
Closing the Gaps in EU Cybersecurity: Let’s Get It Right

Bolstering cybersecurity is a challenge facing boardrooms and government officials around the world. While technology is enabling us to be smarter about how we communicate, create, and solve problems, it has also introduced new risks which must be managed.

In Brussels next week, Member States will meet in Coreper as they continue to work toward consensus on a Network and Information Security (NIS) Directive aimed at harmonizing cybersecurity laws across Europe. That is no small feat when negotiating among 28 countries. A report released this week by BSA charts just how big a task they have before them.

The BSA EU Cybersecurity Dashboard is a first-ever analysis of national cybersecurity laws and policies in the EU. It finds that an unhelpful patchwork exists in Europe when it comes to cyber protections. While some countries have strong cybersecurity legal frameworks (the UK, Germany and Estonia, for example), others still have much work to do. But the report makes clear that considerable discrepancies exist between Member States’ laws and operational capabilities, resulting in gaps and fragmentation that could put the entire Single Market at risk.

Encouragingly, the report finds that most EU Member States recognize cybersecurity should be a national priority, with a particular focus on ensuring the cyber resilience of critical infrastructure. Critical networks and infrastructure — transport, energy, banking — are where disruption would do the most harm. BSA has argued for some time that the NIS Directive should build a foundation of cybersecurity readiness in Europe by focusing on critical infrastructure, since that’s what needs protecting most.

MEP Andreas Schwab, the European Parliament rapporteur on the NIS Directive who joined BSA at the release of the EU Cybersecurity Dashboard in Brussels earlier this week, agrees. At the launch debate Tuesday, he called for a Directive that provides a “comprehensive minimum harmonization approach,” starting with critical infrastructure.

Among the gaps the report highlights is a lack of cooperation between governments and the private sector on cybersecurity. This issue was similarly called out by US President Obama at a cybersecurity summit held in California last month where he signed an executive order aimed at encouraging better information sharing between the public and private sectors in the US when it comes to cyber-attacks.

Likewise in Europe, most infrastructure is owned by the private sector, making public-private cooperation essential – yet only five EU Member States have an established framework for public-private partnerships on cybersecurity. The more communication and coordination taking place between EU governments and the private sector, the more resilient Europe will be in the face of evolving cybersecurity threats.

The EU Cybersecurity Dashboard outlines the fundamental elements of a strong legal cybersecurity framework — from establishing strong legal foundations, to engendering trust and working in partnership, to promoting cybersecurity education. These building blocks provide valuable insight for national governments who will ultimately implement cybersecurity rules and policies.

The report also provides guidance on what not to do, as some governments around the world are unfortunately using cybersecurity as justification for protectionist rules that reduce choice and undermine cyber protections. That includes avoiding country-specific cybersecurity standards, obligations to disclose sensitive information such as source code or encryption keys, data localization requirements, or preferences for indigenous providers among other unhelpful policies.

For the Member States, as they attempt to complete work on the NIS Directive before negotiations begin with the Parliament later this spring, the BSA EU Cybersecurity Dashboard could help focus their efforts on achieving a baseline level of cybersecurity preparedness across a diverse and very uneven landscape.

The NIS Directive is the first-ever EU cybersecurity legislation. Its primary aim is to strengthen public sector agencies and improve pan-European coordination on cybersecurity incidents. A targeted, proportional and risk-based approach, focusing first on protecting the critical infrastructure that is essential for Member States’ economic and national security, public health and safety, is therefore the best way to achieve this. Extending the scope of the NIS Directive beyond critical infrastructure risks undermining the aim of the Directive to preserve the security of infrastructure and systems that are essential to our economy and society.

The full report, along with detailed summaries of the findings for all 28 EU Member States, is available at As national governments update their frameworks and as we collect new information, we intend to update the EU Cybersecurity Dashboard online to show progress across the relevant areas. We invite you to review the results and contact us with information regarding updates and changes.

Thomas Boué


Thomas Boué oversees the BSA | The Software Alliance’s public policy activities in the Europe, Middle East and Africa region. He advises BSA members on public policy and legal developments and advocates the views of the ICT sector with both European and national policy makers. He leads on security and privacy issues as well as broader efforts to improve levels of intellectual property protection and to promote open markets, fair competition, and technology innovation in new areas such as cloud computing.

Prior to joining BSA, Boué served as a consultant in Weber Shandwick where he advised clients on a wide range of technology and ICT-related policy issues and represented them before the EU institutions and industry coalitions. In this role, he also served as policy and regulatory adviser for both EU and US telecom operators. Prior to that Boué worked for the EU office of the Paris Chamber of Commerce and Industry where he was responsible for the lobbying activities towards the EU Institutions in the areas of trade, education, and labor, as well as for the organization and running of seminars on EU affairs for SMEs and business professionals.

Boué holds a Master of Business Administration from the Europa-Institut (Saarbrücken, Germany), a Certificate of Integrated Legal Studies (trilateral and trilingual Master’s degree in French, English, German and European Law, from the Universities of Warwick (UK), Saarland (Germany) and Lille II (France)), as well as a Bachelor of Arts in Law from the University of Lille II, France. He is based in BSA’s Brussels office.
