The 10th European Cyber Security Conference

The EU’s cybersecurity policy agenda has steadily advanced in the past decade. Russia’s war on Ukraine has demonstrated the need for an up-to-date, future-proof regulatory framework that prepares Europe for an ever-growing threat landscape, reinforces the EU’s industrial and technological capacities to reduce dependencies, enhances its strategic autonomy, and drives its leadership in cybersecurity forward. Accelerating the implementation of NIS2 and CER to protect our critical infrastructure is now deemed paramount. Several legislative files and projects aiming to complement the EU Cybersecurity framework are currently in the making. This session will ask if the latest cyber security initiatives that aim to increase trust and security in essential products and services, such as the CRA, the EUCS and other certification and standardisation schemes, are truly fit-for-purpose, and the extent to which they will fulfil the ambition of creating a robust cyber security landscape in which a thriving European cybersecurity market can be developed, allowing the region to become a global leader in this area and supporting its drive for strategic autonomy in the digital domain.

Possible questions:

• To what extent does the European cybersecurity policy framework reflect the rapidly expanding cyber threat landscape? What is being done to ensure that the new proposed files and cybersecurity certifications initiatives remain aligned with NIS2 and other relevant existing legislations and schemes and address the emergence of future technologies?
• What is the latest on the Cybersecurity Certification Scheme for Cloud Services (EUCS) and on the sovereignty requirements on European data localisation and foreign law immunity that have been proposed? How will the three levels of assurance suggested be established, and how can it be ensured that fair competition and trade are not restricted? With this voluntary certification scheme expected to become mandatory, what does this mean for companies involved in cloud service deliveries, including SMEs?
• To what extent will the provisions of the proposed CRA, meant to address vulnerabilities in digital products and associated services through a security-by-design approach, help enhance the security of the entire cyber ecosystem in Europe? What does security by design look like in practice? What new opportunities, and challenges, do the proposed obligations for businesses bring, and how can it be ensured that the Act does not impede the roll-out of future technologies and services in Europe? How can companies prepare now, and should further sectoral legislation be proposed to complement the provisions of the CRA?
• How will the latest policies interact with global standards and accepted certifications from internationally accredited bodies? To what extent can the European cybersecurity framework become an international point of reference, setting cybersecurity as a competitive advantage, and enhancing security levels globally?

As the cyber threat landscape will continue to evolve more rapidly than legislations regulating the space, it is paramount that organisations across Europe develop holistic approaches to cyber security, combining digital technologies with human skills, systems and processes, to prepare and protect themselves against the latest and most sophisticated threats.  This session will explore how such integrated approaches look in practice and will discuss what information security management systems and governance frameworks need to be put in place to successfully leverage the role that technology such as AI, ML, ‘digital twins’, blockchain and quantum can play when combined with human expertise. Speakers will debate what is needed for such layered processes to become more mainstream across operations in European organisations when it is recognised that the considerable shortage of skilled cybersecurity professionals and low levels of investment across the bloc dampens current efforts to increase cyber resilience.

Possible questions:

• How does the use of technologies such as AI and ML bolster cyber security and augment the work of cyber security individuals? How will they, in practice, make SOCs more efficient? What cybersecurity considerations must be given regarding the increased use of Edge Computing within organisations?
• How can a strong culture of cybersecurity within an organisation be built? What can be learnt from entities achieving systematic cyber preparedness and resilience through cyber-risk governance and management? What are the benefits of strategic frameworks such as the Zero-Trust model and Vulnerability Disclosure Policy for an organisation’s cyber resilience?
• How can the target of reaching 20 million ICT workers by 2030, outlined in the ‘Path to the Digital Decade’, be achieved? How can the training, upskilling and re-skilling of the current workforce in cyber security, cyber awareness and hygiene be further supported? What is being done to encourage organisations to focus on diversity, equity, inclusion and investment in early talent through their cybersecurity recruiting programmes? How can the Cyber Skills Academy, expected to be launched in 2023, concretely address these issues?

The digital space has increasingly become a ground for cyber and hybrid attacks led by state and non-state actors exploiting the open nature of the internet, targeting critical infrastructures globally, spreading disinformation campaigns, or conducting cyber sabotage and espionage. These trends have accelerated since the start of Russia’s war on Ukraine. and have emphasised the urgent need to strengthen the resilience of cyberspace and critical infrastructures around the world. While the EU has stepped up its regulatory efforts in the past years to boost cyber security, protect critical infrastructures, and enhance the security of supply chain, digital products and services within the bloc, these initiatives must remain coherent and complimentary with similar schemes being developed on regional and global levels, as well as with international standards and norms. This session will explore how collaborative global efforts of like-minded partners and a multistakeholder approach can be enhanced to boost the resilience and security of a trusted, borderless cyberspace. It will discuss whether the systems currently in place to build global partnerships around shared understandings of cyber risks, capacity building, information sharing, and coordination on cyber threats detection and response are fit-for-purpose and what more is needed given the global dimension of cyber threats, the rapid emergence of new technologies and the various regional and national digital sovereignty approaches that are surfacing worldwide.

Possible questions:

• How has cooperation between the EU and allies on cybersecurity issues changed since the start of Russia’s war on Ukraine? How successfully is the EU working with international partners, and how effective have attempts to develop a global cyber security approach been? What might a global rules-based system for cyber security look like, and how could this be achieved when different, and sometimes competing, visions over digital governance keep emerging worldwide?
• As most critical infrastructure is owned and operated by private companies, how can cooperation between the private sector and governments be improved to enhance the resilience of such infrastructure? What is needed to deepen international cooperation to ensure the integrity of the ICT supply chain?
• How can threat information-sharing and confidence-building measures at the global level be improved?
• To what extent will the EU External Cyber Capacity Building Agenda enhance third countries’ cyber resilience and capacities?
• As provisions to strengthen the EU Cyber Diplomacy Toolbox are expected in 2023, what more should be included to prevent and respond more effectively to cyber threats and improve attribution capabilities? To what extent can the sanctions regime be enhanced?

Today’s geopolitical context and the recent cyber-attacks on space, transport and energy infrastructures on which both the civilian and military realms rely further underline how central the cyber dimension can become in military conflicts. To address the need for better protection, detection, deterrence, and defence against a growing number of cyber threats, the European Cyber Defence Policy was recently released to boost the EU’s cyber defence capacity and bolster cooperation between the civilian and military cyber communities as well as between the public and private sectors. From the improvement of information exchange and early detection of cyber threats via a network of SOCs powered by AI, the development of state-of-the-art cyber defence capabilities through the creation of a technology roadmap for critical cyber technologies to the promotion of the use of emerging and disruptive technologies (EDTs) to inform future military strategies and operations, digital technologies are at the very heart of the European Cyber Defence Policy.  This session will discuss how the benefits of digital tech can be best harnessed so that the goals outlined in the European Cyber Defence Policy can be achieved – considering that the EU cyber defence sector currently relies significantly on civilian solutions and external markets and explore the extent to which the EU’s proposed approach to cyber defence will be enough to keep pace with ever-growing sophisticated cyber threats.

Possible questions:

• How can coordination mechanisms among national and EU cyber defence actors, between military and civilian cyber communities and between the private and public sectors be enhanced considering the existing shape of the cyber defence industrial ecosystem?
• What more can be done to capitalise on the role tech, including EDTs, can fully play in cyber defence? How can the existing gaps for specific military cybersecurity requirements be fulfilled to contribute to better detection and response to threats?
• How will it be ensured that the technology roadmap for critical cyber technologies expected in 2023 truly addresses the technology needs of the EU cyber defence sector and reduce technological dependencies without stifling innovation? How will this roadmap interact with the CRA? Is an EU cybersecurity certification scheme for companies providing services to the defence industry needed?
• How is the new EU Cyber Defence Policy connected to the recent work on protecting critical infrastructure? How will the need for cooperation between the civilian and military sectors be addressed to develop standards for dual-use digital and cyber security products?
• In the context of cyber defence, how will establishing the EU-wide Cyber Shield through a cross-border network of AI-powered SOCs and creating an EU Cyber Solidarity Initiative truly work in practice? How will the shield complement the work of existing SOCs and CSIRTs/CERTs? What conditions will be met for private cybersecurity companies to be considered a ‘trusted private provider’ forming the EU-level cyber reserve? How will it be possible for European SMEs working in the field of security and defence to be included?
• Are the proposed research and investment instruments enough to turn all these objectives into reality, considering the budgetary constraints that the EU currently faces?