EU Cyber Update

EU releases its first State of Cybersecurity report with cyber threats and policy recommendations, along with a new cybersecurity plan for healthcare.

On December 3, 2024, the European Union released its first-ever report on the State of Cybersecurity in the Union. The report includes a description of the EU cyber threat landscape, cybersecurity capabilities at the union level, and ways of improving cybersecurity, through policy implementation, cyber crisis management, and building cybersecurity skills. Juhan Lepassaar, the EU Agency for Cybersecurity Executive Director, said the report “reflects on our ongoing collective efforts and underscores our shared goal to bolster security and resilience across the EU.” 

The cyber threat level was assessed to be “substantial”, with DOS/DDOS/RDOS, ransomware, and data attacks making up the majority of cyber incidents between July 2023 and June 2024. The main findings were that generally, nations in the EU have created cybersecurity strategies aligning with the EU’s objectives. Citizens are more aware of cybersecurity, but nearly half (46%) of EU citizens still “lack the digital skills needed to fully participate in society, hindering their access to online services.”  Young people tend to have a higher level of digital skills than older people, and the gender gap for digital skills is also shrinking. 

The report offers six policy recommendations to address these issues: 

1. Help EU cybersecurity organizations (like government agencies and other groups covered by the Network and Information Systems Directive 2 (NIS2 Directive) get the money and tech support they need to work together and quickly implement the EU's updated cybersecurity plans.

1. Update their plan for dealing with major cyberattacks, keeping in mind all the recent changes in EU cybersecurity policy. This updated plan should make cybersecurity practices more consistent across the EU and improve both national and EU-wide cybersecurity capabilities, leading to better protection against cyber threats.

1. Use the Cybersecurity Skills Academy and a shared EU approach to cybersecurity training to build up the cyber workforce by finding skill needs, setting up a certification system for cybersecurity skills, and addressing stakeholder concerns. 

1. Improve the cybersecurity of supply chains across the EU by working together to assess risks and creating a general EU policy to address the cybersecurity problems faced by both governments and businesses.

1. Boost understanding of the unique cybersecurity needs of different industries covered by the NIS2 Directive, improve their cybersecurity defenses, and use the upcoming Cybersecurity Emergency Mechanism to help sectors prepare for and withstand attacks, especially those that are considered high-risk based on EU-wide assessments.

1. Collaborate to create a single, consistent approach to cybersecurity awareness.  Building on what we've already done, we'll coordinate national efforts to teach both professionals and everyday people (regardless of age, etc.) about cybersecurity best practices and how to stay safe online.

On January 15, 2025, the EU Commission published an action plan on the cybersecurity of hospitals and healthcare providers - meeting the political guidelines of the 2024-2029 mandate and aligning with the fifth recommendation of the state of cybersecurity report. The health sector in the EU has been the target of many cyber attacks, especially ransomware. According to a report on the effects of cyber incidents in EU healthcare settings found that “71% of attacks with effects on patient care, such as delayed treatment, diagnosis and impaired access to emergency services, were of the ransomware type.” 

The strategy is the first to be sector-specific and use all EU’s cybersecurity measures but sets out to accomplish more broad objectives than the US counterpart - the Department of Health and Human Services (HHS) Cybersecurity Strategy. The action plan’s main goals are to help the sector prevent cybersecurity incidents, enhance cyber information sharing and the ability to detect cyber threats, give better response and recovery options following a cyber incident, and set up means of deterring cyber threat actors from attacking healthcare systems. 

The plan says “holding criminal actors accountable for their action is an important deterrent”, and the recent sanctions on three Russian nationals for cyber attacks on Estonia. Nikolay Alexandrovich Korchagin, Vitaly Shevchenko, and Yuriy Fedorovich Denisov are believed to have launched cyber attacks on important computer systems to understand Estonia’s cybersecurity policy. They accessed confidential data from government ministries like Economic Affairs and Communications, Social Affairs, and Foreign Affairs - allowing them to see health records and private business information. Denisov and Korchagin have been previously charged by the Department of Justice for conspiring to commit computer intrusion and wire fraud conspiracy alongside other actors in Unit 29155, a hacking group in the Russian Federation. 

The EU’s report and action plan show that the union is continuing to take cybersecurity seriously. Hopefully, they will be effective in reducing cyber attacks and protecting everyday citizens.