A native Estonian, Juhan Lepassaar is no stranger to cybersecurity and the inner workings of the European Union. Between 2014 and 2019 he was the head of cabinet of Andrus Ansip, Vice-President for Digital Single Market in the Juncker Commission. In this role he was also involved in the preparation and the subsequent legislative phases of the Cybersecurity Act, which significantly strengthened the competences of the European Union Agency for Cybersecurity, which he currently heads.
2020 made it painfully clear that Europe’s entire digital infrastructure and economy depend on open and secure access to the internet. The increase in cybersecurity attacks during the COVID-19 pandemic is just the most recent illustration of why the EU and its Member States need a professionalised, agile and well-resourced cybersecurity agency. Luckily, the EU Cybersecurity Act (CSA), which granted ENISA a permanent mandate and more resources and responsibilities, entered into force in June 2019. According to Lepassaar, the CSA made a real qualitative difference for ENISA: ‘It was the right proposal in the right place at the right time. The additional tasks, the permanent mandate and the resources to go with them not only fortified trust in the Agency, but are enabling us to attract additional talent from all over the EU.’
A success story of European cybersecurity
ENISA was born from the need for an EU-level agency that can strengthen the overall level of cybersecurity across the EU and can contribute to the implementation of certain EU cybersecurity policies and goals. Created in 2004 with a temporary mandate, it was not clear that the Agency might become a centrepiece of a larger EU cybersecurity architecture and a global benchmark. But it did.
Over the years, ENISA has built up its reputation by supporting EU Member States in the development of their national cybersecurity strategies; providing trainings and exercises involving national cyber emergency response teams (CERTs), a host of national authorities and key private stakeholders; and institutionalising the European cybersecurity community through concrete initiatives. Throughout its existence, more responsibilities were gradually allocated to the Athens-based organisation, which now has over 100 staff, and more resources supported its expansion. ENISA’s priorities are strongly aligned with the key cybersecurity challenges outlined in the recently adopted EU Cybersecurity Strategy and defined in the Agency’s strategic objectives and the multiannual work programme for 2021–2023.
I asked Lepassaar about some of his priorities for the coming years. ‘On the issues side, I am currently mostly occupied with fulfilling ENISA’s role in the preparation and uptake of the cybersecurity certification schemes in the area of Common Criteria, cloud services, 5G and beyond; defining and fulfilling ENISA’s role in the Competence Centre & Network initiative; working with Member States to implement 5G cybersecurity mitigation measures; and helping the EU institutions in their negotiations to strengthen EU cyber resilience through the update of the NIS Directive (NIS2).’
The NIS2 proposal is a highly anticipated follow-up to the 2016 Network and Information Security Directive, which enforced security standards on national operators of essential services and pushed Member States to increase their national capabilities. The NIS2 proposal furthermore strengthens and extends the role of security operations centres (SOCs), the 2016 NIS Directive having created a similar collaboration mechanism between national Computer Security Incident Response Teams (CSIRTs) in the form of a CSIRT Cooperation Group. According to Lepassaar, ENISA is well placed to support this development, should this be one of the final negotiation conclusions. ‘In this context, the Agency is already assisting EU Member States with their incident response capabilities by providing different tools and materials such as a guide on how to set up CSIRTs and SOCs. Using AI, there is a potential of boosting the capacity of public and private SOCs in identifying and reacting to cyber threats.’
ENISA has also emerged as one of the key players in the development of the 5G Toolbox, which Lepassaar sees as a highly successful effort at ensuring EU-coordinated actions in areas very closely linked to national security – so much so that many policy areas are now asking for their own toolboxes. In his opinion, ‘thanks to this toolbox, Member States have been able to achieve a high level of common understanding on 5G risks and shared commitments and have therefore avoided a fragmentation of action’. A cybersecurity risk assessment made by ENISA provided the impetus for the Member States to implement a set of well-defined common and targeted mitigating measures. The real challenge lies in moving from paper to action. Lepassaar thinks that once most of the proposed measures are implemented throughout the Union, citizens will be able to enjoy more secure 5G networks.
A European cybersecurity workforce
The Cybersecurity Act not only granted ENISA a permanent mandate and more responsibilities; it also allowed ENISA to attract additional talent from across Europe. ENISA has created a working group on cybersecurity skills to address workforce shortages and skills gaps that many of the EU Member States are struggling with. Lepassaar told me that the skills gap is ‘a major concern for both economic development and security, especially in such a rapid digitisation phase of the economy. Never before were EU citizens so active online, for school, for work and simply to stay in touch, which has become even more apparent during the COVID-19 pandemic.’
Lepassaar believes that a continuous understanding and tackling of threats within this evolving cyber landscape will be vital for securing the digital decade, for which we need a competent workforce. The ENISA working group aims to promote harmonisation in the ecosystem of cybersecurity education, training and workforce development, and helps in the development of a common European skills framework. But development of the right competences in cybersecurity is a broader problem. Lepassaar notes that they need to be built at all levels and that talent in cybersecurity should be fostered. This is why ENISA organises events such as the hackfest and European Cybersecurity Challenge to encourage young people to pursue a career in cybersecurity. ENISA has acted as a hub for European cybersecurity awareness by leading the European cybersecurity month since 2012. Under Lepassaar’s lead, the Agency will also soon create an expert group on Cybersecurity Awareness Raising.
Geopolitics of cybersecurity
As international politics increasingly plays a role in debates about cybersecurity, I wonder how ENISA’s priorities align with the vision presented by the ‘Geopolitical Commission’, in particular the push for strategic autonomy and digital sovereignty as flagship ideas? Lepassaar notes that ‘European cybersecurity policy initiatives already aim to promote European cybersecurity capabilities and thereby reduce dependencies. In implementing these initiatives, ENISA subscribes to these concepts, whether they are called “technological sovereignty” or “strategic autonomy”. We increase the EU’s technological autonomy and sovereignty through concrete actions that improve cybersecurity.’
In terms of technological sovereignty, he sees the EU as a leading player in its own right, in particular in the contested area of 5G. ‘European industries produce, deploy and export leading-edge and – from ENISA’s perspective – above all trusted technologies, and continue to build up their own supporting ecosystems.’ He stresses that the 5G Toolbox experience shows that the EU needs to define and stick to its own path, rather than standing between other forces. ‘The certification of 5G networks is but one of the actions the EU is already engaged in to mitigate the cybersecurity risks of the 5G technology. Such a coordinated approach of the EU in cybersecurity is an essential strength in this area and a global benchmark. Maintaining a strong resolve to keep cybersecurity a priority will be beneficial for the EU not only in the long run but equally in the short and medium run.’
Overall, Lepassaar stresses, ENISA’s main focus remains EU-domestic, knowing that cybersecurity does not stop at national or EU borders. This is why external cyber capacity building is high on the EU agenda, with several multimillion euro projects currently being implemented worldwide. In 2018 the EU even funded development of Operational Guidance for international cooperation on cyber capacity building. Development of an EU External Cyber Capacity Building Agenda and setting up a Cyber Capacity Building Board are part of the EU’s new cybersecurity strategy adopted in December 2020. ENISA’s core mandate and range of activities have focused more on the EU and less on external engagements. According to Lepassaar, ‘it is possible for ENISA to support the EU’s external policies and projects, but only where this makes sense and does not deviate from the Agency’s core mandate’. It is something that ENISA’s Management Board will need to decide upon.
In general, Lepassaar does not seem too worried about the impact of geopolitics on cybersecurity. He notes with satisfaction that there is a broad consensus among Member States and across all political parties that a more cybersecure EU is a better EU overall. Despite the highly diverse picture within the EU in terms of cybersecurity capacities, everyone seems to be on the same page when it comes to securing Europe. European unity might be a challenge for many policy areas, but this is less the case for cybersecurity, from what Lepassaar tells me.
As we reach the end of our discussion, I am struck by Lepassaar’s optimism about the direction in which things are heading. Is there anything on his wish list for the coming years: more money, more people, more competences? He tells me ‘ENISA should remain open and flexible to respond to the needs of EU institutions and Member States wherever it can add value and strengthen cybersecurity in and for the EU’: a perfect diplomatic answer for someone leading a European agency in an area that requires a lot of diplomacy.
About the Author
Nathalie van Raemdonck
Nathalie van Raemdonck is a doctoral researcher at the Vrije Universiteit Brussels where she focuses on platform governance, the organic spread of misinformation and online radicalization. Prior to joining academia, she was an Associate Analyst at the EU Institute for Security Studies and worked at the Centre for Cybersecurity Belgium and the Cyber Emergency Response Team. Follow her on Twitter @eilah_tan