EU4Digital: Improving Cyber-Resilience in the EAP-Countries
Cybersecurity incidents generate a significant cost for the global economy and undermine trust in the digital society. With the evolution of cybercrime to an affordable crime-as-a-service-based business model that supports the entire cybercrime value chain and drives the digital underground economy, the range of threat vectors has multiplied significantly. At the same time, cyber tools are used to pursue particular political, economic, financial and strategic interests, including through disinformation campaigns or hybrid operations targeting critical financial, energy, or transportation infrastructure. As cyber threats began to have a stronger societal impact, the understanding of resilience has shifted from a purely technical account to one that concerns also strategic and operational dimensions across the whole range of policy areas. Due to the multi-dimensional nature of threats in cyberspace, they require flexible and adaptable governance models to counter them, accompanied by comprehensive and crosscutting policies that engage the many levels and with different actors, institutions and individuals involved. Consequently, the focus on risks and vulnerabilities in the context of building cyber resilient states and societies addresses security not merely as an objective in itself but rather as means towards achieving broader developmental objectives. Information security is paramount to the protection of fundamental rights of citizens as enshrined in the Charter of Fundamental Rights of the EU, as well as the fight against cybercrime and the protection of democracy and the rule of law.
The project takes place within the framework of the overarching EU4Digital Program through which the EU support the harmonization of digital markets in the Eastern Partnership (EaP) countries. Against this background, this regional action focusses on further developing the approximation of all EaP Partner countries to the EU basic pillars on cybersecurity, taking into account the different level of advancement between the EaP countries.
The objective of the project is to develop technical and cooperation mechanisms that increase cybersecurity and preparedness against cyber-attacks, in line with the EU standards. The project combines three components:
- Strengthen the national cybersecurity governance and legal framework across the EaP countries, in line with the EU NIS Directive: The main purpose of this Component is to strengthen governance systems and legal frameworks, including cybersecurity strategies and implementation documents, in line with the NIS Directive (tailored approximation), and to reinforce public-private partnerships and networks with civil society for their formal and structured involvement and participation. The EaP countries will also be supported in their efforts to increase public awareness about cyber hygiene.
- Develop frameworks for the protection of operators of essential services (OES) and critical information infrastructure (CIIP) in the EaP countries, in line with the EU’s relevant policy and legal frameworks: The main purpose of this component is to strengthen protection frameworks for critical information infrastructure (CII) and OES, in line with the NIS Directive, including the identification of owners/service providers of CII and OES, technical advice and measures for risk management at CII and OES, and the development of notification and information sharing frameworks on major incidents in CII.
- Increase the operational capacities for cybersecurity incidents management in the EaP countries: The main purpose of this component is to strengthen operational capabilities for cybersecurity incident management of national/governmental Computer Emergency Response Teams (CERTs) at three levels, namely capacity development within the respective CERTs and action planning towards full operational status; cooperation between CERTS and owners/service providers of CII and OES in the respective EaP countries and establishment of a reporting, monitoring and threat assessment mechanism, and cooperation between CERTs in the EaP countries, as well as regional and international cooperation on cyber incident response, mitigation and management.