Large-scale cybersecurity incidents caused by spyware – EU Commission response

Brussels, 1 March 2023

See question(s) :E-003134/2022

EN
E-003134/2022
Answer given by Mr Breton
on behalf of the European Commission
(1.3.2023)
The Commission strongly condemns any illegal access to communication systems and any form of unlawful interception of users’ communications. EU legislation tackles unlawful surveillance and protects data privacy, through the General Data Protection Regulation (GDPR)¹, the Law Enforcement Directive², the ePrivacy Directive³and Directive 2013/40/EU⁴.

The monitoring and enforcement of EU data protection and privacy rules are primarily the competence of Member States. The Network and Information Security (NIS2) Directive⁵, that entered into force on 27 December 2022, lays down obligations requiring Member States to adopt national cybersecurity strategies and lays down cybersecurity risk-management measures and reporting obligations for essential and important entities. Compared to its predecessor, NIS2 will include more sectors, strengthen security requirements, address security of supply chains, streamline reporting obligations and harmonise sanctions. NIS2 also formally establishes the EU-Cyber Crisis Liaison Organisation Network (CyCLONe)⁶to support the coordination and management of large-scale incidents.

Furthermore, the EU Blueprint⁷provides a plan for cooperation and coordination between Member States and EU Institutions, Bodies, and Agencies in the event of large-scale cybersecurity incidents and crises to enable effective response, share situational awareness and agree public communication messages.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88.
2 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89-131.
3 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37-47.
4 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, OJ L 218, 14.8.2013, p. 8-14.
5 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), OJ L 333, 27.12.2022, p. 80-152.
6 https://www.enisa.europa.eu/topics/incident-response/cyclone
7 Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises, OJ L 239, 19.9.2017, p. 36-58.

Source: Answer to a written question – Commission response to large-scale cybersecurity incidents caused by spyware – E-003134/2022(ASW)

Cookie	Duration	Description
__stripe_mid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
_abck		This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
_wpfuuid		This cookie is used by the WPForms WordPress plugin. The cookie is used to allows the paid version of the plugin to connect entries by the same user and is used for some additional features like the Form Abandonment addon.
ASP.NET_SessionId		Issued by Microsoft's ASP.NET Application, this cookie stores session data during a user's website visit.
AWSALBCORS		This cookie is managed by Amazon Web Services and is used for load balancing.
bm_sz		This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checbox-analytics		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional		The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary		This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor		This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID		Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy		The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_4L7PKQPHHV		This cookie is installed by Google Analytics.
_ga_T50H0MNN9J		This cookie is installed by Google Analytics.
_gat_gtag_UA_12289088_5		Set by Google to distinguish users.
_gcl_au		Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid		Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
_mcid		No description available.
_swa_u		This cookie is set by the provider Sitewit.com. This cookie is used for statistical report and analysis.
ak_bmsc		No description available.
AWSALB		AWSALB is a cookie generated by the Application load balancer in the Amazon Web Services. It works slightly different from AWSELB.
ec_store_chameleon_font		No description available.
FCCDCF		No description available.
issuem_lp		No description available.
lp_us_his		No description
m		No description available.