CSC also appreciates the more strategic and forward-looking approach where more focus is put on policy-level cooperation among the Member States as well as measures concerning cyber threats, risks and vulnerabilities rather than just incidents. The new peer review system (Art. 16) must be used effectively to promote policy-level cooperation among the Member States as well as more harmonised implementation of the Directive across the Union. Harmonisation, along with more proactive security measures, will also be supported by the use of cybersecurity certification schemes as suggested in Art. 21 of the Commission’s proposal. In this context, it would be most efficient to endorse well-known international security certifications, such as ISO 27001.

In the context of cybersecurity regulation, any underlying political considerations, such as those related to Europe’s digital sovereignty, must be made as transparent and explicit as possible. Their potential impact on cost and access to state-of-the-art technologies must also be acknowledged and assessed, in order to reach the best possible added value for Europe. In general, improving Europe’s digital resilience and sovereignty is a good objective that must be supported with broad-scale measures to develop European technological competences and skills. At the same time, excellence, cost-efficiency and environmental sustainability must remain the main criteria for developing the digital infrastructures in Europe.

Cybersecurity issues cannot be solved and managed by government actions and government agencies alone. CSIRTs (Computer Security Incident Response Teams) and ISACs (Information Sharing and Analysis Centers) have vital and well-established roles in incident mitigation and prevention. It is very important to ensure an early flow of trusted information on vulnerabilities and incidents between governmental CSIRTs and the CSIRTs and ISACs in the private sector, in the NRENs (National Research and Education Networks) and in research infrastructures. Existing mechanisms for trust, such as the Trusted Introducer Protocol and SIM3 or Sirtfi certification, should enable access to some early information on vulnerabilities and incidents.

Considering the vital importance of timely and efficient information flows, CSC is pleased with the proposal’s emphasis on increasing cooperation and information sharing among the authorities and service providers covered by the Directive, especially the obligation for the Member States to facilitate information sharing among essential and important entities (Art. 26). When identifying the parties and channels of information sharing, all existing networks, such as those between the private-sector CSIRTs and ISACs described above, must be fully leveraged. The aim must be to allow for as much information sharing as possible without compromising on confidentiality.

CSC is also happy to see that the national cybersecurity strategies are to include a policy on supporting academic and research institutions to develop cybersecurity tools and secure network infrastructure (Art. 5.2.f). These policies must also fully leverage existing structures and prior self-regulation efforts, e.g. in the framework of the emerging European data infrastructure landscape and ecosystems, including European Open Science Cloud, GAIA-X, EuroHPC and European research and education networks.