President. – The next item is the joint debate on

– the Council and Commission statements on the recent cyberattacks on EU institutions and on sensitive national public and private institutions (2021/2713(RSP)), and

– the oral question to the Commission on the EU’s cybersecurity strategy for the Digital Decade by Cristian-Silviu Buşoi, on behalf of the Committee on Industry, Research and Energy (O-000037/2021 – B9-0024/21) (2021/2568(RSP)).

  Ana Paula Zacarias, President-in-Office of the Council. – Madam President, Commissioner Hahn, honourable Members, with a growing digitalisation of our lives we are also witnessing an increase in the number of cyberattacks on the Union and on its Member States. These attacks are becoming more frequent and are having a growing impact in our daily lives. We have seen very recent examples of the significant impact of these attacks on critical services for our society and on the functioning of important public and private entities such as our healthcare services during the COVID-19 pandemic.

We must increase our resilience and improve our cybersecurity, which is of utmost importance for ensuring proper functioning of our society, of our democracies, of our economies. This was also called for by the European Council in June 2019 and reiterated this February. I therefore welcome the new EU cybersecurity strategy for the Digital Decade, which the Commission and the High Representative presented at the end of last year. It shows ambition, with a comprehensive set of measures such as legislative proposals, investment and policy instruments, and it has a comprehensive view. The Commission and the High Representative will present a report on its implementation now on 23 June.

The recent Council conclusions on this cybersecurity strategy highlight a number of actions for the coming years related to digital and cybersecurity skills in the workforce, as well as the availability of financial instruments, in particular to support SMEs. We are also seeking to build on the EU’s cyberdiplomacy efforts and increase the effectiveness of the EU cyberdiplomacy toolbox.

While much work has already been done, or is under way, much more still needs to be done. The new directive on measures for a high common level of cybersecurity, the so-called NIS2 Directive, will be an important cornerstone of our cybersecurity and, as co-legislators, I hope we can ensure a swift adoption. In the Council, we hope to be in a position to start negotiations by the end of this year.

I also look forward to the future legislative proposals on common rules on information security and common binding rules on cybersecurity for all EU institutions, bodies and agencies, which the Commission has announced and which are expected in October this year. In due time, the Commission will also present its concept on the Joint Cyber Unit, a platform that would help to better protect the EU from the most serious cyberattacks. We also need to enhance cooperation and information-sharing amongst the various cybercommunities within the EU and explore how we can better link the various existing initiatives, structures and procedures.

The EU institutions are taking steps to reinforce their security culture and resilience, including by improving their assessment of security threats to the institutions, and promoting security awareness amongst the EU staff. The EU institutions, bodies and agencies are also actively working on securing their communication and information systems.

Cybersecurity is undoubtedly one of the biggest challenges for the years to come. It will require adapted, coordinated and innovative responses in all Member States and in all of our institutions. The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing every day and generating financial losses, undermining our citizens’ confidence and causing major damage in the Union economy and society. Our cybersecurity preparedness and resilience are therefore now more essential than ever. We need to work on this together. Thank you very much for your attention.

  Johannes Hahn, Member of the Commission. – Madam President, cybersecurity is a major global risk and cyber—enabled threats are becoming increasingly widespread, impactful and pervasive. The Commission welcomes the much stronger focus on cyber resilience.

As announced in the cybersecurity strategy of last December, the Commission will consider a comprehensive approach to address the growing importance of the internet of secure things, in coherence with Union law such as product safety. It could include new horizontal rules for all connected products and associated services placed on the internal market. In addition, the Network Code and the Initiative on the Protection of Critical Energy Infrastructure could address the residual physical and cyber risks affecting energy systems.

The Commission, with the European Union Agency for Cybersecurity (ENISA), is working on such cybersecurity certification schemes, which could become mandatory for essential and important entities under the recent proposal for a network and information system, the so-called NIS 2. This certification scheme could also be instrumental in enhancing the strategic autonomy of our cybersecurity supply chain. Being a directive, NIS 2 only applies to Member States, but the EU institutions are also an important target and attacks are growing dramatically in both number and in sophistication. The COVID—19 pandemic and the shift to teleworking has only exacerbated the situation. The cyber maturity varies a lot amongst institutions, bodies and agencies, but since our systems are all interlinked, the weakest link poses a large risk to all of us.

We are therefore preparing a proposal for a regulation on cybersecurity for the EU institutions, bodies and agencies, which is expected for October this year. Here we will set out a common framework for cyber standards, a joint governance structure, and we will reinforce the mandate and financing of CERT-EU, the computer emergency response team of the Union institutions, bodies and agencies.

The strategic importance of the internet is yet another issue highlighted by the COVID—19 crisis. The Commission is fully committed to increasing the security and resilience of the open internet. It’s a task that cannot be handled by a single organisation alone. Our cybersecurity strategy sets out several key actions in this regard. We aim at reinforcing the security of internet critical infrastructure, in particular the global domain name system, the root server system. We will also be collaborating with ENISA, Member States, EU DNS root server operators and the multi—stakeholder community in preparing contingency plans for extreme scenarios that could affect the integrity and availability of the internet, without forgetting that the developed internet standards and good practices will be promoted in partner countries as well.

We will consider the need for a mechanism for more systematic monitoring and gathering of aggregated data on internet traffic and for advising on potential disruptions, and join international partners to improve coordination to address and respond to intentional disrupting attempts. Furthermore, the secure connectivity flagship announced in the action plan on synergies between civil defence and space industries aims to provide a space—based backbone. This will ensure resilient and autonomous access for EU users in case something happens to ground—based connectivity infrastructures.

Finally, let me renew the Commission’s strong support for the multi—stakeholder model for internet governance. We will be promoting this model and we will oppose any attempt to establish top-down control of the global internet.

  Cristian-Silviu Buşoi, author. – Madam President, the digital transformation is a key strategic priority of the Union. Cybersecurity means safety and security for any interconnected device, service or phone, be they smart devices or smart washing machines, smart home systems, or online payment services, the online services that governments puts at citizens’ disposal, and even the European Parliament’s system and website, as well as the cars we drive, or metros and railways. Everything is interconnected and interoperable and could be hacked.

Technological progress, new technologies and the internet of things potentially mean hundreds more devices going online and being interconnected in the near future, with cyber threats then having the ability to endanger on a greater scale and with a greater impact. Moreover, the COVID-19 crisis has again exposed the cyber vulnerabilities of some critical sectors, particularly healthcare.

The associated measures of teleworking and social distancing have increased our dependency on digital technologies and connectivity, while cyberattacks and cybercrime – including espionage and sabotage, as well as malicious and unlawful ways of entering and manipulating ICT systems, structures and networks – are increasing in number and sophistication across Europe.

To address these challenges we need resilience. We need to become less vulnerable to attack and, in the case of a threat or even an attack, we need a quick response mechanism. The EU looks more determined to fight these challenges. Securing network and information systems in the European Union is essential to keeping the online economy running, safeguarding the competitiveness of our industry, and ensuring privacy and prosperity for our citizens, securing their data privacy as well.

The European Union is working on a number of fronts to promote cyber resilience. We welcome the initiatives announced in the EU’s cybersecurity strategy for the digital decade, but also note the evolution in the nature and sophistication of cyber threats, the risk of fragmented regulation and opportunity to strengthen our industry. We would therefore call on the Commission to promote the development of secure and reliable network and information systems, infrastructure and connectivity across the Union with a framework laying down horizontal cybersecurity requirements that would also aim to harmonise national measures and avoid fragmentation of the single market.

Therefore, it is essential to further assess the need to propose measures at Union level introducing cybersecurity requirements for applications, software, embedded software and operating systems by 2023, building upon the EU acquis on risk management requirements.

Digitalisation should happen with cybersecurity embedded, and for this, we need to further invest in innovation as well. The new European Cybersecurity, Industrial Technology and Research Competence Centre, based in Bucharest, will aim to retain and develop the cybersecurity, technological and industrial capacities necessary to secure the Union digital single market and will be of paramount importance for creating an interconnected Europe-wide cybersecurity, industrial and research ecosystem. Therefore, the Centre needs to start its activity as soon as possible.

We would welcome on behalf of the Committee on Industry, Research and Energy (ITRE Committee) concrete answers from the Commission to the following questions:

How and when does it intend to draw up a regulatory framework for ensuring that connected products and associated services, including supply chains, are secure by design, resilient to cyber incidents, and can be quickly patched up when vulnerabilities are discovered?

Does the Commission plan to tackle the need to introduce cybersecurity requirements for applications, software, embedded software and operating systems?

What concrete steps will the Commission take to strengthen the EU’s strategic autonomy in cybersecurity, namely by reducing its technological dependence and skills gap?

How is the Commission planning to ensure that EU funds are spent in a synergetic way to achieve these goals?

And finally, what actions will the Commission take in order to improve the cybersecurity of the core of the Internet while keeping it free, open and neutral?

  Pilar del Castillo Vera, en nombre del Grupo PPE. – Señora presidenta, señor comisario, desde la primera Directiva sobre ciberseguridad en el año 2016 Europa está desarrollando una política consistente, basada en reforzar nuestra capacidad para prevenir y responder a los ciberataques.

Tengo que decir que la Unión Europea está demostrando un importante valor añadido, contribuyendo a la coordinación de las respuestas a amenazas cibernéticas, invirtiendo en investigación e impulsando el desarrollo de una industria europea de ciberseguridad. Pero es necesario dar un paso más. Es necesario acelerar.

Nos hallamos, en estos momentos ya, en una economía de datos que solo puede prosperar si se garantiza la confianza en los productos y las aplicaciones. Se estima que para el año 2024 habrá más de 23 000 millones de dispositivos conectados en todo el mundo. Por otro lado, Europa cuenta con un importante sector industrial globalmente competitivo y el creciente desarrollo de la internet de las cosas abre una nueva oportunidad para reforzar esa capacidad.

Para ello, es necesario garantizar que la infraestructura y los productos conectados a internet sean seguros a partir del propio diseño, sean resistentes a los incidentes cibernéticos y se reparen rápidamente cuando se descubran vulnerabilidades. Estamos hoy debatiendo una Resolución que es una magnífica contribución de este Parlamento a la hoja de ruta de la ciberseguridad europea.

  Maria-Manuel Leitão-Marques, em nome do Grupo S&D. – Senhora Presidente, informação recente mostra que os ataques que fazem aos sistemas de informação reféns, e exigem resgates aos donos, aumentaram de 150% em 2020 e o valor do resgate duplicou.

A migração crescente das nossas vidas para a esfera online e o aumento dos produtos em rede, o armazenamento de muitos dados e a sua utilização, tornaram por demais evidente a importância da cibersegurança. A estratégia europeia de cibersegurança para a década é um contributo fundamental para manter a União segura na era digital.

Precisamos de regras apertadas para as infraestruturas críticas, como os hospitais. Precisamos de acelerar a formação de especialistas, faltavam-nos 219.000 em 2019. Precisamos de investir na literacia digital e também precisamos de combater a desigualdade de género na cibersegurança.

É preciso incentivar a criação de um verdadeiro espaço europeu de cibersegurança, com partilha de informação e respostas comuns. Tal como a segurança offline, a cibersegurança é um pilar central para que os cidadãos confiem.

  Christophe Grudler, au nom du groupe Renew. – Madame la Présidente, il y a quatre jours, une entreprise familiale en Vendée était victime d'une cyberattaque. 650 employés ont dû rester chez eux, car leurs outils de travail ne fonctionnaient plus. Le 14 mai, le système de santé irlandais était affecté par un rançongiciel empêchant de nombreux patients de recevoir des traitements. Le 9 décembre, l'Agence européenne des médicaments était attaquée. Je pourrais citer des dizaines d'autres exemples.

L’Europe fait bien face à une montée de cyberattaques, et cette marée ne fait que monter à mesure que la numérisation progresse. L'Union doit réagir plus fortement face à ces menaces numériques, qui n'affectent pas seulement le monde numérique, mais aussi la vie concrète des entreprises et de nos concitoyens. Nous avons rédigé cette résolution, qui insiste sur plusieurs points.

Premièrement, il faut plus de coopération face aux cyberattaques, que cela soit entre États membres ou avec les entreprises. Les informations doivent mieux circuler.

Deuxièmement, nous avons besoin de nouvelles réglementations européennes. Produits connectés ou logiciels, de nouvelles règles sont nécessaires pour sécuriser nos outils numériques.

Et enfin, troisièmement, il faut développer une culture de la cybersécurité. Chaque institution, chaque entreprise, chaque citoyen doit prendre conscience des risques qui existent sur le numérique et s'y préparer, car une fois que la cyberattaque est arrivée, il est déjà trop tard.

  Rasmus Andresen, im Namen der Verts/ALE-Fraktion. – Frau Präsidentin! Angriffe auf den irischen Gesundheitsdienst, die Volksbanken oder das Europäische Parlament: Wenn autoritäre Regime oder Kriminelle unsere europäischen Institutionen oder Firmen angreifen, geschieht dies immer öfter online. Cybersicherheit ist eine der größten Herausforderungen, die wir sicherheitspolitisch haben. Und die Wahrheit ist: Wir sind zu schlecht darauf vorbereitet. Cybersicherheit wird von der Bevölkerung, von Unternehmerinnen und Unternehmern und vielen Politikerinnen und Politikern unterschätzt. Über eine Billion Euro Schaden für die Weltwirtschaft haben Cyberattacken allein 2019 verursacht. Die Folgen für unsere Demokratie sind gravierend.

Für uns Grüne kommt es in der Debatte auf drei Punkte an. Erstens: Wir brauchen eine bessere Koordinierung zwischen Mitgliedstaaten und der EU. Wir kritisieren scharf, dass einige Mitgliedstaaten aus ideologischen Gründen nicht bereit sind, der EU ausreichend Kompetenzen zu geben. Mit nationalistischem Klein-Klein werden wir gegen Cyberattacken keine Chance haben.

Zweitens: Starker Datenschutz verhindert Sicherheitslücken, und offene Standards reduzieren Anbieterabhängigkeiten. Und Drittens: Wir müssen unsere Gesetzgebung ausdehnen und schneller werden. Die Technologie ist schneller als die Politik. Wir brauchen Gesetzgebung für Smart Technologies und einheitliche Standards für kritische Infrastruktur wie Gesundheit oder unser Bildungssystem.

Daran arbeiten wir gemeinsam erfolgreich im Parlament. Es wird Zeit, dass die Mitgliedstaaten aufwachen und uns dabei unterstützen.

  Alessandra Basso, a nome del gruppo ID. – Signora Presidente, onorevoli colleghi, Albert Einstein diceva: "I computer sono incredibilmente veloci, accurati e stupidi. Gli uomini sono incredibilmente lenti, inaccurati e intelligenti. E l'insieme dei due costituisce una forza incalcolabile."

Una cosa è certa: i computer governano le nostre vite e ci sono uomini intelligenti ma criminali che utilizzano macchine stupide per attentare alla nostra sicurezza. Le cronache riportano gli attacchi informatici che, colpendo infrastrutture logistiche industriali, hanno rischiato di mettere in ginocchio intere nazioni.

Un recente studio ci dice che il 2020 è stato un anno disastroso per la cybersicurezza. Ogni ora si verificano tra i 5 000 e i 10 000 attacchi informatici. Va fatta una riflessione sull'importanza di proteggere il nostro spazio informatico ancora largamente dominato da players non europei.

La strategia dell'Unione europea in materia di cybersicurezza deve basarsi su alcuni punti fondamentali, come lo sviluppo di sistemi avanzati di elaborazione situati nel territorio dell'Unione, su una gestione interna dei dati sensibili e su un'analisi dei flussi di dati diretti all'estero da dispositivi importati nell'Unione. Ci impegneremo a migliorare le proposte della Commissione in questo campo, avendo sempre come guida la tutela delle imprese e dei cittadini dei paesi dell'Unione, della loro libertà e della loro sicurezza.

  Izabela-Helena Kloc, w imieniu grupy ECR. – Pani Przewodnicząca! Sponsorowani przez wrogie rządy hakerzy zdalnie atakują europejskie szpitale, elektrownie atomowe, instytucje publiczne, a także osoby publiczne. To nie jest science fiction, to powoli staje się rzeczywistością. Na geopolitycznej arenie pojawił się nowy front, kolejny front –cyberprzestrzeń.

Oto jeden tylko przykład z tego tygodnia: Wczoraj nastąpił atak hakerski na skrzynkę mailową i konta w serwisach społecznościowych szefa kancelarii premiera Polski. Jednocześnie konto jego żony zostało wykorzystane do opublikowania fałszywego oświadczenia sugerującego ingerencję Polski w wewnętrzne sprawy Białorusi. Jest to klasyczna dezinformacja i nie ulega wątpliwości, że ma to związek z faktem, że osoba ta, Michał Dworczyk, od wielu lat aktywnie wspiera przemiany demokratyczne na terenie byłego Związku Radzieckiego. Co więcej, przez wiele lat miał zakaz wjazdu na teren Białorusi i Rosji.

Im bardziej jesteśmy uzależnieni od internetowych technologii, tym bardziej stajemy się bezbronni. Rosja, Chiny czy Iran doskonale to rozumieją, a ich ataki na nasze obiekty stwarzają coraz większe zagrożenie dla naszego życia i zdrowia. Nie możemy pozostać bierni. Na cybernetycznym froncie państwa Unii Europejskiej muszą wykazać jedność i energicznie współpracować.

  Marisa Matias, em nome do Grupo The Left. – Senhora Presidente, com a crise pandémica a nossa exposição aos ciberataques aumentou exponencialmente e, em alguns casos, esse aumento está reportado em 150%. Mas não podemos apenas deter-nos às Instituições Europeias ou às grandes empresas. Devemos pensar também nas pequenas e médias empresas e nos trabalhadores e trabalhadoras que, muitas vezes, não têm sequer as ferramentas para identificar esses mesmos ataques.

Numa altura em que a transição digital está no centro da nossa agenda política e que é uma parte substancial dos fundos de recuperação e resiliência em cada um dos países, apelamos para que as medidas tomadas não reforcem as desigualdades já existentes e para que a transição digital chegue a toda a gente. Para isso é importante, também, garantir que os dados pessoais são protegidos, sempre, e não podem ser usados como um efeito colateral. E é também, ainda, importante garantir a neutralidade e o acesso aberto a todos os mecanismos que possam estar disponíveis no quadro da integração digital.

  Fabio Massimo Castaldo (NI). – Signora Presidente, onorevoli colleghi, gentile Commissario, gentile Segretaria di Stato, dalla nostra resilienza agli attacchi informatici, dalla capacità di reazione ad essi e dagli strumenti di deterrenza dei quali ci doteremo non dipenderà solo il corretto funzionamento di tutte quelle attività che si svolgono ormai interamente nel mondo digitale, ma anche e soprattutto la capacità dell'Unione di elevarsi al ruolo di attore geopolitico di primo piano.

La linea di demarcazione tra sicurezza interna ed esterna dell'Unione si sta erodendo in tutti i domini, e in quello digitale, in realtà, queste due dimensioni si sovrappongono in maniera pressoché totale. Poter contare su livelli elevati di sicurezza cibernetica s'impone come un diktat strategico.

A oggi abbiamo compiuto enormi passi ma serve fare di più. Oltre a metterci al riparo da attacchi esterni dovremmo ancora una volta farci campione di un mondo libero, sicuro e basato sul rispetto di norme, spingendo per l'installazione di regolamenti vincolanti in ottica multilaterale e utilizzando appieno gli strumenti di cyber diplomacy del nostro arsenale. Da settant'anni l'Unione europea è sinonimo di libertà e sicurezza. Per i prossimi settant'anni dovrà essere il nostro obiettivo quello di espandere tale assunto anche al mondo digitale.

  Riho Terras (PPE). – Lugupeetud istungi juhataja, head kolleegid! Ma pean väga õigeks arutada küberjulgeoleku küsimusi ka parlamendi täiskogu istungil. Olen veendunud, et küberrünnakute all kannatab nii Euroopas kui maailmas laiemalt palju rohkem inimesi ja ettevõtteid, kui me endale ette kujutada oskame. Viimase paari aasta jooksul on avalikkuse ette toodud mitmed laiaulatuslikud rünnakud, mis on olnud suunatud suurte IT-ettevõtete või kriitilise tähtsusega taristu vastu. Me teame, et küberrünnakute omistamine on keeruline ja rünnaku toimepanija tuvastamine võib väga pikalt aega võtta. Samas on selge, et mitme suuremahulise rünnaku taga, nagu SolarWinds või Microsoft Exchange, näeme autoritaarsete režiimide Venemaa ja Hiina tegevust. Üha rohkem leiab aset lunavara rünnakuid, mis puudutavad üksikisikuid, väikese ja keskmise suurusega ettevõtteid, aga ka börsiettevõtteid. Kurjategijate modus operandi on muutunud lihvitumaks, näiteks ligipääs suurte börsiettevõtete arvutisüsteemidele võimaldab manipuleerida ja ähvardada väga mastaapsete ettevõtete tegevust. Olen seda meelt, et Euroopa Liit peab tugevdama just liikmesriikide vahelist koostööd küberjulgeoleku tagamisel. Meil on kohustus kaitsta oma ettevõtteid ja oma kodanikke.

  Łukasz Kohut (S&D). – Pani Przewodnicząca! Panie Komisarzu! Żyjemy w czasach czarnego lustra, czornego żdżadła, cyberataków i dezinformacji. Jak się przed tym bronić? Niezależnie od zabezpieczeń na końcu każdego łańcucha bezpieczeństwa jest człowiek, to często jego najsłabsze ogniwo. Wczorajsze włamanie do prywatnej skrzynki szefa kancelarii polskiego premiera. Wykradzione dokumenty służbowe są chwilę później na popularnym na Wschodzie komunikatorze Telegram. Dotyczą imigrantów z Białorusi. Jeżeli urzędnik miał takie dokumenty na swoim prywatnym mailu, to zabezpieczenia sieci są drugorzędne. Taki mamy klimat. Sieć kształtuje świat realny. Jeden tweet Muska i kurs bitcoina drastycznie spada. Fabryki trolli i ordynarna antyeuropejska propaganda mediów narodowych napędzają hejt na projekt europejski. Cyberataki na wolność myśli i prawo do informacji nie są spektakularne. Cyberpropaganda sączy się powoli, ale czy jest mniej niebezpieczna? Od odpowiedzi na to pytanie zależy nasza wolność.

  Bart Groothuis (Renew). – Madam President, at a time when worldwide ransomware incidents have, according to the FBI, tripled over the past year, making tens of millions of victims on this continent – just look at the Emotet hackers that have been apprehended – and at a time when ransomware gangs are increasingly going after critical infrastructure – look at Ireland – and also at a time when ransomware criminals are beginning to match the skills, technology and capabilities of state hackers, this Parliament is working on the best cybersecurity legislation this continent has ever seen, and it will be very ambitious.

But as we are debating the most effective measures against ransomware, technically the most effective measure is also the most cynical. Probably, we should all attach a Russian keyboard to our computers. I’m deadly serious. Close reading of malware reports, which is my night-time hobby, shows that oftentimes the malware first checks whether a Russian keyboard is present, and then it decides whether to penetrate and hack the rest of the network. This is the technical affirmation of that which police forces have been telling us: many gangs operate under the tacit approval of the Russian state, as long as they don’t attack Russian citizens.

And the political conclusion must be that ransomware is not just a technical problem solved by the Directive on Security of Network and Information Systems (NIS 2 Directive); it is also a foreign policy problem. We have to hold Russia accountable for offering safe havens to ransomware criminals, which is totally unacceptable.

In the end, I argue that cybersecurity should be a Chefsache. And I urge the Commission and Council that this safe haven problem should be a Chefsache for them as well.

  Ciarán Cuffe (Verts/ALE). – Madam President, I listened carefully to the previous speaker’s comments, and it may well be that some nation states are complicit in the attack on our citizens by cybercriminals. These attacks are a plague on society. We’ve seen more of them in recent months, and I have no doubt that this will continue.

We’ve seen patients blackmailed for their medical information in Finland, hospital IT systems in France attacked, and in my own home country of Ireland, the Irish health system was reduced to a 1970s level of functioning by ransomware attacks in recent weeks. So I welcome the Commission’s strategy on cybersecurity, but we do need laws that match the rapid pace at which the digital world is developing, and Member States do need to coordinate their cybersecurity plans and responses. We need to protect our power grids, our water, our wastewater systems from cyberattacks.

We’ve seen the US gas pipeline cyberattack. So we need to take this seriously. We need joined-up thinking. There are physical threats, there are political threats and there are now cyberthreats. We need to treat them with the urgency that they deserve.

  Jean-Lin Lacapelle (ID). – Madame la Présidente, Monsieur le Commissaire, pour certains intervenants, ce débat sur la cybersécurité sert visiblement de prétexte à d’énièmes attaques idéologiques à l’encontre de la Russie.

Or, ce sujet sérieux mérite une réflexion plus large et plus juste. Vous dénoncez la menace que représentent pour l’Europe les opérations de piratage menées contre nos institutions, car il est vrai que l’Europe est sensible et vulnérable à ces attaques. Vous évoquez leur origine russe potentielle, mais vous vous murez dans un silence absolu quand les agences d’espionnage des États-Unis mettent sur écoute les dirigeants européens. Silence également lorsque les services de renseignement français collaborent avec la société américaine Palantir, proche de la NSA, donnant ainsi aux Américains un pied dans notre souveraineté la plus confidentielle. Silence toujours lorsque le géant chinois Huawei, derrière lequel se profile le Parti communiste chinois, investit toute l’Europe en déployant ses réseaux 5G. N’oublions pas la leçon du vice-amiral français Arnaud Coustillière, qui déclarait devant le Sénat que tous nos matériels informatiques, du petit logiciel jusqu’à la puce électronique, nous exposaient aux infiltrations étrangères.

Depuis la révélation par Edward Snowden de l’espionnage américain en Europe, l’Union européenne a beaucoup parlé, mais a bien peu agi. Nous aurions dû et devons favoriser le développement de filières européennes dans l’industrie du numérique. Cela doit passer par un financement préférentiel de nos capacités de formation technologique, d’approvisionnement en matériaux, de création de logiciels et de matériels d’assemblage et d’équipements. Ici comme ailleurs, la souveraineté doit rester le maître mot de notre action politique.

  Ryszard Czarnecki (ECR). – Pani Przewodnicząca! To jest wojna, bo cyberataki to współczesna wojna. I tak naprawdę nie chodzi tutaj o pojedynczych hakerów, którzy włamują się na konta bankowe, ale o zatrudniane przez całe państwa armie sowicie opłacanych hakerów, którzy destabilizują nasz świat – świat Zachodu. Mam tutaj spis, mogę czytać. Co kilka tygodni tak naprawdę dochodzi do ataków na instytucje państwowe naszych państw członkowskich Unii Europejskiej, ale także do ataków poza Unią Europejską, a zwłaszcza w tych krajach, które kandydują do przyszłego członkostwa w naszych strukturach.

Tak, to jest wojna. Myślę, że trzeba robić wszystko, aby w tej wojnie być solidarnym, żeby również w tej wojnie być solidarnym ze Stanami Zjednoczonymi, i żeby w tej wojnie jeden był za wszystkich i wszyscy za jednego.

  Lars Patrick Berg (NI). – (Beginn des Redebeitrags bei ausgeschaltetem Mikro) ... in den USA, die die Pipeline-Branche und auch die fleischverarbeitende Industrie zur Zielscheibe hatten, veranschaulichen die Anfälligkeit hochgradig vernetzter Gesellschaften gegenüber Cyberkriminalität.

Mir ist bewusst, dass die Gespräche innerhalb der Vereinten Nationen voranschreiten, wenn auch langsam – zu langsam. Und der Vorschlag für eine Genfer Digitalkonvention der UNO liegt auf dem Tisch. Wenn man dies nur gutheißen kann, ist es unwahrscheinlich, dass diese Gespräche mit dem Tempo der aggressiven Bedrohungen Schritt halten können.

Ich begrüße deshalb den Vorstoß, die Mitgliedstaaten resilienter gegenüber solchen Angriffen zu machen. Ein engerer Zusammenhalt der Mitgliedstaaten ist erforderlich, eine bessere, eine schnellere Abstimmung, um diesem auch teilweise staatlich geförderten Cyberterrorismus erfolgreich die Stirn zu bieten.

Wir müssen jedoch die richtige Balance zwischen Sicherheit und Freiheit im Internet finden, da es totalitären Regimes ein Leichtes wäre, den Zugang zum Internet im Namen der Sicherheit einzuschränken.

  Seán Kelly (PPE). – Madam President, the pandemic has accelerated the shift towards digitalisation, which has now become integrated in virtually every aspect of personal and working lives. This comes with a significant rise in cybercrime as criminals take advantage of the massive shift towards remote work.

A few weeks ago, Ireland’s healthcare system suffered the biggest cyberattack in the history of our state, which affected most of the country’s health services, including coronavirus testing, maternal care services, cancer care, COVID-19 tracking and routine referrals for secondary care.

Cyberattacks on healthcare systems have risen significantly since the pandemic began last year, with criminals taking over servers, stealing personal data and then charging money to allow officials to get it back. The callousness of such attacks during a pandemic, where many people have sadly lost their lives, is beyond reproach. We must be aware that cyberthreats are rapidly evolving in nature and sophistication.

The EU and all Member States need a digital security architecture that defends us robustly against cyberattacks. This will be central to ensuring security in the digital world and to protecting the health and well-being of citizens.

The attack on the Irish health system should stand as a stark warning, for ransomware operators are becoming more effective at targeting larger and larger organisations. We need a strong European-level approach and cybersecurity policy to combat this new form of advanced criminality.

  Цветелина Пенкова (S&D). – Г-жо Президент, г-н Комисар, кризата, предизвикана от COVID-19, ни показа, че е необходимо да засилим мерките и в областта на киберсигурността, както на европейско, така и на национално ниво. През април бяхме свидетели на кибератаки срещу европейските институции. Само преди две години в България се случи най-мащабната кибератака над национална институция и данните на над 5 милиона европейски граждани бяха направени публични.

В тази резолюция искаме да подчертаем, че киберсигурността трябва да бъде основополагаща в процеса на цифровизация. Тя трябва да бъде вградена във всеки един технологически процес на настоящето и бъдещето. Ключов е и човешкият фактор. Подготвянето на кадри в областта на киберсигурността трябва да бъде приоритет на всяко едно правителство.

И не на последно място, държавите членки не могат да разчитат само на европейско сътрудничество за борба с киберпрестъпленията. Те трябва да развият собствени стратегии за превенция и устойчивост и да носят отговорност при неспазването на мерките.

  Billy Kelleher (Renew). – Madam President, 27 days ago, there was a massive cyberattack on the health service in Ireland. This was not a malicious attack by some few individuals, but it was done with the tacit approval of Russia. And let us be very clear as well, it was not just an attack on some abstract computer system. This was an attack on citizens, an attack on European citizens. Healthcare had to be cancelled in many cases. It could have even cost lives in terms of delayed diagnostics or cancellations of operations.

So this is a significant issue that has to be addressed. And we do need to ensure that it is coordinated at European level. I do welcome the fact that there is a cybersecurity strategy, but we have to ensure that there are additional resources by Member States and by the Commission itself to ensure that we can coordinate and hold rogue elements in countries outside of the European Union to account if they continue to facilitate the undermining of institutions, of facilities, of services in the European Union. And those countries must be held to account. And I include Russia in that.

  Christine Anderson (ID). – Frau Präsidentin! Vielen Dank an den Kollegen Bușoi für die Fragen an die Europäische Kommission zum Thema Cybersicherheit. Die offensichtlichste Bedrohung durch Spionage und Sabotage auf IT-Infrastrukturen durch die USA und China – nicht selten auf Veranlassung staatlicher Stellen – geht die EU nicht entschlossen an, sondern setzt hier weiter auf einen Kuschelkurs und macht sich allein dadurch schon unglaubwürdig.

Die Fragen sind aber berechtigt und zeigen auf, dass bei den Themen Cybersicherheit und somit auch Digitalisierung noch immer deutliche und nicht nachvollziehbare Defizite bestehen. Es wird in den Vorworten richtig angemerkt, dass Cybersicherheit als elementare Voraussetzung doch bereits vollumfänglich implementiert sein muss, bevor digitale Infrastruktur vollumfänglich genutzt werden kann.

Während vor Jahren für die deutsche Bundeskanzlerin Merkel das Internet immerhin schon Neuland war – das setzt ja zumindest mal voraus, dass man es entdeckt hat –, war es für die EU offenbar noch nicht einmal das. Sie hatten es sehr lange gar nicht auf dem Schirm.

Bei völlig belanglosen Themen wie zum Beispiel dem Anbau von genmanipuliertem Mais in Indonesien ist die EU natürlich ganz vorne mit dabei. Sobald es aber um wirklich wichtige und bedeutsame Themen geht, ist die EU lange inaktiv, um dann hektisch zu reagieren. Aber Proaktivität wäre hier gerade nötig, um von den USA und China in Sachen Forschung und Entwicklung nicht abgehängt zu werden. Und genau das ist aber nun für jeden ersichtlich eingetreten.

Der Bürokratieapparat EU wird diesen Rückstand auch nicht mehr aufzuholen imstande sein. Dies wird insbesondere deshalb nicht gelingen, weil anstelle des Vorantreibens von Forschung und Entwicklung der Digitalisierung sich die EU lieber auf ideologisch motivierten, aber völlig irrelevanten Nebenkriegsschauplätzen wie Gender Equality, Gender Budgeting und CO2-Neutralität austobt. Wobei hier die Faustformel gilt: …

(Die Präsidentin entzieht der Rednerin das Wort.)

  Ivan Štefanec (PPE). – Pani predsedajúca, v Európskej únii musíme byť pripravení výrazne posilniť bezpečnosť internetu a iných kritických sietí a informačných systémov. Ako môžeme vidieť na aktuálnych prípadoch vo svete, útoky na naše dáta budú čoraz sofistikovanejšie a dopady nebezpečnejšie.

Nedostatočná systematická ochrana môže ohroziť nielen fungovanie jednotného trhu, ale aj bezpečnosť či životy našich obyvateľov.

Do roku 2024 bude na celom svete na internet napojených viac než 22 miliárd zariadení. Vítam a oceňujem preto rozhodnutie Rady z apríla tohto roku, v ktorom schválila zriadenie centra kompetencií v oblasti kybernetickej bezpečnosti.

Je dôležité, aby sme danú oblasť rozvíjali a aby Európska komisia predstavila ďalšie návrhy, ktoré doplnia akt o kybernetickej bezpečnosti z roku 2019.

Kybernetická bezpečnosť je kľúčom pre budovanie odolnejšej, environmentálne prijateľnejšej a digitálnej Európy.

Dôležité je dosiahnuť nielen strategickú autonómiu v tejto oblasti, ale aj zároveň zachovať otvorené hospodárstvo.

Musíme preto posilniť svoju schopnosť prijímať autonómne rozhodnutia, ktoré sa týkajú kybernetickej bezpečnosti, aby sme si udržali naše postavenie v digitálnej oblasti.

No a na záver, dovoľte mi tiež zdôrazniť aj moju osobnú prioritu, ktorou je ochrana detí na internete, a verím, že Európska komisia dodrží termín a predstaví aj v tejto oblasti plánovanú legislatívu s cieľom dlhodobého riešenia v tejto oblasti.

  Nicolás González Casares (S&D). – Señora presidenta, una de las repercusiones de esta pandemia es el papel absolutamente crucial de las redes de telecomunicaciones. Si hemos seguido funcionando, si hemos sido capaces de mantener un mínimo de vida, ha sido gracias a estas redes que sustentan la conectividad. Son cruciales ahora y van a seguir siéndolo en el futuro con el desarrollo de la 5G y la internet de las cosas.

Por lo tanto, cualquier atisbo de duda va a facilitar que se entrometan en nuestra vida los ciberataques, como lo estamos viendo cada día en las redes de telecomunicaciones, en redes industriales, en redes de distribución de energía, incluso en el coche autónomo, en nuestros transportes.

Por lo tanto, la Unión debe seguir avanzando para blindarse frente a los ciberataques, y debe hacerlo con sus propias capacidades ⸻de ahí el Centro Europeo de Competencia Industrial, Tecnológica y de Investigación en Ciberseguridad, que aprobamos durante el pasado Pleno⸻ y extendiendo el nivel máximo de exigencia en ámbitos vitales, como se propone en la Directiva SRI 2. Debe hacerlo, además, para blindar nuestro propio sistema democrático frente a injerencias externas. No debemos permitirlas.

  Salvatore De Meo (PPE). – Signora Presidente, onorevoli colleghi, la nostra economia e la nostra vita quotidiana dipendono sempre più dalle tecnologie digitali e sono quindi a rischio di cyberattacchi. Tantissimi tentativi di intromissione nei sistemi di sicurezza delle nostre infrastrutture strategiche pubbliche e private, grandi e piccole, ed ognuno di noi è a rischio nell'utilizzo dei suoi dispositivi digitali.

La pandemia ha accelerato la transizione digitale, ma ha anche dimostrato le forti carenze in termini di sicurezza e competenze, per le quali è necessario investire per rendere la transizione sicura e garantire un rafforzamento globale dell'Unione europea. Purtroppo, tra le criticità emerse ci sono anche le ingerenze di paesi terzi che cercano di indebolire la nostra democrazia e la nostra economia. L'attacco informatico subito dalla Commissione europea è stato l'ennesimo campanello di allarme.

Esprimo apprezzamento per la recente iniziativa del Consiglio di affiancare alla Agenzia europea per la cybersicurezza anche un nuovo centro di ricerca con competenze specifiche, e condivido la decisione presa il mese scorso di sanzionare gli hacker sponsorizzati dalla Cina e da paesi ostili. L'Europa deve rafforzare le sue difese digitali per salvaguardare la sua indipendenza democratica e difendere le sue strutture strategiche.

  Иво Христов (S&D). – Г-жо Председател, нарастващият брой и сложност на кибератаките от началото на пандемията доказаха неотложната нужда Европа да постигне високо ниво на киберсигурност. Болниците, научноизследователските центрове и националните администрации се оказаха предпочитаната мишена на хакерите. Притеснително е, че през последните две години редица държави и европейски органи станаха обект на хакерски атаки, с което бе компрометирана защитата на личните данни на милиони европейски граждани. За съжаление и моите сънародници в България също пострадаха от безпрецедентна кибератака срещу Националната агенция по приходите и срива на търговския регистър. Неотдавна системата за електронно записване за час за ваксиниране също се срина вследствие на хакерска атака.

Новата стратегия на Европейския съюз за киберсигурност следва да заложи на три принципа. Първият е укрепването на устойчивостта на критичната инфраструктура, вторият е осигуряването на стратегическата автономност на Съюза чрез намаляването на технологичната зависимост от външни партньори, третият е преодоляването на недостига на умения сред гражданите. Това е задължително предусловие за прекрачването в света на дигитализирани услуги, който не бива да маргинализира по-възрастните и ниско образованите.

  Karlo Ressler (PPE). – Poštovana predsjedavajuća, europske institucije i države članice trpe snažne, koordinirane i kontinuirane kibernetičke napade. Jučer su pak poteškoće u radu imale i velike medijske platforme te popularni internetski alati uzrokujući neugodnosti tisućama korisnika diljem svijeta.

To nas još jednom podsjeća koliko smo ranjivi i koliko je ranjiva naša infrastruktura, što može biti kobno. Moderna tehnologija korisna nam je jedino ako je sigurna i ako je pouzdana, a to je nemoguće bez značajnijih investicija u kibernetičku sigurnost.

Danas više nego ikada ranije pitanje nacionalne i europske sigurnosti i suverenosti ujedno je i neodvojivo i pitanje sigurnosti računalnih procesa.

  Carlos Zorrinho (S&D). – Senhora Presidente, Senhor Comissário, Senhora representante da Presidência, a resposta europeia às ameaças de cibersegurança é um desafio de soberania, de sobrevivência, de capacitação tecnológica e de organização económica e social, para enfrentar com sucesso os desafios da próxima década. Exige que a resposta sistémica, prevista na estratégia europeia, se concretize, desde já, com eficácia e cooperação.

Combatendo a fragmentação regulatória e processual e definindo legislação horizontal. Encorajando a partilha de informação entre os Estados-Membros. Promovendo a ciberliteracia em todos os patamares da sociedade. Reduzindo a dependência tecnológica da União e usando os novos programas de apoio à inovação e ao desenvolvimento, para garantir a autonomia estratégica europeia em toda a cadeia de valor e a liderança em segmentos críticos do mercado. Apoiando as PME para reforçarem a sua capacidade de proteção, desenvolvendo standards seguros de conectividade e interoperabilidade, acessíveis aos diferentes utilizadores. Finalmente, introduzindo critérios de proteção e segurança robustos na regulamentação dos serviços e dos mercados digitais.

É este o caminho que, com determinação, temos que percorrer juntos.

  Raphaël Glucksmann (S&D). – Madame la Présidente, chers collègues, Agence européenne des médicaments, centres de stockage des vaccins, hôpitaux, Autorité bancaire européenne, parlements nationaux ou régionaux, boîtes mail des campagnes électorales: la liste des cibles européennes des cyberattaques est longue, et ce n’est qu’un début.

Nous ne sommes pas en guerre, mais nous ne sommes plus vraiment en paix. Nous évoluons dans un entre-deux fluctuant, nébuleux et dangereux. Un état dit «de guerre hybride». Il est temps de saisir à quel point nous sommes vulnérables, temps de renforcer nos défenses et d’investir massivement dans la cybersécurité.

Chers collègues, nous ne sommes pas attaqués par des hackers isolés, mais par des régimes autoritaires hostiles qui considèrent la piraterie comme une stratégie politico-militaire efficace et peu coûteuse. Et comment leur donner tort? Jusqu’ici, le coût imposé aux régimes russes ou chinois pour leurs attaques est risible. Alors, réveillons-nous! Pour être dissuasif, il ne faut pas simplement sanctionner les hackers, il faut sanctionner les États qui sont derrière les hackers. Il en va de notre sécurité à tous.

  Johannes Hahn, Member of the Commission. – Madam President, the tactics, techniques and procedures employed by threat actors continue evolving in their attempt to avoid further detection and remediation efforts by our cyber defence. The pace at which these threat actors conduct cyberattacks is higher than ever, while their campaigns are increasingly sophisticated and automated, quickly exploiting vulnerabilities.

The Union’s cybersecurity strategy stresses that technological sovereignty is key to building a more resilient Union. The Cybersecurity Industrial, Technology and Research Competence Centre will play a key role in delivering on the ambitious cybersecurity objectives of the Digital Europe and Horizon Europe programmes.

We call on the Member States to make these investments. The Recovery and Resilience Facility funding will also be crucial to reinforce the EU cybershield through enhanced detection and response capabilities, for instance in security operations centres and quantum computing infrastructure.

The funds could be used to increase the preparedness of sectors, and for skills and training and reinforcing research and development. The Digital Europe programme will also fund the design and delivery of specialised programmes and traineeships for future experts in cybersecurity.

With the European Defence Fund, the Commission will co-fund joint defence R&D projects, including in the areas of cybersecurity and cyber defence.

Lastly, the Commission, as part of its action plan on synergies between civil defence and space industries, will set up an EU observatory of critical technologies using its own resources. The proposal for a regulation on cybersecurity for the institutions in October 2021 will be the Commission’s commitment to maintain high cyber standards also in the European institutions, bodies and agencies.

Your commitment is needed to maintain the ambition in the NIS 2 directive. This means keeping its scope. It means a commitment to an open but trustworthy core internet in Europe. It means confirming the legal obligation to making an agile response to incidents.

Our operational teams are ready to embrace a mandatory 24-hour notification of major incidents to the competent authorities in the EU institutions. In fact, they believe it’s crucial to allow us to get an overview of the scope of an attack and coordinate.

So we should not ask Member States to be less ambitious. This is no time to lower our guard. We are deeply committed to keeping the ambition high, so I expect that we can count on you to do the same.

  Ana Paula Zacarias, Presidente em exercício do Conselho. – Senhora Presidente, Senhor Comissário, Senhoras e Senhores Deputados, resulta claro deste debate que se a transformação digital em curso nos oferece enormes oportunidades, ela acarreta, ao mesmo tempo, enormes desafios, incluindo os da segurança cibernética.

Ouvimos como os incidentes de cibersegurança estão a aumentar em escala e sofisticação, como atestam os casos do SolarWinds, Microsoft Exchange Server, o ataque cibernético contra a Agência Europeia de Medicamentos ou o recente caso que visou o Sistema Nacional de Saúde da Irlanda.

Estamos confrontados com ameaças aos nossos processos democráticos, às nossas Instituições e às nossas empresas, que resultam em perdas financeiras muito significativas para vários setores. Estes incidentes visam explorar as vulnerabilidades dos nossos sistemas de informação e comunicação, o que torna a nossa preparação e resiliência em matéria de cibersegurança mais vital do que nunca.

É, por isso, fundamental que as Instituições Europeias e os Estados—Membros colaborem para melhorar a nossa resiliência. A estratégia de cibersegurança da União Europeia é, sem dúvida, um instrumento fundamental para manter a União segura na era digital. Mas todos sabemos que temos que ser vigilantes, porque as ameaças e a desinformação estão sempre um passo à nossa frente e os desafios tecnológicos são contínuos.

Muitas medidas foram já tomadas e aqui referidas neste debate, incluindo a recente regulamentação sobre a Agência Europeia para a Segurança das Redes e da Informação (ENISA) e o Centro de Competências Europeu em Cibersegurança. Mas temos que, em liberdade e em segurança, ser capazes de continuar a tomar as medidas adequadas e a utilizar os instrumentos financeiros necessários para reforçar a nossa capacidade nesta área.

Aguardamos, também, com expetativa, as novas propostas da Comissão sobre regras comuns em matéria de segurança e informação sobre a cibersegurança para todas as Instituições e organismos da União Europeia e contamos com o apoio do Parlamento Europeu para avançar, com celeridade, nas negociações sobre estas propostas, assim que forem apresentados os respetivos instrumentos pela Comissão.

É tempo de sermos ambiciosos. Muito obrigada. Agradeço uma vez mais a atenção que me dispensaram.

  President. – The joint debate is closed.

The vote on the amendments will take place today, and the final vote will take place tomorrow, 10 June 2021.

Written statements (Rule 171)

  Patryk Jaki (ECR), na piśmie. – Niestety można odnieść wrażenie, że UE we współczesnym świecie jest bezbronna wobec cyberataków. Niestety brakuje nam skutecznych narzędzi do walki. Niestety brakuje nam solidarności europejskiej w tym względzie. Potrzebne jest współdziałanie i wymiana informacji. Mamy jednych z najlepszych informatyków na świecie, ale nie wykorzystujemy tego potencjału do ochrony. To jest w naszym wspólnym interesie, aby pilnie zacząć działać i nadrabiać ten stracony czas.

  Eva Maydell (PPE), in writing. – Last year, as the world was brought to a halt by the Covid-19 pandemic, we witnessed a global shift to remote and hybrid work, forcing organisations to re-invent the way they operate, and to go digital practically overnight, with little to no preparation whatsoever. This was an excellent opportunity for cyber-criminals to take advantage, and there is almost not a single day that goes by without hearing about a cyber-attack. In the recent months, the cases such as Solar Winds, Colonial Pipeline, AXA in France, the Irish Health Executive Agency and the Department of Health, are clear proof that we are very vulnerable in the digital territory. Organised cyber-crime groups and foreign states attack our digital infrastructure, our businesses and institutions on an unprecedented scale. Normalising cyber incidents I believe is not the right path ahead of us.

We must have a clear and robust answer: A strong European cyber security and defence, investments in technological know-how for countering such attacks and high-level of cyber resilience through skilled professionals. The NIS2 and the CER have to be a priority, a constant instrument in our toolbox for a free, open and protected digital future of Europe.

  Edina Tóth (NI), írásban. – A kiberfenyegetések jellege és összetettsége folyamatosan változik, így az Unió egyik kulcsfontosságú prioritását jelentő digitalizáció a kiberbiztonságon múlik. Üdvözlöm a digitális évtizedre vonatkozó uniós kiberbiztonsági stratégiáról szóló állásfoglalási indítványt, amely megfelelő intézkedéseket hoz a kibertér biztonságosabbá tétele érdekében. A cél az, hogy megerősödjön Európa kiberfenyegetésekkel szembeni ellenállóképessége, valamint hogy minden polgár és vállalkozás megbízható szolgáltatásokat és digitális eszközöket vehessen igénybe, és ezek előnyeit teljes mértékben ki tudja használni. Véleményem szerint az EU-nak ezért komoly erőfeszítéseket kell tennie annak érdekében, hogy megvédje magát a harmadik országokból érkező kibertámadásokkal szemben. Úgy gondolom, hogy a technológiai függőség csökkentése érdekében az Uniónak nagyobb stratégiai autonómiára van szüksége a kiberbiztonság terén. A pandémia megmutatta, hogy milyen sérülékeny Európa, ezért csökkentenie kell a függőségét a globális beszállítói láncoktól. Törekednünk kell az európai fejlesztések erősítésére a kritikus fontosságú infrastruktúrákban, s a védekező képesség megteremtésére, hiszen így válhat Európa egy biztonságos térséggé.