Large-scale cybersecurity incidents caused by spyware – EU Commission response

See question(s) :E-003134/2022

EN
E-003134/2022
Answer given by Mr Breton
on behalf of the European Commission
(1.3.2023)
The Commission strongly condemns any illegal access to communication systems and any form of unlawful interception of users’ communications. EU legislation tackles unlawful surveillance and protects data privacy, through the General Data Protection Regulation (GDPR)¹, the Law Enforcement Directive², the ePrivacy Directive³ and Directive 2013/40/EU⁴.

The monitoring and enforcement of EU data protection and privacy rules are primarily the competence of Member States. The Network and Information Security (NIS2) Directive⁵, that entered into force on 27 December 2022, lays down obligations requiring Member States to adopt national cybersecurity strategies and lays down cybersecurity risk-management measures and reporting obligations for essential and important entities. Compared to its predecessor, NIS2 will include more sectors, strengthen security requirements, address security of supply chains, streamline reporting obligations and harmonise sanctions. NIS2 also formally establishes the EU-Cyber Crisis Liaison Organisation Network (CyCLONe)⁶ to support the coordination and management of large-scale incidents.

Furthermore, the EU Blueprint⁷ provides a plan for cooperation and coordination between Member States and EU Institutions, Bodies, and Agencies in the event of large-scale cybersecurity incidents and crises to enable effective response, share situational awareness and agree public communication messages.

---

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88.
2 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89-131.
3 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37-47.
4 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, OJ L 218, 14.8.2013, p. 8-14.
5 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), OJ L 333, 27.12.2022, p. 80-152.
6 https://www.enisa.europa.eu/topics/incident-response/cyclone
7 Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises, OJ L 239, 19.9.2017, p. 36-58.

Source: Answer to a written question – Commission response to large-scale cybersecurity incidents caused by spyware – E-003134/2022(ASW)

© European Union, 2023 – EP