With 24 % of cyber threats affecting the public sector, it is not just necessary to raise awareness about cybersecurity for the protection of our organisations and values, but also to unite as EU institutions to protect individuals.
Whilst cybersecurity efforts cannot be confined to a single month and require continuous dedication, it is important to me, and to the EDPS at large, to take part in the EU’s Cybersecurity Month (ECSM) held each year in October. The annual ECSM campaign offers experts in the field an opportunity to promote, share and evaluate the actions taken in this area. Much like the annual check-ups that one must do for one’s health, cybersecurity requires periodic checks too, to ensure that, as EU institutions, we have the ability to defend the digital environment we live in.
It is in this spirit that I took part in the European Parliament’s Cyber Days in a panel discussion on how EU institutions, their IT experts, and other relevant actors, can work towards building resilience and strengthening cybersecurity capacities together.
One cannot consider cybersecurity separately from data protection. Together, they provide a powerful set of complementary measures and tools to protect individuals’ personal data, their privacy, and the EU’s digital ecosystem as a whole. They are also instrumental to upholding EU values and democracy, which is critical ahead of the next European Parliament elections in 2024.
In essence, cybersecurity and data protection are inseparable: they are two sides of the same coin.
But, how can this be achieved practically? This was the central theme of my remarks as a panelist.
Observing the evolving regulatory landscape over the last years, one can recognise the progress made towards harmonising cybersecurity practices across the EU with, for example, NIS2 - the Directive on security of network and information systems (Directive (EU) 2022/2555), which entered into force in January 2023 and is addressed to EU Member States. It represents a radical change in the EU’s cybersecurity strategy: a legal instrument that makes IT security and cybersecurity risk management mandatory for the organisations within its scope. I can also point to the Proposal on measures for a high common level of cybersecurity in the EU institutions, on which the EDPS gave its advice from a data protection perspective, offering its structural contribution as the authority competent for the protection of individuals’ privacy and personal data.
These initiatives, and others like them, are an opportunity to integrate privacy and data protection into cybersecurity management in a structured and effective way, serving as an example for wider cybersecurity governance at EU level. Following the principle of data protection by design (Article 25 GDPR and, for the EU institutions, Article 27 of Regulation (EU) 2018/1725) ensures that data protection is built into an organisation’s cybersecurity strategy from the outset. This protects the organisation’s assets, its people and the people whose data it processes. To achieve this, close collaboration between Data Protection Officers and IT security departments is essential.
Combining data protection and cybersecurity is also important because, in order to protect communications and data, cybersecurity measures often have to process personal data themselves: security logging, network monitoring and threat detection tooling, for instance, routinely handle IP addresses, user identifiers and communication metadata. Data protection and cybersecurity should therefore act as a mutual benchmark, each complementing the standards of the other. An EU institution that protects individuals’ privacy and personal data is one that both puts measures in place to prevent cyberattacks and mitigate the connected risks, and ensures compliance with EU data protection legislation, including the ePrivacy Directive - the directive on privacy and electronic communications. In practice, this requires a continuous assessment of the cybersecurity measures in place, to verify whether the personal data they process is necessary for the security objective and whether the same objective can be achieved with less intrusive means, for example by minimising the data collected, pseudonymising it or limiting how long it is retained.
Another example of how cybersecurity and data protection reinforce each other is the role of cryptography: encryption preserves the confidentiality of personal data, while message authentication codes and digital signatures preserve its integrity. Together they are the building blocks of advanced privacy-enhancing technologies.
During the panel discussion, the relationship between Artificial Intelligence (AI), data protection and cybersecurity was also addressed.
The duality of AI demands careful consideration. On the one hand, it may have the potential to enhance current cybersecurity solutions. On the other hand, AI, and generative AI in particular, allows for the production of fake images, videos and text, which cybercriminals can exploit to impersonate individuals in social engineering attacks, for example. The same technology can be used to damage individuals’ reputations and to spread disinformation, becoming a real threat not only to individuals but to our democratic process as well. In relation to this topic, the EDPS has contributed to various fora to raise awareness of the risks of generative AI, and we will continue to do so.
I eagerly anticipate engaging in further discussions related to cybersecurity in the upcoming month, both as part of the EU’s Cybersecurity Month (ECSM) and in ad-hoc initiatives. What remains clear, and what the EDPS stands for, is a legal, strategic and operational approach to cybersecurity that integrates fundamental rights by design, including the rights to privacy and to the protection of personal data, which are key to protecting the EU’s citizens and the EU’s data from cyberattacks. These efforts, in turn, have a direct effect on the ability to uphold individuals’ freedoms, the rule of law and democracy. EU institutions have a pivotal role to play in leading by example in this collective endeavour.