Responding to cyberattacks: a European approach 

Cyberattacks and cyberthreats have become increasingly prominent in the news. Every month there is at least one major cyberattack featured in European mass media, while thousands go unnoticed and unreported. If cyber threats and cyberattacks are becoming an everyday reality, how can society respond, and who is responsible for that response?  

The literature 

As part of the CYBERSPACE project, Trilateral Research conducted a systematic literature review of over a hundred policy documents, academic books and articles from European and North-American authors in the field of cybersecurity. A general observation was that the literature covers ‘threats’ more than ‘responses’. This is not surprising, as cybersecurity and cyberthreats are a moving target. The majority of the literature thus focuses on the constant evolution and changes in threats and comparatively less attention is given to lasting and evolving responses to cyber threats. 

However, the literature does offer some solutions, mostly in the form of cyber-defence and cyber-offence (the latter sometimes also referred to as ‘active defence’) against threat actors. In the majority of cases, the literature positions the responsibility for such actions against threat actors with the state, and this narrative is more prevalent in the North-American literature. We observed a slight bias in the literature towards defence over offence. In addition to these high-level, state-owned responses, ‘honourable mentions’ in the literature on responses to cyberattacks also include: 

  • regulating and legislating the cyber domain 
  • market incentives for increased cybersecurity 
  • information sharing, and raising awareness among business and citizens of cyber threats 
  • upskilling of the workforce 
  • investing in cybersecurity research. 

However, when the ‘theory’ is compared to actual policy initiatives in Europe, specifically in the United Kingdom (UK) and the European Union (EU) as a whole, the responses are more nuanced and diverse. 

The CYBERSPACE project focuses on the European Union response to cyberattacks. A key finding is that the EU is moving towards an ‘all-of-society’ approach to tackling cyberattacks and cybersecurity. In comparison, the UK matches the EU’s approach, but is even more explicit in its National Cyber Strategy 2022 about its ‘whole-of-society’ approach, as well as more open to developing offensive cyber capabilities, which the EU as a whole is lacking. 

Cyber-defence cooperation 

The EU and the UK aspire to develop strong cyber-resilience against external attacks. Given the asymmetric nature of cyberattacks (meaning that small groups of non-state actors or state-sponsored actors can have a major impact on national economies and security), the EU and UK have to ensure that any offensive actions are proportionate and do not endanger international relations. The main top-level response in the form of cyber defence is cooperation between states and the development of cyber-defence capabilities. The UK established its National Cyber Force, a partnership between the Ministry of Defence and the intelligence services, while the EU is developing a slightly more ambitious, cross-sectoral Joint Cyber Unit that also includes cooperation with law enforcement, cyber-diplomacy and the network of European crisis response teams. 

Legislation and governance 

The EU has been a forerunner when it comes to regulating and legislating cybersecurity in its internal market. The key legal document that shaped the EU’s cybersecurity policy was Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive). This Directive was transposed into national legislation in all EU Member States and formed the basis of national cybersecurity legislation and strategies. The law required each Member State to designate national competent authorities and computer security incident response teams (CSIRTs), created EU-level structures for information sharing (the NIS Cooperation Group and the CSIRTs network), and imposed security and incident-notification duties on operators of essential services and digital service providers.  

This Directive was revised and published in 2022 as the NIS2 Directive (Directive (EU) 2022/2555). It entered into force on 16 January 2023, with all Member States expected to transpose it into national law by 17 October 2024. The revised law made extensive changes. The new Directive extended the scope of entities considered ‘essential’ or ‘important’ (covering many more sectors and medium-sized as well as large organisations), harmonised administrative fines for non-compliance across Member States (up to EUR 10 million or 2% of worldwide annual turnover for essential entities), tightened incident-reporting timelines and introduced stricter requirements for company boards to approve, oversee and be trained in cyber-risk management. The new legislation puts businesses under considerable pressure to prepare for national implementation from October 2024. 

The most recent piece of legislation is the first of its kind in the world and, at the time of writing, is awaiting final adoption by the European Parliament and the Council of Ministers. The law in question is the Cyber Resilience Act, which sets out horizontal cybersecurity requirements for hardware and software products with digital elements placed on the EU single market. Beyond design-time requirements (such as secure-by-default configuration), the Regulation obliges manufacturers to handle vulnerabilities and provide security updates throughout a defined support period, and to report actively exploited vulnerabilities. It also imposes fines for non-compliant products placed on the EU’s single market. 

Other major laws at the EU level include the Cybersecurity Act (Regulation (EU) 2019/881), which made permanent and extended the mandate of the European Union Agency for Cybersecurity (ENISA) and introduced an EU-wide cybersecurity certification framework as a market incentive for businesses to improve their cybersecurity. 

Market incentives and certification 

Following the Cybersecurity Act and the widening of ENISA’s mandate, the EU worked on developing a set of cybersecurity certification schemes for the EU market. The idea behind the certification schemes was to harmonise cybersecurity certification criteria and processes across EU Member States. This would allow, for example, an ICT product or service to be certified in Ireland and recognised in the Spanish market without the need for re-certification in Spain. In consultation with cybersecurity experts and relevant stakeholders, ENISA developed three initial candidate schemes: one based on the Common Criteria (EUCC), one for cloud services (EUCS) and one for 5G networks and applications (EU5G). Currently, only the EUCC has been adopted, by Commission Implementing Regulation on 31 January 2024. ‘Common Criteria’ refers to the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) and its companion Common Methodology for Information Technology Security Evaluation (ISO/IEC 18045). A practitioner caveat applies: a Common Criteria certificate attests that a specific version and configuration of a product (the target of evaluation) met a stated security target at a given assurance level, not that the product is secure however it is deployed. 

Upskilling, innovation and an all-of-society approach 

The EU is certainly leading with regard to regulating cybersecurity at market level, and is closely followed by the UK in terms of cyber-resilience. Arguably, the United States is also following similar trends in terms of cyber-resilience, the focus on cyber-defence and critical infrastructure. A landmark example of a comprehensive initiative was Executive Order 14028 on Improving the Nation’s Cybersecurity from May 2021, followed by the National Cybersecurity Strategy of March 2023. However, where the US is more notably falling behind is in matching the EU’s and UK’s ‘all-of-society’ strategy for cybersecurity. Namely, the EU’s revised Cybersecurity Strategy from 2020, subsequent revisions of EU Member States’ national cybersecurity strategies and the UK’s National Cyber Strategy 2022 all explicitly mention an ‘all-of-society’ or ‘whole-of-society’ approach to responding to cyberattacks. In essence, the European ecosystem has recognised that the responsibility to protect against cyber attackers is shared by all members of society: the public and private sectors as well as ordinary citizens. In practice, the ‘all-of-society’ approach complements the existing types of responses listed above with additional investment in education, awareness, upskilling of the workforce and innovating businesses, all with the aim of increasing cybersecurity across all of society. The Biden-Harris administration only revealed a National Cyber Workforce and Education Strategy, to “unleash the USA’s cyber talent”, in July 2023, which we see as a positive step forward. 

The following table summarises the EU’s responses to cyberattacks and how these compare to the responses prescribed by the literature.  

Table 1: How do EU responses to cyberattacks line up with measures from the literature?  

Author: Nikola Tomić, Trilateral Research
