Brussels, 29 June 2021
WK 8637/2021 INIT
LIMITE
CYBER
This is a paper intended for a specific community of recipients. Handling and
further distribution are under the sole responsibility of community members.
NOTE
From:
General Secretariat of the Council
To:
Delegations
Subject:
Building the Joint Cyber Unit - Commission Recommendation and Annex
Delegations will find in Annex the presentation of the Commission Recommendation and Annex on
building a Joint Cyber Unit, given by the Commission during the HWP on Cyber Issues meeting on 28
June 2021.
WK 8637/2021 INIT
LIMITE
EN
Building the Joint Cyber Unit
Commission Recommendation and Annex
The Joint Cyber Unit
‘Digitalisation and cyber are two sides of the
same coin.
This starts with a different mindset: We
need to move from “need to know” to
“need to share”.
We should do this through a joint Cyber
Unit to speed up information sharing and
better protect ourselves.’
President Von der Leyen Political Guidelines
The Joint Cyber Unit is a virtual and physical platform for cooperation for the
different cybersecurity communities in the EU, with a focus on operational and
technical coordination against major cross border cyber incidents and threats.
(The EU’s Cybersecurity Strategy for
the Digital Decade, JOIN(2020) 18 final)
The consultation process
16
• Presentation by the Commission at the HWP
July
’20
Jul– • Informal discussion paper shared by the Commission (feedback from 17 MS)
Sept
’20
Sept • ENISA mapping update
-Dec
’20
29
• Blue OLEx II - Strategic policy discussion on Joint Cyber Unit with heads of
Sept
EU cybersecurity authorities
’20
20
• JCU section in the EU Cybersecurity strategy
Dec
’20
Feb- • Bilateral meetings with all Member States
Mar
’21
23
• Recommendation C(2021) 4520 final issued
June
’21
EU cybersecurity communities
Source: ENISA mapping
The Joint Cyber Unit - Vision
Member States and relevant EU institutions, bodies and agencies should ensure that, in cases of
large-scale cybersecurity incidents and crises, they coordinate their efforts through a Joint Cyber Unit
which enables mutual assistance […] The Joint Cyber Unit should also allow participants to engage in
cooperation with the private sector.
• Lack of inter-community structured
cooperation
WHY - 2 main gaps
• Need to tap into the full potential of
operational cooperation including
private sector involvement
• Preparedness
WHAT - 3 objectives
• Situational awareness
• Coordinated response
• Civilian
WHO - 4 communities
• Law enforcement
• Diplomatic
• Defence
• Define
HOW - 4 steps
• Prepare
• Build
• Expand
Caveats:
- To the extent allowed by
their mandates
Objectives
- Take into account existing
processes and the expertise
of the different cybersecurity
communities
Ensure a coordinated EU response to and recovery
from large-scale cyber incidents and crises
Operational participants to swiftly and effectively
mobilise operational resources for mutual assistance - subject to the
request from one or more Member States.
share best practices
harness continuous
shared situational awareness
ensure necessary
preparedness
Key elements and principles
To complete
EU Cybersecurity Crisis Response Framework (‘Blueprint’)
• It tackles
large-scale incidents and crises (i.e. with a significant impact in at least two
Member States)
• Focuses on
technical and operational l
evels (link with political ensured through the
Integrated Political Crisis Response arrangements, IPCR)
It is not a new body
•
A platform assisting participants to perform crisis management operations more effectively
• Participants contribute to the
extent allowed by their mandates (e.g. Article 7 of Regulation
2019/881, Cyber-Act, and Article 3 of Regulation 2016/794, Europol)
• Funding provided through
DEP
Recommendation sets out
process, milestones and timeline
•
Four steps over
two years
•
Core and
supporting actions, depending on the objective
Incremental co-creation process between EUIBAs and MS
• Preparatory process to be completed by
working group (co-chaired by EC, HR, MS
representative)
•
Roles and responsibilities to be defined based on working group assessment
Enables mutual assistance
• Coherently with NIS Directive and
Article 222 of TFEU
•
Without prejudice to Article 42(7) of TEU
• Cooperation and mutual assistance agreements through
Memoranda of Understanding
Participants
•Space where cybersecurity
experts can, in case of need,
come together to conduct joint
Commission
Physical
External
operations, share knowledge
platform
Action
and exercises.
Service
EDA
•Built around
ENISA – CERT-
O
(including
EU adjacent Brussels office
INTCEN)
S
•Composed of collaboration
O
S
and secure information
sharing tools
PESCO
•Possible to use
existing
projects
ENISA
infrastructure (e.g. ‘SIENA’)
representat
to support the exchange of
ive
operational information,
Virtual
possibly including confidential
S
O
platform
material.
•Leveraging the wealth of
JCU
information gathered through
the
European Cyber-Shield,
notably through Security
HWP
CERT-EU
Operation Centres (‘SOCs’)
Chair
and Information Sharing and
Analysis Centres (‘ISACs’).
S
O
CSIRT
Cooperation
Network
Group Chair
Chair
S
O
EU-
EUROPOL
CyCLONe
‘EC3’
Chair
O: Operational
O
O
S: Supporting
S: Secretariat
Operations
EU coordinated response
The establishment, training, testing and coordinated
deployment of
EU Cybersecurity Rapid Reaction
Teams
The coordinated deployment of a
virtual and physical
platform
The creation and maintenance of an inventory
of
operational and technical capabilities available in the
EU across cybersecurity communities
The reporting experience gained in
cybersecurity
operational cooperation activities within and across
cybersecurity communities
Operations
Shared situational awareness and preparedness
The development of the
Integrated EU Cybersecurity Situation report
• Building on the ENISA Technical situation report
The use secure
tools for rapid information-sharing
The
exchange of information and expertise
The development, management and testing of
EU Cybersecurity Incident and Crisis Response Plan
• Based on
national plans introduced under NIS2
• Testing through cross-community exercises and trainings
Conclusion of information-sharing and operational cooperation agreements with
private sector entities
Synergies with national, sectoral and cross-border
monitoring and detection capabilities (e.g. SOCs)
Assistance in crises
management
• supporting diplomatic action (use of Cyber-diplomacy toolbox)
• political attribution as well as attribution in the context of criminal investigations
• aligning public communication and facilitating incident recovery
Steps to build the Joint Cyber Unit
Assessment and
conclusions on future
By
the
By
end
Step Three -
Step One -
Step Two -
Step Four -
J
Operationalise
une
Define (by 31
Prepare (by 30
of
Expand (by
(by 31
December 2021)
June 2022)
June 2023)
s
2025
December 2022)
tep
tw
o
• Assessment of the
• Preparing Incident and
• Mobilising EU Rapid
• Expanding the
Joint Cyber Unit
Crisis Response Plans
Reaction teams, along
cooperation within the
organisational aspects
and rolling-out joint
the lines of procedures
Joint Cyber Unit to
and identification of
preparedness
in the EU Incident and
private entities and
EU available
activities (i.e.
Crisis Response Plan,
reporting on progress
operational
exercises, integrated
and support EU
made
capabilities
EU cybersecurity
response (e.g. public
situation reports)
communication,
attribution)
Council conclusions endorsing the
outcome of the preparatory work
Assessment of
Working Group
JCU organisational
aspects and
roles and
responsibilities
Co-chaired by Commission
High Representative Member
By 30 June 2022:
Presents the
assessment to the
States representative
Commission and the
High Representative
(which share it with
Council)
Composed
Tasked with
of
completing
Commission and the
Convened
High Representative
operational
the
draw up a
joint report
by the
and
preparatory
on the basis of that
Commission
assessment
supporting
work (first
participants
two steps)
Invite the Council to
endorse that report via
Council conclusions.
Thank you
Document Outline
