Implications of the EU’s declarations relating to cyber security and access to the Digital Single Market

The European Union governance structure is empowered to adopt measures with the aim of establishing or ensuring the functioning of the Internal Market in accordance with the relevant provisions of the Treaties. In view of the huge fragmentation of the market for information and communication technologies (ICT), ICT security products and solutions, EU action is needed to achieve a single market in this field, which is also a prerequisite for a well-functioning digital economy.

There are several challenges that need to be faced in order to achieve the goal of a Digital Single Market in the EU. The current 28 EU member states have not been able to compete on a level playing field be-cause of strong leverage of their member state’s own supplier base versus the competition often from outside the EU bloc.

The status of cybersecurity in the EU
Cyberspace is borderless by nature and is increasingly complex, with cyber attacks ranging from denial of service, data breaches and data theft to spying, surveillance and terrorism. In general these are only increasing across all industry sectors and are driving the strong development of countermeasures and investment by technology vendors, industry and governments from all nations. In addition to the threat and need to manage cyber threats, the other key realisation is that strong cyber trust and security is criti-cal to a smoothly functioning trading marketplace. The area of cyber security solutions is a strong growth market. Indeed, the global cybersecurity market is expected to grow to a value of $80-120 billion by 2018. The challenge has been to invest in and to coordinate the EU’s own home grown solutions and vendors, who have struggled to compete with ICT providers from outside their country (and mostly out-side the EU).

The top five vendors control 20.4% of the total market (and they all come from outside the EU).

The EU market has been dominated by a small group of global vendors competing with a high number of smaller European suppliers. The top five vendors control 20.4% of the total market (and they all come from outside the EU). EU suppliers remain mostly national or regional players. Their cumulative market share was estimated at around 16.5% of the total EU Network Information Service (NIS) market reve-nues. The fragmentation of the cyber security supply industry in Europe is a key reason for the recent EU initiatives in terms of cybersecurity regulations.

How to prevent cyber attacks
A key set of takeaways for the cyber practitioner include that cyber security covers a broad set of attack vectors of devices, software applications, networks and data centres and databases that are typically spread across multiple vendors and cloud computing services. “Not one person can know everything” – this is a fast moving area of people and technology developments – there is a need to keep on top of it and a need to have a “joined up approach” between enterprises, public authorities and citizens to drive adoption. “Attack from many sides” – many types of attack potentially come from many gaps opened up in cyber attacks. Lessons from past cyber attacks: The size of data breaches – millions of records and the number of threat points – for example the Russian bank attacks of 2015 was malware introduced by stealth. Zero day attacks (in other words a vulnerability not having been the subject of any known publi-cation implies that no protection exists) are likely to rise in number and cyber is becoming more sophisti-cated.

The need to harmonise the European market
The key is to establish partnerships to manage knowledge and awareness in the EU and other countries and in industry. The rate of change in cyber technology and cyber attacks needs a responsive and progressive approach to keep ahead and to be able to lead the market. The use of EU legislation will move ahead to seek to establish the foundations of a joined up and coordinated response.

Doing nothing would maintain the EU status quo of largely national approaches and would not serve to create a well-functioning European market for cybersecurity products and services.

Article 25 in the Regulation of the European Parliament and of the Council establishing Horizon 2020 provides the legal framework for the establishment of a public-private partnership, the contractual agreement should specify the objectives of the partnership, respective commitments of the partners, key performance indicators and outputs. There needs to be an EU-wide
approach to cyber security and the currently limited cooperation among member states needs to be strengthened; and key sectors of the economy would be subject to security obligations following an approach aimed at harmonising the internal market. It is therefore very likely that the implementation of the business requirements under the NIS Directive (network information service) will lead to increased demand for cyber security solutions.
Doing nothing would maintain the EU status quo of largely national approaches and would not serve to create a well-functioning European market for cybersecurity products and services. The EU would thus be unable to respond to growing demand for network information services by EU providers and this would be a missed opportunity for Europe to become a global leader in the field of cybersecurity. For the EU member states, this is the direction of travel for the strategy to deal with the nature of a cyber security world that is borderless and to underpin modern global and local economies across all sectors. Non-EU countries and EU countries both have a vested interest in making this work.