The EU Cyber Security strategy document provides a schematic of the structure and interrelationships of key influencers of EU PACS policy (Figure 8.2). A triad emphasis on Network and Information Security (NIS), Law Enforcement, and Defence exists – with each tranche having differing yet overlapping scopes of focus. A range of agencies exist at the Pan-EU levels, overseeing individual institutes at national levels across member states. Stakeholders in industry and academia also interact with these three areas depending on specific commercial and research interests.


policy legislation agencies

Figure 8.2 - Structure of the EU PACS Domain (source: EU Cyber Security Strategy)


Within the Network and Information Security (NIS) tranche, the two key agents are the EU Commission (through DG Connect) and ENISA (European Union Agency for Network and Information Security). The European Commission Directorate General for Communications Networks, Content & Technology (DG Connect), is responsible for managing the Digital Agenda for Europe, their mission aiming to ensure that information technology is utilised to drive economic growth and job creation .
ENISA represents Europe’s primary cyber security agency. It is the principle agency responsible for supporting the European Commission, the Member States and the private sector to address, respond and ultimately prevent cyber security problems. ENISA assists the European Commission in preparing, updating and drafting legislation related to NIS. It also acts as a ‘hub’ for exchange of information, best practices and knowledge in the field of Information Security . As the central agency dealing with cyber security, ENISA acts as a facilitator and information exchange for Computer Emergency Response Team (CERTs) both within and outside EU boundaries. For PACS innovators, the ENISA website contains documentation, reports, strategies and guides to help understand EU policy and strategy in the cyber security domain.

The central CERT-EU ( for the EU institutions, agencies and bodies is another unit within the NIS arm of EU policy, and was formed in September 2012 following a successful pilot programme. The CERT-EU team is composed of IT security experts from the main EU Institutions and cooperates closely with other CERTs based both within and outside EU member states, as well as with specialised IT security companies. Besides incident response, CERTs will also provide other security services for customers, such as alerts and warnings, consulting and advisory services and security training. As of January 2014, there were 42 countries included in the ENISA CERT inventory with over 200 CERTs currently active [ENI14].
The NIS Public-Private Platform was announced in the Cybersecurity Strategy of the European Union. It shares the same objective as the Cybersecurity Strategy and the NIS Directive, building on the work of its predecessor, the European Public-Private Partnership for Resilience (EP3R); namely to foster the resilience of the networks and information systems which deliver the services provided by private organisations and public administrations in Europe. The NIS Platform will help implement the measures set out in the NIS Directive and ensure a harmonised application across the EU. The work of the Platform will draw from international standards and best practices.

At the first meeting of the NIS Platform on 17 June 2013, it was decided to set up 3 working groups; (1) WG1 on risk management, including information assurance, risks metrics and awareness, (2) WG2 on information exchange and incident coordination, including incident reporting and risks metrics for the purpose of information exchange; and (3) WG3 on secure ICT research and innovation. WG3 is particularly focussed on identifying key challenges and corresponding desired outcomes in terms of innovation-focussed, applied, but also basic research in cyber security, privacy and trust; proposing new ways to promote truly multi-disciplinary research fostering collaboration among researchers, industry and policy makers. WG3 also aims to co-ordinate PACs research agendas across Europe, including industry research roadmaps and national research and innovation programmes of the member states.

EU Technology Strategy initiatives influencing PACs Policymaking: As part of the Digital Agenda for Europe (, a broad number of overarching macro-ICT initiatives s may also impact on PACs policymaking; key examples at the EU-level include initiatives around cloud computing strategy , improved data driven economy , and (3) Internet of Things among others. The European Cloud Computing Strategy outlines actions to deliver a net gain of 2.5 million new European jobs by 2020 through the use of cloud computing – focusing on areas such as (a) development of safe and fair contract terms and conditions, (b) cutting through vast numbers of competing standards, and (c) establishing a European Cloud Partnership. In relation to future networks, Internet of Things – An Action Plan for Europe [EUR09] outlines some of the key benefits for European society in adopting a network of interconnected objects.

EU Cyber Security Strategy Development
In February 2013, the EU Commission published a key strategic document, entitled “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace” . This strategy sets out the EU policy on the governance of cyberspace and the challenges to be addressed to secure the domain with the ultimate aim to grow the digital economy and ensure appropriate EU defence and cyber resilience. The strategy looks to strike a balance between the needs of societal, defence, law enforcement and industrial stakeholders, and implies the need for many actors to take the responsibility and meet key challenges ahead.
Five key goals within the cyber security strategy include :
1. Achieving cyber resilience.
2. Drastically reducing cyber-crime.
3. Developing an EU Cyber Defence Policy and capabilities in the framework of the Common Security and Defence Policy.
4. Fostering the industrial and technological resources required to benefit from the Digital Single Market.
5. Enhancing the EU's international cyberspace policy to promote EU core values.

Point 1 is crucial as it calls for multi-stakeholder engagement between public and private sector actors to achieve greater cyber resilience. It also calls for the development of requisite legislation and standards, and a multi-pronged approach to developing a resilient network and information security environment across Europe. At the core of this is a belief that public private partnerships are a necessity to ensure pan-European network and information security. Close cooperation across the various stakeholders becomes even more critical when analysing how to coordinate information exchange around a highly volatile environment (the internet) across twenty eight Member States. Since network and information systems are privately owned it is vital to get Internet Service Provider (ISP) buy in. Thus the strategy highlights the need to incentivise private sector organisations to share information.

Improving EU PACs Market Competitiveness and Quality of Solutions: Point 4 is particularly relevant from an innovator’s perspective – particularly developments around creating appropriate incentives to stimulate appropriate PACS market behaviour, and to strengthen the competitive position of European PACs vendors. It is acknowledged that while Europe has excellent research and development capacities, many of the global leaders providing innovative ICT products and services are located outside the EU. In particular it highlights the need for greater public-private partnership among PACs stakeholders, such that they can identify ever-improving cybersecurity practices across the value-chain. This was a key motivator towards setting up the NIS Public-Private Platform in June 2013. Other key initiatives suggested to improve innovation potential within the EU PACs marketplace include:
• Create appropriate incentives for market actors to carry out appropriate risk management and adopt best security standards and solutions. Within this, framing of appropriate standards and incentives is crucial. Another incentive mentioned in the strategy is labelling indicating adequate cybersecurity performance which could then be used as a unique selling point [EUR13].
• Establish improved EU-wide certification schemes to carry out appropriate risk management and adopt security standards and solutions, building on existing EU and international initiatives
• Promote adoption of coherent approaches among EU member states to avoid disparities causing local disadvantages for businesses.

The commercialisation of Research and Development is also addressed in the strategy. R&D is seen as an important component to developing an indigenous internal market and also as a way of promoting trustworthy ICT. The latter looks to support research into cyber security, ranging from cryptology to biometrics research . This message is highlighted in Digital Agenda 2020 that preceded the strategy and the Horizon 2020 Framework Programme for Research and Innovation that has followed it.
National-Level cyber security strategies within Europe: most European countries have defined and updated their national cyber security strategies in recent years, with present strategies and initiatives tracked and assessed by several recent ENISA case studies in particular [ENI14] [ENI12]. Much of this analysis has played a key role in identifying the need for a harmonised EU cyber security strategy, and in informing its content. Typical points covered in existing cyber security strategies include (1) definition of cyber security governance frameworks, (2) definition of appropriate platforms to enhance public-private partnerships), (3) clearly outlining necessary policy and regulatory measures and defined roles, (4) goals and means around creating improved national capabilities and legal frameworks around cybercrime, (5) structured identification of key national critical infrastructures, and explicit plans for protecting them, and (6) defining a systematic and integrated approach to national risk management, (7) provisioning appropriately for training, awareness and skills development.

Other cross-cutting Initiatives: Several other cross-cutting strategic initiatives at EU-level that are worth noting for PACs innovators. These include:
• The European Programme for Critical Infrastructure Protection (COM(2006)786) - aims to improve protection of critical infrastructure in the EU, achieving it by implementing key legislation set out in communications
• Electronic identification and trust services (eIDAS) - boost trust and convenience in secure and seamless cross-border electronic transactions by promoting the widespread use and uptake of electronic identification and trust services (eIDAS services) .
• Regulatory framework for electronic communications - aims to establish a harmonised framework for the regulation of electronic communications networks and services, thereby increasing competitiveness in the telecoms and networks-related industry sectors
• Cloud Service Level Agreement Standardization Guidelines - aims to provide a set of SLA standardisation guidelines for cloud service providers and professional cloud service customers, while ensuring the specific needs of the European cloud market and industry are taken into account. 

Selected PACs Strategy initiatives in the US and Other Regions

Key selected PACs strategy initiatives in the US and other regions are indicated in Table 8.2.

US “Strategy for Cyberspace”: The US White House released their International Strategy for Cyber-space in May 2011, describing a set of activities across seven interdependent areas involving collaboration involving government, international partners, and the private sector:

  • “Economy”: Promoting International Standards and Innovative, Open Markets.
  • “Protecting Our Networks”: Enhancing Security, Reliability, and Resiliency.
  • “Law Enforcement”: Extending Collaboration and the Rule of Law.
  • “Military”: Preparing for 21st Century Security Challenges.
  • “Internet Governance”: Promoting Effective and Inclusive Structures.
  • “International Development”: Building Capacity, Security, and Prosperity.
  • “Internet Freedom”: Supporting Fundamental Freedoms and Privacy.

NIST Critical Infrastructure Protection Framework: In February 2013, President Obama issued a formal executive order (13636) requesting formal support for improving critical infrastructure cybersecurity. The order called for the development of a voluntary, risk-based Cybersecurity Framework - a set of standards, guidelines and practices to help organisations manage cyber risks. NIST was charged with developing this framework in conjunction with public sector bodies (including the Department of Homeland Security, Office of National Counter Intelligence & National Security Agency) and private sector organisations. 

In response, NIST conducted four cybersecurity workshops, and it consulted with more than 3,000 individuals and organisations on best-practices for securing IT infrastructure prior to releasing the framework in February. The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organisation’s risk management processes. The framework has been designed for application across any organisation regardless of size. Following on from the Executive Order, the framework offers a methodology to protect privacy and civil liberties to help organisations incorporate those protections into a comprehensive cybersecurity program [NIST14]. This has become an even more critical aspect to cyber security in the US since the PRISM scandal broke.

The framework is described as a “living document” and future areas for improvement have already been prescribed, for example in (1) authentication, (2) automated indicator sharing, (3) conformity assessment, (4) data analytics, (5) international aspects, impact and alignment (6) privacy, and (7) supply chains and interdependencies.

ITU Global Cybersecurity Agenda:  In May 2007, the International Telecommunication Union (ITU) launched the Global Cybersecurity Agenda (GCA) [20] to provide a framework within which an international response to the growing challenges to cybersecurity can be coordinated and addressed. The GCA is based on international cooperation and strives to engage all relevant stakeholders in a concerted effort to build confidence and security in the information society. Key GCA strategic pillars (or work areas) include (1) legal measures; (2) technical and procedural measures; (3) organisational structures; (4) capacity building; and (5) international co-operation. The ITU also established a generic model for individual countries to consider when implementing, elaborating or renewing cyber security strategies [ITU11].

OECD Policies for Information Security & Privacy: published in 2009, it provides a compendium of OECD policy and strategy recommendations from 1980 to 2008 [OECD09]. It covers a number of critical issues including critical infrastructure protection and telecommunications security.

NATO’s Policy on Cyber-Defence: outlines NATO members approach to cyber defence. Whilst principally concerned with defence of military networks, the principles outlined in the policy have a wider applicability.

 Table 8.2 – Key Selected PACS strategy initiatives in the US and other regions

Return to Policy Framework and Legislation


[ENI12] National Cyber Security Strategies, ENISA,

[ENI14] ENISA – CERT Inventory - Inventory of CERT teams and activites in Europe, June 2014

[EUR09] "Internet of Things – An Action Plan for Europe "

[EUR13] Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions—Cybersecurity Strategy of the European Union: An Open, Safe, and Secure Cyberspace” pg.12 - Issued February 7, 2013,

[ITU11] ITU National Cybersecurity Strategy Guide (Annex 2) Technical Solutions, published September 2011,

[OECD09] OECD Policies for Information Security & Privacy, 2009 -



Getting Started

Which type of company are you? Choose one of the options below and get a head-start.

Framework Overview

Navigate through the different parts of the Framework


Joomla! Debug Console


Profile Information

Memory Usage

Database Queries