Challenges to effective EU cybersecurity policy

The objective of this briefing paper, which is not an audit report, is to provide an overview of the EU’s complex cybersecurity policy landscape and identify the main challenges to effective policy delivery. It covers network and information security, cybercrime, cyber defence and disinformation. The paper will also inform any future audit work in this area.

We based our analysis on a documentary review of publicly available information in official documents, position papers and third-party studies. Our fieldwork was carried out between April and September 2018, and developments up to December 2018 are taken into account. We complemented our work with a survey of the Member States’ national audit offices, and through interviews with key stakeholders from EU institutions and representatives from the private sector.

The challenges we identified are grouped into four broad clusters: i) the policy framework; ii) funding and spending; iii) building cyber-resilience; iv) responding effectively to cyber incidents. Achieving a greater level of cybersecurity in the EU remains an imperative test. We therefore end each chapter with a series of ideas for further reflection by policy-makers, legislators and practitioners.

We would like to acknowledge the constructive feedback received from the services of the Commission, the European External Action Service, the Council of the European Union, ENISA, Europol, the European Cybersecurity Organisation, and national audit offices of the Member States.