Continuing Signs of Progress on Cybersecurity Policy in the EU

By Danielle Kriz, Sr Director, Global Policy, Palo Alto Networks

On April 5–6 in The Hague, the Dutch government hosted its International NCSC One Conference 2016, an annual cybersecurity event it has held since 2008. Nearly 1,000 people from government, industry, and academia attended the conference, including from across Europe, the United States, Russia, and Japan. The theme of this year’s One Conference, “Protecting Bits & Atoms,” was chosen to focus on the increasingly connected physical and digital worlds.

The Netherlands is aggressively focusing on cybersecurity. In fact, as European companies and governments have paid growing attention to cybersecurity in recent years, the Dutch are emerging as leaders on cybersecurity matters in the EU, lending their support to activities at the EU level, as well as globally.

The Dutch have made cybersecurity a priority for their EU Presidency, which runs from January through June 2016. The government expects the EU Network and Information Security (NIS) Directive, the text of which was preliminarily agreed to in December, to go into effect on its watch. As of this writing, the latest expectations are that the Directive will be adopted by the European Council in May and published in the Official Journal of the European Union in June. At that point, its implementation clock starts ticking. After three years of activity in Brussels to finalize the Directive, Member States, such as the Netherlands, now will take a larger role, working with European policymakers to make the Directive a reality through its implementation.

The Dutch are eager to help industry and governments prepare for the Directive. A full track of the One Conference was devoted to EU policies, providing the European Commission with a platform to explain the forthcoming requirements on industry – namely risk management, security, and incident notification. The Dutch National Cyber Security Centre (NCSC) pulled together Member State national Computer Security Incident Response Teams (CSIRTs) in a public “meet and greet” to share best practices and kickstart the CSIRT coordination network laid out in the NIS Directive. Although CSIRTs in Europe are not new, not all Member States currently have them, and the NIS Directive instructs Member States to set them up and for them to coordinate via a secretariat hosted by the European Union Agency for Network and Information Security (or, as it’s more commonly known, ENISA).

The Dutch also plan to pull their peers together in May, when the Ministry of Security and Justice will host a meeting on cybersecurity for high-level officials from the Member States, as well as industry, called “Enabling partnerships for a digitally secure future for EU.” The purpose of the meeting is to examine best practices in cybersecurity and to discuss future developments in terms of strengthening European cooperation. One of the meeting’s themes is public-private partnerships.

These efforts are not new; the Netherlands’ actions in cybersecurity have been building. In April 2015, the country held the Global Conference on Cyberspace, which defined global challenges and opportunities related to the Internet. Coming out of that conference, the Dutch launched the Global Forum on Cyber Expertise (GFCE), a forum for cyber capacity building. In the GFCE over 50 organizations and states work together on practical initiatives to strengthen cybersecurity, fight cybercrime, protect online data, and support e-governance.

Not only are the Dutch efforts welcome and important, but their approach is essential. The Netherlands views public-private partnerships as the path to more effective cybersecurity. Patricia Zorko, Deputy National Coordinator for Security and Counterterrorism in the Ministry of Security and Justice, appealed to One Conference attendees to share their expertise. She urged organizations to make cybersecurity a priority in their boardrooms, reflecting the Dutch government’s belief, and that of a growing number of organizations in Europe, that cybersecurity must be seen as much more than an IT issue.

The Dutch government points out that The Hague has a unique ability to play a pivotal role in cybersecurity. The city already is the “International City of Peace and Justice” (it is the United Nations' second city, after New York), and the Dutch see themselves extending that mission into helping keep cyberspace resilient and facilitating a thriving global digital economy. Having witnessed and participated for years in discussions about cybersecurity public-private partnerships, it is inspiring when those partnerships begin to crystallize and result in concrete actions, such as the Global Forum on Cyber Expertise. Palo Alto Networks looks forward to supporting initiatives and policies in the Netherlands, and throughout the EU to increase our collective, global cyber resilience.