The EU's Cybersecurity Strategy for the Digital Decade

16.12.2020 - The EU's Cybersecurity Strategy for the Digital Decade


Cybersecurity is an integral part of Europeans’ security. Whether it is connected devices, electricity grids, or banks, aircraft, public administrations or hospitals they use or frequent, people deserve to do so within the assurance that they will be shielded from cyber threats. The EU’s economy, democracy and society depend more than ever on secure and reliable digital tools and connectivity. Cybersecurity is therefore essential for building a resilient, green and digital Europe.

Transport, energy and health, telecommunications, finance, security, democratic processes, space and defence are heavily reliant on network and information systems that are increasingly interconnected. Cross-sector interdependences are very strong because networks and information systems, in their turn, depend on a steady supply of electricity to function. Connected devices already outnumber people on the planet, and their number is forecast to rise to 25 billion by 2025: a quarter of these will be in Europe.

Digitisation of working patterns has been accelerated by the COVID-19 pandemic, during which 40% of EU workers switched to telework, with likely permanent effects on everyday life. This increases vulnerabilities to cyberattacks. Connected objects are often shipped to the consumer with known vulnerabilities, which further increases the attack surface for malicious cyber activities. The industrial landscape in the EU is increasingly digitised and connected; this also means that cyberattacks can have far greater impact on industries and ecosystems than ever before.

The threat landscape is compounded by geopolitical tensions over the global and open Internet and over control of technologies across the whole supply chain. These tensions are reflected in the increasing number of nation states erecting digital borders. Restrictions of and on the Internet threaten global and open cyberspace, as well as the rule of law, fundamental rights, freedom and democracy – the core values of the EU.

Cyberspace is increasingly exploited for political and ideological purposes, and increased polarisation at international level is hindering effective multilateralism. Hybrid threats combine disinformation campaigns with cyberattacks on infrastructure, economic processes and democratic institutions, with the potential for causing physical damage, obtaining unlawful access to personal data, stealing industrial or state secrets, sowing mistrust and weakening social cohesion. These activities undermine international security and stability and the benefits that cyberspace brings for economic, social and political development.

The malicious targeting of critical infrastructure is a major global risk. The Internet has a decentralised architecture with no central structure and a multi-stakeholder governance. It has managed to sustain exponential increases in traffic volumes while being a constant target for malicious attempts at disruption. At the same time, there is increased reliance on the core functions of the global and open Internet, such as the Domain Name System (DNS), and essential Internet services for communications and hosting, applications and data. These services are more and more concentrated in the hands of a few private companies.

This leaves the European economy and society vulnerable to disruptive geopolitical or technical events which affect the core of the Internet or one or more of these companies. The increased internet usage and changing patterns due to the pandemic have further exposed the fragility of supply chains that depend on this digital infrastructure.

Concerns about security are a major disincentive to using online services. Around twofifths of EU users have experienced security-related problems and three-fifths feel unable to protect themselves against cybercrime. One-third have received fraudulent e-mails or phone calls asking for personal details in the past three years, but 83% have never reported a cybercrime. One in eight businesses have been affected by cyberattacks.

Over half of business and consumer personal computers that have been infected with malware once are reinfected within the same year. Hundreds of millions of records are lost each year through data breaches; the average cost of a breach to a single business rose to over €3.5 million in 2018. The impact of a cyberattack often cannot be isolated, and can trigger chain reactions throughout the economy and society, affecting millions of individuals.

The investigation of nearly all types of crime has a digital component. In 2019, the number of year-on-year incidents was reported to have trebled. There are an estimated 700 million new samples of malware – the most frequent means of furthering a cyberattack15. The annual cost of cybercrime to the global economy in 2020 is estimated to be €5.5 trillion, double that of 201516. This represents the largest transfer of economic wealth in history, greater than the global drugs trade. For one major incident, the WannaCry ransomware attack in 2017, the cost to the global economy was estimated at over €6.5 billion.

Digital services and the finance sector are among the most frequent targets of cyberattacks, along with the public sector and manufacturing, yet cyber readiness and awareness among businesses and individuals remain low18, and there is a major shortage of cybersecurity skills in the workforce19. There were almost 450 cybersecurity incidents in 2019 involving European critical infrastructures like finance and energy.

Healthcare organisations and professionals have been hit especially hard during the pandemic. As technology becomes inextricable from the physical world, cyberattacks put lives and the wellbeing of the most vulnerable at risk. Over two-thirds of companies, in particular SMEs, are considered ‘novices’ in cybersecurity, and European companies are considered less well prepared than companies in Asia and America. An estimated 291 000 posts for cybersecurity professionals in Europe remain unfilled. Hiring and training cybersecurity experts is a slow process leading to greater cybersecurity risks for organisations.

The EU lacks collective situational awareness of cyber threats. This is because national authorities do not systematically gather and share information - such as that available from the private sector - which could help assess the state of cybersecurity in the EU. Only a fraction of incidents are reported by Member States, and information sharing is neither systematic nor comprehensive24; cyberattacks may be only one facet of concerted malicious attacks against European societies. There is currently only limited mutual operational assistance between Member States, and no operational mechanism is in place between Member States and EU institutions, agencies and bodies, in the event of a large-scale, crossborder cyber incidents or crisis.

Improving cybersecurity is therefore essential for people to trust, use, and benefit from innovation, connectivity and automation, and for safeguarding fundamental rights and freedoms, including the rights to privacy and to the protection of personal data, and the freedom of expression and information. Cybersecurity is indispensable to the network connectivity and the global and open Internet that must underpin the transformation of the economy and society in the 2020s. It contributes to better and more jobs, more flexible workplaces, more efficient and sustainable transport and farming, and easier and fairer access to health services.

It is also essential for the transition to cleaner energy under the European Green Deal, through cross-border grids and smart meters and avoiding unnecessary duplication of data storage. Lastly, it is essential to international security and stability and the development of economies, democracies and societies globally. Governments, businesses and individuals need therefore to use digital tools in a responsible, security-conscious manner. Cybersecurity awareness and hygiene must underpin the digital transformation of everyday activities.

The EU’s new Cybersecurity Strategy for the Digital Decade forms a key component of Shaping Europe’s Digital Future, the Commission’s Recovery Plan for Europe, the Security Union Strategy 2020-2025, the Global Strategy for the EU’s Foreign and Security Policy, and the European Council Strategic Agenda 2019-2024. It sets out how the EU will shield its people, businesses and institutions from cyber threats, and how it will advance international cooperation and lead in securing a global and open Internet.


This strategy aims to ensure a global and open Internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe. Following the progress achieved under the previous strategies, it contains concrete proposals for deploying three principal instruments –regulatory, investment and policy instruments – to address three areas of EU action –

(1) resilience, technological sovereignty and leadership,

(2) building operational capacity to prevent, deter and respond, and

(3) advancing a global and open cyberspace.

The EU is committed to supporting this strategy through an unprecedented level of investment in the EU's digital transition over the next seven years – potentially quadrupling previous levels – as part of new technological and industrial policies and the recovery agenda.

Cybersecurity must be integrated into all these digital investments, particularly key technologies like Artificial Intelligence (AI), encryption and quantum computing, using incentives, obligations and benchmarks. This can stimulate the growth of the European cybersecurity industry and provide the certainty needed to ease the phasing out of legacy systems. The European Defence Fund (EDF) will support European cyber defence solutions, as part of the European defence technological and industrial base.

Cybersecurity is included in external financial instruments to support our partners, notably the Neighbourhood, Development and International Cooperation Instrument. Preventing the misuse of technologies, protecting critical infrastructure and ensuring the integrity of supply chains also enables the EU’s adherence to the UN norms, rules and principles of responsible state behaviour.

To read more: