While there has been no radical change in cyber threats since the beginning of the war in Ukraine, attacks have become more intense and sophisticated, said Juhan Lepassaar, executive director of the EU cybersecurity agency, ENISA, on Monday (26 September).
Only one significant cyberattack with spillover effects has been recorded since February 2022: the Viasat attack, which affected the operation of thousands of windmills in Germany.
However, the cost of ransomware attacks is increasing, with skills shortages and the protection of critical sectors of particular concern.
“This should not mean that we can lower our guard. The overall threat landscape remains challenging,” ENISA’s Lepassaar said during a parliamentary hearing in the Industry, Research and Energy Committee.
Ransomware attacks are the prime threat, followed by social engineering and malware. “With state-sponsored actors focusing more on impactful attacks by aiming at supply chains, the cost of ransomware might be well over €250 billion by 2031,” the agency chief added.
A major issue, according to Lepassaar, is that, in many cases, the affected organisations do not report the attacks to the relevant authorities. In 2021, zero cases of cross-border relevance were reported by member states, although a majority of cases affected several countries.
“The reason why they are not reporting is that they don’t know. The reason why they don’t know is they don’t share. So it is a vicious circle that we need to somehow crack at the Union level,” Lepassaar said.
To minimise the risks of cyberattacks, the agency chief suggested investing to combat the shortage of skilled workers and increasing investments in critical sectors, citing healthcare in particular.
At the end of October, the European cybersecurity month, ENISA will publish its yearly EU threat landscape report for 2022.
Cybersecurity certification scheme
The ENISA chief also pointed out that the EU is raising more awareness regarding the threats and that there are multiple legislative files and projects aiming to improve cybersecurity currently in the making.
Most recently, on 15 September, the Commission presented its draft for the Cyber Resilience Act to address vulnerabilities in connected devices through a security-by-design approach.
Further, the Cybersecurity Certification Scheme for Cloud Services (EUCS) has advanced: ENISA presented a draft this summer that sparked controversy over its sovereignty requirements on European data localisation and foreign law immunity.
Liberal MEP Bart Groothuis, the rapporteur of the Networks and Information Security 2 Directive, reiterated the call for a political discussion during Monday’s hearing. “We need a political debate because it is against the risk-based approach that we put forward in NIS 2.”
While ENISA’s mandate is purely technical, multiple member states, including Estonia, the Netherlands, Greece – and now also Germany – called for political discussions and criticised the scheme’s requirements for restricting competition even if non-EU companies could provide the same or even higher cybersecurity levels.
An EU diplomat told EURACTIV that the likelihood of such political discussions occurring at the Council level is increasing.
Meanwhile, ENISA is meant to present a new draft of the scheme, on which the European Cybersecurity Certification Group (ECCG), composed of representatives of national cybersecurity certification authorities, will have to issue an opinion. Here, member states will have the chance to voice their opinions on these requirements.
Previously, the scheme’s drafting process has been described as non-transparent by many players, “with industry stakeholders and the other member states left in the dark and now being asked to accept a new version of the scheme as fait accompli,” as a DIGITALEUROPE spokesperson told EURACTIV.
Following the ECCG’s opinion, ENISA will hand the draft over to the Commission, which will then draft the implementing act. It remains to be seen whether ENISA will incorporate the ECCG’s opinion, which is expected at the end of November.
[Edited by Nathalie Weatherald]