European Commission's Despina Spanou on why cyber officials must 'learn lessons from crises'

When it comes to privacy and cybersecurity regulations, the European Union often sets the standards that other governments follow.

In 2016 the EU adopted the landmark General Data Protection Regulation (GDPR), which imposes multimillion-dollar penalties for failing to safeguard consumer data, as well as the Network and Information Security Directive (NIS) that sets cybersecurity requirements on critical infrastructure operators. Lawmakers are negotiating an updated version of the law, called NIS-2, that expands its scope.

Despina Spanou has played a key role in negotiating and implementing EU cybersecurity policy. She currently serves as the Head of Cabinet for Margaritis Schinas, one of the eight vice presidents of the European Commission, which acts as the executive body for the European Union. She previously served as Director for Digital Society, Trust and Cybersecurity for the Commission’s tech-focused directorate, where she was responsible for the implementation of the NIS Directive and negotiations of the EU Cybersecurity Act.

Spanou, who recently visited the U.S. to teach a course at the John F. Kennedy School of Government at Harvard University, talked to The Record about digital spillover effects from Russia’s war in Ukraine, the direction of EU cyber policy, and what the U.S. can learn from the EU’s efforts in this field. She said she was expressing her personal view based on her experiences, and was not speaking on behalf of the EU.

The conversation has been lightly edited for space and clarity.

The Record: What brings you to the U.S. right now?

Despina Spanou: I’m a visiting professor for an executive course on cybersecurity that I myself followed many years ago. But I come to the U.S. often… I was in Washington in early June for work and I was just telling the people in this course that I saw a very big change of wind in cybersecurity in the U.S.

TR: Yes, I think I saw a photo of you with Chris Inglis, the National Cyber director.

DS: He's a great guy, and he shared with me that he was very inspired by what we do in Europe. It is actually true that we were pioneers in cybersecurity legislation.

Thank you @ncdinglis for the excellent discussion on #cybersecurity and our common goals for protecting critical infrastructure and government institutions and addressing the skills gap in #EU and the #US pic.twitter.com/x04e2ezX1y

— Despina Spanou (@DespinaSpanou) June 3, 2022

TR: I want to talk more about that, but let’s start with what we’ve been seeing over the last few months — pro-Russia cybercrime groups have been targeting Lithuania, Italy, Romania and other countries in the European Union. What's the EU doing to combat them in a unified way?

DS: Cybersecurity was the number two issue for the European government after the war in Ukraine broke out. Immediately on the Sunday after the war started, the Ministers of Justice and Home Affairs of the European Union — the equivalent of Homeland Security in the U.S. — gathered in an extraordinary meeting. The two topics at the top of their minds as an immediate impact of the war that had broken out were: first, the influx of migrants in the EU, because of the proximity of the borders, which was the reality of those days. We had millions of people fleeing the war. And then second was cybersecurity — what are we doing to shield our systems? 

This was a very big revelation politically, because we've been working on cybersecurity and a common coordination between countries for some years. But it was the first time that we were being faced with an imminent threat in the eyes of the governments. And they turned to the EU to ask ‘what are we going to do? How are we going to deal with it together?’ The truth of the matter is that the EU has had a system of working together for a while now. Our legislation — known as NIS — requires every country to have a CERT team — an emergency response team — at a national level. And these CERT teams of the 27 governments of the EU, they have a network, and they talk to each other every time there's an incident.

You can imagine that their lines have been heating up over the last few months. So the first answer to your question is that this war has prompted our existing networks to work even closer together. And we have networks at the technical level — at the level of the CERTs. And we have the possibility, which we have not yet triggered, of political-level coordination because we have a blueprint that allows governments to agree on action. We haven’t had to do this because for now everything is well-managed — so far so good — by the governments and by the European agencies. Europol, the EU law enforcement agency, has been very active through their law enforcement capacity. Through cooperation agreements they also work with law enforcement in third-party countries, like the U.S. 

All these CERTs and all these emergency teams and networks have simply come even closer together. And I think this is why we have managed not to have a spillover of smaller cyberattacks, where they become large incidents. Not that this can’t happen, but for now I think the EU, with its current mechanisms that we have built very efficiently in the last five years, has managed to have a unified effort to do its best. 

But we don’t stop at what we have. Back in May, we also had further agreements between the governments of the member states. To enhance our cooperation, we are adopting what we call an EU cyber posture, which aims to demonstrate that we want to deal with cyber response together. We're not going to let every country deal with it alone, but we're going to take a unified approach. There will be more and more cooperation.

TR: When it comes to fallout from the war in Ukraine, what resources have you deployed?

DS: The EU deployed specific help there and we continue to mobilize financial resources. We have provided financial support for Ukraine, but also to the most exposed member states. We set aside more financial support for those members of the EU which are more exposed because of the specificity of the geopolitics of this war, to help them.

TR: Besides financial resources, have you also sent people?

DS: Yes, but we're talking about cybersecurity experts — the EU does not have a common cybersecurity army. All help that has been provided to Ukraine, it has been through individual governments. We don't do that as the EU, but what we can do is coordinate to bring people over.

TR: Earlier you mentioned spillover effects, which is something that both EU and U.S. officials have warned about. What can be done to prevent cyberattacks from cascading out of control?

DS: Our whole cybersecurity ecosystem is about preparedness, prevention, resilience. This is where we are the strongest in the EU. First of all, we have rules imposed on operators of critical infrastructure to meet very high cybersecurity standards. This is the well known NIS directive. This was our very first cybersecurity law, the first of its kind worldwide — 27 countries with the same level of cybersecurity for critical infrastructure.

So what does NIS mean? That energy, transport, banking, health, water systems, digital service providers, all these operators are obliged to meet the highest cybersecurity standards and to report any cybersecurity incidents to the authorities. Why report? Because when you report, the government can then make sure there's no spillover effect — not only at national level, but also at the EU level — because there is this network of government authorities that work together. This is the most solid way of preventing spillovers. 

And when NIS-2 will enter into force, we will have expanded the sectors of critical infrastructure even more. Sectors covered include pharmaceuticals, medical devices, food manufacturing, chemicals. All operators in these fields will have the same obligations. And if they do not meet all these requirements, they face a very high level of penalties. This is the way we've always done it in Europe. It doesn't work like that in every part of the world. But in the EU, we set up common norms and enforcement rules; this is the basis of our common market.

TR: I wanted to ask you about NIS-2 — I have that on my list. But I want to first bring up the NotPetya attack from five years ago, which is maybe the worst case scenario for a spillover effect. If something like that happened again, how would the EU respond?

DS: I think that NotPetya back then could have spread even more had it not been for European mechanisms.

I was doing cybersecurity work when NotPetya happened, and I truly believe that it could have had a bigger spillover effect if not for the fact that through the networks created in the EU, some countries had already started engaging in cooperation, and they started talking to each other. 

It's very simple. You meet at the level at the CERTs, people start calling each other, we have an issue. They tell each other to watch for this, know about that. I think five years on, this culture has been enhanced. The culture of cooperation and people talking to each other has increased tremendously. At the beginning, it was some like-minded people that were talking to each other, because in security the culture is not to share information. But I think five years on, we have a better culture of cooperation and more confidence in each other, and we have the legal framework. Since then, we have the implementation of the NIS, the implementation of the Cybersecurity Act that brings ENISA [the E.U. Agency for Cybersecurity] into the picture. 

And since then, we have also adopted a blueprint for large-scale incidents in Europe. We actually have a playbook that was adopted in 2018 that basically says who does what in case we have an incident that an EU member state can’t manage alone or that takes place in more than one member state. So this could be triggered in the next NotPetya-like incident. 

With NIS-2, we have another instrument called the EU CyCLONe, which is composed of member states’ cyber crisis authorities at a higher level and us in the European Commission — it is meant to meet and follow on the experts’ advice at the decision making level. These are instruments and mechanisms that we didn't have back then that could only enhance the coordination.

The whole spirit of prevention of spillover in the EU is based on talking to each other, because we have a connected internal market. And if one is in trouble, it's possible we're all in trouble. By way of a recent example of such interconnection: the COVID certificate was born in Europe and is now found in 75 countries in the world that adopted the same system. The certificates are maintained by national authorities, and it is a connected system in the whole of the EU created by the European Commission. So imagine somebody gets in one country's hub for maintaining the data of everyone that has a COVID certificate, which is basically almost every European citizen. It is the most sensitive of data because it is health data. It is very personal data. If you get into one, you get into others. It’s an example of why people now see the interest of working with each other, why something like the EU CyCLONe is very relevant.

TR: So NIS-2 — what’s the status of it, and can you break it down for our American readers who might not be familiar with it?

DS: Yes of course — I was just teaching about that, actually. For your American audience, the NIS-1 is what you are currently discussing in the U.S. with the Strengthening American Cybersecurity Act. In Europe we find it really important, especially at a time when there is a transatlantic cooperation that has been renewed under the new administration, to see this convergence of approaches. When we adopted the NIS in Europe, there was not any discussion about imposing obligations on critical infrastructure operators in the U.S. And now we see a convergence, so that's good news.

The second interesting part is that NIS-1 took a very long time even for European governments to agree on. We put five years between when we proposed it and when it was implemented. It entered into force in 2018, and at the end of 2019 we proposed to upgrade it. And we just finished the negotiations a year and a half later, which is record time for European standards, especially during COVID when you can't have meetings and proper negotiations.

This already shows you that there is a willingness to work on the basis of this legislation. The acceptance level is high for us to be able to upgrade it. Now, what was the upgrade about? The upgrade was about the scope and about the enforcement. The scope was to expand it, because originally it applied to the typical critical infrastructure operators: as I mentioned, banking, health, energy, transport, digital service providers, and water supply. And we have expanded it to cover certain manufacturing sectors like pharmaceuticals, medical devices, chemicals, food, and very interestingly public administration. Something that might be interesting for your American audience is that already under the previous U.S. administration, government agencies were being advised to apply the NIST [National Institute of Standards and Technology — a Commerce Department agency that sets cybersecurity guidelines] standards, whereas in Europe we had less public administration outside the scope of NIS. And interestingly, this was a very challenging part of the negotiations — to convince government that they had to equip themselves with high cybersecurity standards, like the critical infrastructure operators. These were the major issues, and then we wanted to go further in enforcement. So for the first time that cybersecurity legislation provides for penalties for those operators that do not meet either the standards or the reporting obligations.

TR: What are some lessons that the U.S. can learn from that process?

DS: Well, I think that if you take as an example the Colonial Pipeline incident, which caused major disruption in the U.S., I think that if an NIS type of legislation was there, we could have prevented some of the spillover impact. And I think it's possible that the spillover in the EU would have been greater if we didn't have the NIS. But cybersecurity is such a dynamic area that we all have to learn lessons from crises.

TR: You’ve said in the past that we don’t have mechanisms for building a “coalition for good” on cybersecurity…

DS: I believe we discussed this at the Munich Cybersecurity Conference. The current U.S. transatlantic agenda on technology that includes cyber, but also our discussions of cybersecurity, are a very good example of how the like-minded have to work together. And the current geopolitical context shows that we have to work together, because the like-minded people are interested in peace. But we do not have agreed mechanisms. At the moment, it's all on the basis of goodwill. 

For instance, after the Colonial Pipeline attack, we started a ransomware [action] group between the European Commission and the U.S. Department of Homeland and Security. And that's great. Why can't we do the same for large-scale cyber incidents? We have a blueprint in the EU. There is something equivalent in the U.S. Why can't we find something — a common ground — and have a set and agreed approach of like-minded partners to deal with risks and incidents? 

I think this is also our attempt in the Trade and Technology Council when it comes to the security of technology. We should not just be looking at cybersecurity incidents, but also on the baseline. There are certain very challenging issues on new technologies being introduced. I think we should use this mechanism to have agreed ways where the coalition of the good can come in. 

And last but not least, one of the biggest challenges we have in cybersecurity in the EU and U.S. is the lack of skilled workforce. We simply don't have enough people to do everything that we put in law. And governments will never have enough people, because they will always be poached by the industry because the private sector can be more appealing at times. So it's also there that we will need to pool expertise to deal with big incidents and try to send people to each other and borrow expertise. We don't have an agreed way of doing that.

"When faced with a crisis, the EU always has a history of becoming stronger. We did that with COVID. Who could imagine that we would have a single process for procuring COVID vaccines for the whole population of the EU, hundreds of millions of people. It's the same with the war in Ukraine. We decided to use all the mechanisms we have created in the last year for cybersecurity cooperation and deploy them in view of the new circumstances. Any crisis is a wake up call. And in the case of the EU, crises lead to more unity and more solidarity."

— Despina Spanou

TR: Do you think the EU and U.S. can overcome spying fears — is that getting in the way of cybersecurity collaboration?

DS: This is the question about any cooperation on security matters. This is not a question unique to cybersecurity. I think I mentioned it earlier how the culture of security is not to share information, it is to keep information. So, obviously, you need to have safeguards in any type of cooperation and on any kind of security agreements. You need to have safeguards that allow governments to preserve their sovereignty, their public security. In our pieces of legislation, this is the number one safeguard that is black-and-white stated. You just need to have the appropriate safeguards and a very solid basis of reciprocity for the exchange of information so that trust is built.

TR: What do you think are the key policies the EU should put in place on cyber, and what are the policies that the world should come together on?

DS: So, for the EU we have already announced a couple of things that are important to us. The first is the creation of this joint cyber unit approach, which is pooling experts that would work on the operational side in case we need to respond and counteract and manage a large-scale incident. It's very challenging because, as I mentioned, skills are scarce. If you're in the middle of a crisis, you have to preserve enough expertise to cover your own needs. So this is a big challenge for us, but it's a project that is ongoing and we're working on it. And it is very important that we now pass to the operational cooperation in the EU — not just cooperation on policy, prevention, preparedness, sharing of information.

And the second one has already been announced and will come before the end of the year. It is called the Cyber Resilience Act, and it covers a need to bring the culture we have in the EU for a high level of safety norms for every product and service in the EU, for connected products and services. You cannot export anything to the EU and you cannot circulate anything within the internal market of the EU unless it meets the norms set by the law, be that in food safety or in product safety. We haven't done that for cybersecurity yet. Now, that's major, because cybersecurity includes technology, and technology is very dynamic. The aim is to ensure that cybersecurity becomes part and parcel of products. This is the way to go to achieve security by design.

TR: To bring it full-circle on Ukraine, do you think the war has lit a fire under the EU when it comes to cybersecurity policy?

DS: When faced with a crisis, the EU always has a history of becoming stronger. We did that with COVID. Who could imagine that we would have a single process for procuring COVID vaccines for the whole population of the EU, hundreds of millions of people. It's the same with the war in Ukraine. We decided to use all the mechanisms we have created in the last year for cybersecurity cooperation and deploy them in view of the new circumstances. Any crisis is a wake up call. And in the case of the EU, crises lead to more unity and more solidarity. As you have seen, this has been the case at all levels regarding the war in Ukraine — one approach in the EU.