European Union

On 1 and 2 October 2020, the European Council adopted conclusions on COVID-19, the Single Market, industrial policy, digital and on external relations.

The Council removed Agila Saleh and Nuri Abu Sahmein from the list of individuals and entities subject to restrictive measures in relation to the Libyan conflict.

Source : © European Union, 2020 - EP

Rule of law deficiencies in member states mean EU funds may be used to undermine European values. MEPs are demanding new tools to tackle the problem.

Source : © European Union, 2020 - EP

Rule of law deficiencies in member states mean EU funds may be used to undermine European values. MEPs are demanding new tools to tackle the problem.

Source : © European Union, 2020 - EP

Eva Saeva, Postgraduate Researcher at Newcastle Law School

The COVID-19 pandemic hit the world hard. While medical researchers are racing to find a vaccine, malicious actors are exploiting the new range of possibilities to interfere with IT devices. Cybersecurity has become a prominent feature of the pandemic, especially in the health sector.

Photo: Virus, Yuri Samoilov via Flickr, yuri.samoilov.online

This blog explores how the European Union has dealt with the impact of the pandemic on the health sector across its Member States and whether the present cybersecurity legislative framework was sufficient to protect it. It examines how existing legislation applies to attacks against this critical infrastructure (CI) sector and will identify key takeaways in terms of the EU’s legal cybersecurity preparedness to act in times of crisis.

The current legal framework for cybersecurity is built upon the three pillars identified in the 2013 ‘EU Cybersecurity Strategy’: law enforcement, network and information security (NIS), and defence. The Directive on Attacks against Information Systems (2013), regulating illegal activities, such as access to information systems or data interference, belongs to the first pillar. The second, NIS, is the most developed pillar and includes legal instruments, such as the NIS Directive (2016, to be reviewed later this year), the Cybersecurity Act (2019) and the proposal for a Regulation establishing a Cybersecurity Competence Centre and Network. The least developed pillar is (cyber) defence and as such the EU has relatively weak powers in this particular field. The most relevant measure here is the Cyber Diplomacy Toolbox, adopted in 2017. Cybersecurity is also found in various sectorial legislative measures such as the European Electronic Communications Code (2018), the Recommendation on Cybersecurity for 5G networks (2019), the White Paper on Artificial Intelligence (2020), among others.

The measures analysed in this blog will be the NIS Directive and the Cyber Diplomacy Toolbox because of their relevance to the COVID-19-related cyberattacks seen across Member States.

The NIS Directive, the first EU overarching cybersecurity law, aims to achieve a high common level of security of network and information systems in the Union. It applies to attacks targeting the CI sectors, including the health sector. It establishes the criteria for identifying operators of essential services (OESs) in each sector. According to article 5(2), these are entities which provide services “essential for the maintenance of critical societal and/or economic activities”, that the service depends on network and information systems and an incident “would have significant disruptive effects on the provision of that service”. This means not all hospitals or medical centres would qualify as OESs. But, for example, the biggest hospital in a large city would. However, which institutions are the OESs in a given sector, as identified by the Member States, is not publicly accessible information.

The Directive also sets security requirements for the OESs. Article 14 (1) and (2) imposes obligations for OESs to adopt risk management, as well as preventive measures for incidents that could affect the security of their systems.

The COVID-19 pandemic was the first large-scale cybersecurity-resilience challenge some Member States had to encounter. The correct implementation and enforcement of the NIS Directive was tested. Even though health institutions across various (current and former) Member States were targeted (Italy, the UK, France), the March and April attacks in the Czech Republic provide the most relevant case study.

The March 2020 attack targeted a hospital in Brno, the second largest city in the Czech Republic. It reportedly brought IT systems to a complete halt. Daily work was thus affected, new patients had to be re-routed to different hospitals and operations postponed. At the time of the attack, the hospital was also performing COVID-19 testing. While there is no certainty that this hospital was identified as an OESs under the NIS Directive, it certainly meets the criteria. In which case, Czech officials failed to correctly implement and enforce the security requirements listed above.

A month later, the health sector in the Czech Republic suffered another series of attacks. While “unsuccessful”, and although Czech officials never officially attributed the attack to a foreign state, it was reported Russia might be behind them. The allegations were officially labelled “fake news” by Russian officials. However, if foreign interference indeed took place, this would have additional legal implications as it might have constituted wrongful act under international law. According to the Cyber Diplomacy Toolbox, the EU has reaffirmed the recommendations for States not to “conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure”, adopted by the UN Group of Governmental Experts’ 2015 report. The Toolbox further states that even though attribution of an attack to a foreign actor is a sole responsibility of the state, there could be a joint EU diplomatic response.

In terms of the EU reaction, in his declaration on 30 April 2020, the High Representative Borell referenced cyberattacks on the health sector, stating that the EU and its Member States condemned “malicious behaviour in cyberspace”. In June, Commission’s President von der Leyen seemingly pointed a finger at China, stating attacks on hospitals “cannot be tolerated”. Neither statement referenced the Czech attacks specifically. No mention was made of the consequences of a failed implementation of the cybersecurity law. No mention of the possibility of a foreign interference within the territory of an EU Member State. No mention of an EU-level response in support of a targeted Member State. And while the Union has remained silent, on 17 April 2020, the US Secretary of State Pompeo explicitly referenced the Czech attacks, declaring that anybody engaging in such activities against allies should “expect consequences”, implicitly undermining the EU’s authority and making it seem unprepared to respond.

The COVID-19 pandemic and the pressure it put on the health sector have exposed the shortcomings of the overall EU approach to cybersecurity. While norms exist, enforcement is key – both at Member State and at EU level. If the EU wants to be a leader in promoting the regulation of cyberspace, including the protection of CI sectors or responsible State behaviour, it needs to be more assertive when its Member States fall victim to cyberattacks. The lack of reaction questions the willingness of the EU to enforce its own measures.

The post Cybersecurity and the EU: lessons from the COVID-19 crisis appeared first on Ideas on Europe.

Entry into office of new Members at the Court of Justice of the European Union
Entrée en fonctions des nouveaux membres à la Cour de justice de l’Union européenne

Joint Statement of the Co-Presidents of the ACP - EU Joint Parliamentary Assembly on maintaining the Joint Assembly in the future Partnership Agreement.
Committee on Development

Source : © European Union, 2020 - EP

Joint Statement of the Co-Presidents of the ACP - EU Joint Parliamentary Assembly on maintaining the Joint Assembly in the future Partnership Agreement.
Committee on Development

Source : © European Union, 2020 - EP

In a debate with Council President Charles Michel on the past and forthcoming European Summit, MEPs called for clear-cut decisions, not watered-down compromise.

Source : © European Union, 2020 - EP

In a debate with Council President Charles Michel on the past and forthcoming European Summit, MEPs called for clear-cut decisions, not watered-down compromise.

Source : © European Union, 2020 - EP

État luxembourgeois (Droit de recours contre une demande d’information en matière fiscale)
DFON
The right to an effective remedy guaranteed by the Charter of Fundamental Rights of the European Union requires that persons who hold information that is requested by the national administration, in the context of a cooperation procedure between Member States, must be able to bring a direct action against such a request. Nevertheless, Member States may deny the taxpayer subject to the tax investigation and the third parties concerned by the information in question the right to bring such a direct action, provided that there are other remedies enabling them to obtain an incidental review of that request

Jobcenter Krefeld
Freedom of movement for persons
Un ancien travailleur migrant et ses enfants bénéficiant d’un droit de séjour au titre de la scolarisation des enfants ne peuvent pas être automatiquement exclus de prestations sociales de base prévues par le droit national au motif que ce travailleur est tombé au chômage

Commission v Hungary (Enseignement supérieur)
Freedom of establishment
The conditions introduced by Hungary to enable foreign higher education institutions to carry out their activities in its territory are incompatible with EU law

Bank Refah Kargaran v Council
Law governing the institutions
The Court of Justice upholds the judgment of the General Court dismissing Bank Refah Kargaran’s action for damages for the harm suffered as a result of the restrictive measures adopted concerning it

La Quadrature du Net and Others
Approximation of laws
The Court of Justice confirms that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security

Tuesday, 6 October

Source : © European Union, 2020 - EP

MEPs stressed that Council’s recent proposals did not go far enough to create a practical instrument linking the EU’s funds to the respect of rule of law.
Committee on Budgets
Committee on Budgetary Control

Source : © European Union, 2020 - EP

From 9.15, MEPs are to assess the results of the special European Council meeting, in particular on escalating tensions between Turkey and its EU neighbours.

Source : © European Union, 2020 - EP

Source : © European Union, 2020 - EP