among the member states of the EU.

[1] Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions „Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace. European Commission, High Representative of the European Union for Foreign Affairs and Security Policy. Brussels, 07.02.2013. JOIN(2013) 1 final.

[2] Ibid. p.3.

[3] Ibid. p.4.

[4] Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union. Brussels, 07.02.2013 COM(2013) 48 final. 2013/0027 (COD). European Commission.

[5] Ibid. p.35.

[6] Ibid. p.3.

[7] Commission Staff Working Document „Impact Assessment.Accompanying the document „Proposal for a Directive of the European Parliament and of the Council Concerning measures to ensure a high level of network and information security across the Union. European Commission. Strasbourg, 07.02.2013. SWD(2013) 32 final. p.23-24.

[8] The European Network and Information Security Market. Scenario, Trends and Challenges. A study for the European Commission, DG Information Society and Media. Final Study Report. IDC EMEA. 04.2009. p.23.-25.

[9] Information Technologies Security Incidents Response Institution (CERT.LV).

[10] European Government CERTs (EGC) group.

[11] Par Nacionālās drošības koncepcijas apstiprināšanu. Saeima. 10.03.2011.

[12] Projekts „Pamatnostādnes „Latvijas Informācijas tehnoloģiju drošības stratēģija 2013.-2018.gadam””.

[13] Informācijas tehnoloģiju drošības likums. Saeima. 28.10.2010.

Publicēts 19. februāris, 2013

Autors Māris Andžāns