New EU cybersecurity strategy is step forward

The European Economic and Social Committee (EESC) welcomes the proposed new package of EU cybersecurity measures but points to weaknesses in addressing Europe’s huge cyber skills gap. Critical entities also need streamlining, simplification and clearer application guidelines, in the EESC’s view.

Overall, the EESC hails the new EU cybersecurity strategy as a positive step towards protecting governments, people and businesses from cyber threats, and safeguarding economic growth – an area where the EU appears to be highly vulnerable, with the economic impact of cybercrime estimated at 0.84% of GDP, compared to 0.78% in North America.

Cybersecurity skills in dangerously short supply

However, the EESC stresses that there is a critical shortage of cybersecurity skills in Europe and that the strategy will not be sufficient to meet it. Demand for cybersecurity professionals has been growing in recent years and has been skyrocketing with the pandemic. As organisations quickly shifted their operations online and 40% of EU workers switched to remote working in 2020, an estimated 40% of EU users experienced security-related issues in 2020, with over 12% of businesses affected by cyberattacks.

The need to secure data and fend off persistent hacking incidents has become more acute and hiring cybersecurity professionals a top priority. But there are more roles open than professionals to fill them: cybersecurity job vacancies in the EU are expected to reach at least 200,000 by 2022. For the majority of European companies, and especially SMEs, the growing skills gap is a huge problem.

“Clearly, the EU urgently needs trained professionals working in cybersecurity roles in both the private and public sectors for the security of individuals, businesses and the EU,” said Philip von Brockdorff, rapporteur of the EESC opinion on the strategy. This is why the EESC strongly recommends a harmonised Cybersecurity Career Pathway to help address the increasing skills gap across the EU.

The United States has developed a Cyber Security Career Pathways Tool to help people considering a career in cybersecurity identify, build and navigate a relevant career path. This interactive tool helps people explore a great variety of roles, detailing tasks and required knowledge, skills and abilities (KSAs) and mapping career paths from entry to senior levels. The EESC suggests that Europe could develop an EU-wide Cybersecurity Career Pathway Tool of its own to help train a cybersecurity workforce with comparable skills in Europe, capable of moving across borders and meeting demand in this high-growth industry across the bloc.

Cybersecurity and resilience of critical entities: need for streamlining and clear definitions

In the second opinion, drawn up by Maurizio Mensi, the EESC welcomes the Commission’s two proposals to make public and private critical entities more resilient to threats from cyber and physical attacks, pointing out the need to strengthen industry and innovation capacity in an inclusive manner through a strategy based on four pillars: data protection, fundamental rights, security and cybersecurity.

However, in the interest of streamlining and simplification, the Committee calls for the two proposals to be combined into a single text, as they are closely linked and complementary (one focuses primarily on cybersecurity and the other on physical security) and some of the provisions overlap.

In addition, the EESC thinks that, given the relevance and sensitivity of the objectives pursued by the two proposals, regulations would have been preferable to directives, taking into consideration the findings of the impact assessment and the consultation carried out prior to the proposals being made, as well as the shared intention to avoid national rule fragmentation.

Finally, referring to the scope of application, the Committee points out that specific and clearer guidelines are needed to precisely identify the “critical” entities bound by the proposed directive. Commenting on this, Mr Mensi said: “The criteria for distinguishing between ‘essential’ and ‘important’ entities in sectors identified as critical to the economy and society should be more precisely defined. We need to make sure that differing approaches at national level do not result in barriers to trade or free movement of goods and services, which could jeopardise businesses and undermine trade.”

Background

The European Commission presented the new “EU Cybersecurity Strategy for the Digital Decade” in December 2020, together with two legislative proposals: the revision of the Directive on the security of network and information systems (the “NIS 2 Directive”) and a new Directive on the resilience of critical entities (CER).

The strategy is a cornerstone of the communication on “Shaping Europe’s Digital Future”, the recovery plan for Europe and the EU Security Union Strategy and aims to enhance Europe’s collective resilience to cyber threats and guarantee that all individuals and businesses are able to benefit from trustworthy and secure digital services and tools.

EESC