Intelligence sharing key to cyber security in Europe, says EU Commission cyber expert

Cyber criminals choose not to attack Europe due to its resilience and preparedness, says the EU Commission’s principal advisor for cyber security coordination, Despina Spanou

Cyber security regulations are a mechanism for innovation rather than something that stifles it, according to Despina Spanou, the European Commission’s principal advisor for cyber security coordination.

Speaking at the VivaTech conference in France last week (13 June), Spanou talked about the importance of everyone implementing and following legislation and regulations around cyber security.

She said the EU Commission has undertaken stress tests and exercises showing that many of the major cyber attacks that have taken place in other parts of the world affecting critical infrastructure “have spared Europe because of the built-in resilience and preparedness we have in our critical infrastructure systems”.

She added that the European Union’s (EU) landmark cyber security bill, NIS2, which came into force in 2023, as well as its predecessor NIS1, have led to all sectors in a country’s economy being prepared.

Spanou referred to the Colonial Pipeline ransomware attack against a US fuel pipeline operator in 2021, saying it showed that EU regulations work, as the US administration quickly took a similar approach.

“The impact of the Colonial Pipeline in Europe was limited thanks to the fact that we were prepared. So, I think we have evidence that it works,” she said. “We see how collaboration can also have an impact on avoiding the domino effect.”

Spanou also wanted to make it clear that regulation isn’t there to stifle innovation.

“We innovate through regulation, meaning that the regulations are not just the rules, they’re also the financing programmes, they’re investment programmes. It’s about the level playing field in Europe,” she said.

“But then you need to couple it with encouraging the market to move forward. And the key will be where do we invest? In Europe, we need to invest where the capabilities in other parts of the world are less, where we are stronger.


“We keep launching financing programmes for the use of artificial intelligence (AI), for cyber security, for the implementation of NIS2 and, eventually, the EU Cyber Resilience Act.”

The latter was originally touted in 2021. Building on the EU’s Cybersecurity Strategy and Security Union Strategy, it aims to provide the basis of a worldwide standard for connected devices and software.

To those countries yet to implement NIS2, Spanou said it was in their interest to do so.

“It’s in your risk/benefit analysis. You can decide you will always pay the ransom and not create a more resilient system, or you can implement a robust system and save yourself from becoming constantly vulnerable,” she said.

Failure to comply with NIS2 comes with hefty sanctions. Non-compliance with the regulation’s cyber security risk management and reporting obligations could see organisations fined a minimum of €7,000,000 (or 1.4% of the global annual revenue) up to a maximum of €10,000,000 (or 2% of the global annual revenue). In either case, the company will be fined whichever amount is higher.

“Yes, there are sanctions and fines for not implementing or reporting to governments when you suffer a cyber attack. This is not about punishment, this is about learning from this process and creating a level playing field,” she said, adding that with all member states interconnected, it’s important not to have a weak link.

Spanou also said that the European Union Vulnerability Database (EUVD), which went live in May this year, supports this collaboration.

The EUVD, launched by the European Union Agency for Cyber Security (Enisa), aims to provide “aggregated, reliable and actionable” information on newly disclosed cyber security vulnerabilities in IT products and services.

“It’s available to everyone, and we hope it will also change the way we act on the security culture, and we don’t just talk about it anymore. We are in a culture of intelligence sharing,” said Spanou.
