The EU should do more to deter cyber-attacks from malicious actors targeting the bloc’s critical infrastructure and essential services, according to a draft EU Council response to the European Commission’s new cybersecurity strategy.

The document, obtained by EURACTIV, is currently being debated by representatives from EU member states in the EU Council, after having been drawn up by the Portuguese Presidency of the EU at the start of the year.

Honing in on the efficacy of the bloc’s 2017 cyber diplomacy toolbox, which broadly outlines how EU nations should respond when facing cyber attacks, the EU council document states that further discussions should be held on the scope of the measures, with a view to further “preventing and countering cyberattacks with systemic effects that might affect our supply chains, critical infrastructure and essential services.”

Earlier this year, the EU had executed provisions outlined in its cyber diplomacy toolbox, imposing restrictive measures against six individuals and three entities responsible for the ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’ attacks.

As a potential extension to such punitive measures, the text also notes how future reflection should be made to the “interactions” between the cyber diplomacy toolbox and the possible use of various EU treaty articles.

This includes Article 42.7 of the Lisbon Treaty – the mutual defence clause –, and Article 222 – the solidarity clause –, which allow EU nations to offer assistance to other countries on the bloc when they are faced with attacks, terrorist threats and require assistance.

France was the first EU nation to formally invoke Article 42.7 of the treaty in the wake of the terrorist attacks in Paris in 2015, in a bid to contract support from EU partners for ongoing operations against the Islamic State in Syria.

From the EU Council drafts seen by EURACTIV, it appears now that EU nations are beginning to consider cyberattacks under the same terms as general terrorist activity, with regards to calls for joint support from partners on the bloc.

Commission’s cyber strategy

The Council document comes in response to the Commission’s Cybersecurity Strategy for the Digital Decade, presented in mid-December. It is dated February 16, and was recently sent to EU delegations after being debated over in the Council Horizontal Working Party on cyber issues.

EU member states appear to be largely in support of the Commission’s plans, calling for greater deterrent to block harmful cyberattacks against critical infrastructure.

The Commission’s strategy had proposed a revision of the Security of Network and Information Systems Directive (NIS 2), adding new sectors to the scope of minimum cybersecurity requirements as well as attempting to further harmonise sanctions regimes for cyber attacks across EU member states.

As part of these plans, certain “essential and important entities” across critical public and private sectors such as hospitals, energy grids, railways, data centres, public administrations, research labs, and manufacturing of critical medical devices and medicines, will be obliged to adopt appropriate cybersecurity risk management measures as well as new reporting obligations.

Related to this are plans for the Commission to expand the scope of the 2008 European Critical Infrastructure directive, with the introduction of a Critical Entities Resilience (CER) Directive, which now would earmark ten sectors as “critical,” including energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space.

Threat landscape amid coronavirus

As the EU continues to reel from the impacts of the coronavirus pandemic, attention has increasingly focused on the vulnerability of certain “essential services,” highlighted in the Council documents.

Last year, members of the NATO alliance released a statement condemning “destabilising and malicious cyber activities directed against those whose work is critical to the response against the pandemic, including healthcare services, hospitals, and research institutes.”

NATO’s comments came after an April statement from the Commission’s foreign affairs chief Josep Borrell, who said “malicious cyber activities” had been recorded across Europe’s healthcare sector, including phishing and malware distribution campaigns, scanning activities and distributed denial-of-service (DDoS) attacks.

A week before, authorities in the Czech Republic reported attacks on critical national infrastructures, with the National Cyber and Information Security Authority (NÚKIB) issuing a cybersecurity warning.

This week, two French hospital groups have been infected with the crypto-virus RYUK ransomware, resulting in the transfer of a number of patients to other sites.

Source: from