  1. Principles
    1. EU's core values apply as much in the digital as in the physical world
    2. Protecting fundamental rights, freedom of expression, personal data and privacy
    3. Access for all
    4. Democratic and efficient multi-stakeholder governance
    5. A shared responsibility to ensure security
  2. Priorities
    1. Achieving cyber resilience
      1. Proposal of legislation
        1. Establish common minimum requirements for NIS at national level which could oblige Member States to
          1. Designate national competent authorities for NIS
          2. set up a well-functioning CERT
          3. adopt a national NIS strategy and national NIS cooperation plan
        2. Set up coordinated prevention, detection, mitigation and response mechanisms, enabling information sharing and mutual assistance
        3. Improve preparedness and engagement of the private sector
        4. Commission
          1. [Commission] Launch an EU-funded pilot project early in 2013 on fighting botnets and malware
        5. ENISA
          1. [ENISA] Examine in 2013 the feasibility of ICS-CSIRT for the EU
          2. [ENISA] Continue supporting Member States & EU institutions in carrying out regular pan-European cyber incident exercises
          3. [ENISA] Assist Member States in developing strong national cyber resilience capabilities
        6. European Parliament
          1. [European Parliament] Adopt the proposal for a Directive on a common high level of NIS across the Union
        7. Industry
          1. [Industry] Take leadership in investing in a high level of cybersecurity and develop best practices and information sharing at a sector level and with public authorities
      2. Raising awareness
        1. Ensuring cybersecurity is a common responsibility. End users play a crucial role: they need to be made aware of the risks they face
        2. ENISA
          1. [ENISA] Propose in 2013 a roadmap for a NIS driving licence as a voluntary certification programme to promote enhanced skills and competence of IT professionals
        3. Commission
          1. [Commission] Organise a cybersecurity championship in 2014 where university students will compete in proposing NIS solutions
        4. Member States
          1. [Member States] Organise a yearly cybersecurity month
          2. [Member States] Set up national efforts on NIS education and training by introducing:
            1. training on NIS in schools by 2014
            2. training on NIS and secure software development and personal data protection for computer science students
            3. NIS basic training for staff working in public administrations
        5. Industry
          1. [Industry] Promote cybersecurity awareness at all levels; industry should reflect on ways to make CEO and Boards more accountable for ensuring cybersecurity
    2. Drastically reducing cybercrime
      1. Strong and effective legislation
        1. The EU and the Member States need strong and effective legislation to tackle cybercrime
        2. The EU is also about to agree on a Directive on attacks against information systems, especially through botnets
        3. Commission
          1. [Commission] Ensure swift transposition and implementation of the cybercrime related directives
          2. [Commission] Urge those Member States that have not yet ratified the Council of Europe's Budapest Convention on Cybercrime
      2. Enhanced operational capability to combat cybercrime
        1. Commission
          1. [Commission] Through its funding programmes, support Member States to identify gaps and strengthen their capability to investigate and combat cybercrime
          2. [Commission] Coordinate efforts to identify best practices and best available techniques including with the support of JRC to fight cybercrime
          3. [Commission] Work closely with the recently launched European Cybercrime Centre within Europol and with Eurojust
      3. Improved coordination at EU level
        1. Commission
          1. [Commission] Support the recently launched European Cybercrime Centre as the European focal point in the fight against cybercrime
          2. [Commission] Support efforts to increase accountability of registrars of domain names and ensure accuracy of information on website ownership
          3. [Commission] Build on recent legislation to continue strengthening the EU's efforts to tackle child sexual abuse online
        2. Europol
          1. [Europol] Initially focus in the areas of child sexual abuse, payment fraud, botnets and intrusions
          2. [Europol] On a regular basis produce strategic and operational reports on trends and emerging threats to identify priorities and target investigative actions
        3. European Police College
          1. [CEPOL] Coordinate the design and planning of training courses to equip law enforcement with the knowledge and expertise to tackle cybercrime
        4. Eurojust
          1. [Eurojust] Identify the main obstacles to judicial cooperation on cybercrime investigations and to coordination between Member States
        5. Eurojust & Europol
          1. [Eurojust & Europol] Cooperate closely, inter alia through the exchange of information
    3. Developing cyberdefence policy and capabilities
      1. [High Representative]
        1. [HR] Assess operational EU cyberdefence requirements and promote the development of EU cyberdefence capabilities
        2. [HR] Develop the EU cyberdefence policy framework to protect networks within CSDP missions and operations
        3. [HR] Promote dialogue and coordination between civilian and military actors in the EU
        4. [HR] Ensure dialogue with international partners, including NATO, other international organisations and multinational Centres of Excellence
    4. Develop the industrial and technological resources for cybersecurity
      1. There is a risk that Europe not only becomes excessively dependent on ICT produced elsewhere, but also on security solutions developed outside its frontiers
      2. It is key to ensure that hardware and software components produced in the EU and in third countries that are used in critical services and infrastructure and increasingly in mobile devices are trustworthy
      3. Promoting a single market for cybersecurity products
        1. A high level of security can only be ensured if all in the value chain make security a priority
        2. The private sector needs incentives to ensure a high level of cybersecurity; for example, labels
        3. A Europe-wide market demand for highly secure products should also be stimulated
          1. First, this strategy aims to increase cooperation and transparency about security in ICT products
          2. create the favourable market conditions for the development and adoption of secure ICT solutions
          3. as well as possibly establish voluntary EU-wide certification schemes building on existing schemes in the EU and internationally
        4. Commission will support the development of security standards and assist with EU-wide voluntary certification schemes in the area of cloud computing
          1. European Standardisation Organisations (CEN, CENELEC and ETSI)
          2. Cybersecurity Coordination Group (CSCG)
          3. expertise of ENISA
        5. Commission
          1. [Commission] Launch in 2013 a public-private platform on NIS solutions to develop incentives for the adoption of secure ICT solutions and the take-up of good cybersecurity performance
          2. [Commission] Propose in 2014 recommendations to ensure cybersecurity across the ICT value chain
          3. [Commission] Examine how major providers of ICT hardware and software could inform national competent authorities on detected vulnerabilities
        6. ENISA
          1. [ENISA] Develop technical guidelines and recommendations for the adoption of NIS standards and good practices in the public and private sectors
        7. Public and private stakeholders
          1. [Stakeholders] Stimulate the development and adoption of industry-led security standards, technical norms and security-by-design and privacy-by-design principles by ICT product manufacturers and service providers
          2. [Stakeholders] Develop industry-led standards for companies' performance on cybersecurity and improve the information available to the public by developing security labels or kite marks helping the consumer navigate the market
      4. Fostering R&D investments and innovation
        1. Support a strong industrial policy, promote a trustworthy European ICT industry, boost the internal market and reduce European dependence on foreign technologies
        2. Efforts to translate R&D results into commercial solutions by providing the necessary incentives and putting in place the appropriate policy conditions
        3. Commission
          1. [Commission] Use Horizon 2020 to address a range of areas in ICT privacy and security
          2. [Commission] Establish mechanisms for better coordination of the research agendas of the European Union institutions and the Member States, and incentivise the Member States to invest more in R&D
        4. Member States
          1. [Member States] Develop, by the end of 2013, good practices to use the purchasing power of public administrations to stimulate the development and deployment of security features in ICT products and services.
          2. [Member States] Promote early involvement of industry and academia in developing and coordinating solutions
        5. Europol & ENISA
          1. [Europol & ENISA] Identify emerging trends and needs in view of evolving cybercrime and cybersecurity patterns
        6. Public and private stakeholders
          1. [Stakeholders] Develop, in cooperation with the insurance sector, harmonised metrics for calculating risk premiums
    5. Establish a coherent international cyberspace policy and promote core EU values
      1. Commission and High Representative
        1. [Commission] Work towards a coherent EU International cyberspace policy to increase engagement with key international partners and organisations
        2. [Commission] Support the development of norms of behaviour and confidence building measures in cybersecurity
        3. [Commission] Support the promotion and protection of fundamental rights, including access to information and freedom of expression
          1. developing new public guidelines on freedom of expression online and offline
          2. monitoring the export of products or services that might be used for censorship or mass surveillance online
          3. developing measures and tools to expand Internet access, openness and resilience
          4. empowering stakeholders to use communication technology to promote fundamental rights
        4. [Commission] Engage with international partners and organisations, the private sector and civil society to support global capacity-building in third countries to improve access to information and to an open Internet
        5. [Commission] Utilise different EU aid instruments for cybersecurity capacity building, including assisting the training of law enforcement, judicial and technical personnel to address cyber threats
        6. [Commission] Increase policy coordination and information sharing through the international Critical Information Infrastructure Protection networks
  3. Roles and responsibilities
    1. All actors, from NIS competent authorities must take responsibility both nationally and at EU-level and work together to strengthen cybersecurity
    2. Given the complexity of the issue and the diverse range of actors involved, centralised, European supervision is not the answer. National governments are best placed to organise the prevention and response
    3. Three key pillars: NIS, law enforcement, and defence
    4. Coordination
      1. National level
        1. Member States should have structures to deal with cyber resilience, cybercrime and defence
        2. coordination at national level should be optimised across ministries
        3. Information sharing between national entities and with the private sector should be encouraged
        4. establishing national NIS cooperation plans to be activated in the case of cyber incidents
      2. EU level
        1. Coordination and collaboration will be encouraged among ENISA, Europol/EC3 and EDA in a number of areas where they are jointly involved
        2. These agencies together with CERT-EU, the Commission and the Member States should support the development of a trusted community
        3. Informal channels for coordination and collaboration will be complemented by more structural links
        4. EU military staff and the EDA cyber defence project team can be used as the vector for coordination in defence
      3. International
        1. engage in policy dialogue with international partners and with international organisations such as Council of Europe, OECD, OSCE, NATO and UN
    5. EU support in case of major cyber incident or attack
      1. prevention, detection and response to cyber incidents should improve and Member States and the Commission should keep each other more closely informed about major cyber incidents or attacks
      2. NIS directive proposes that national or Union NIS cooperation plans be triggered, depending on the cross-border nature of the incident
      3. If the incident seems to relate to a crime, Europol/EC3 should be informed
      4. If the incident seems to relate to cyber espionage or a state-sponsored attack, or has national security implications, national security and defence authorities will alert their relevant counterparts
      5. A particularly serious cyber incident or attack could constitute sufficient ground for a Member State to invoke the EU Solidarity Clause
      6. If the incident seems to have compromised personal data, the national Data Protection Authorities or the national regulatory authority pursuant to Directive 2002/58/EC should be involved
      7. Finally, the handling of cyber incidents and attacks will benefit from contact networks and support from international partners