Ms Lorena Boix Alonso:

A chairde - although I cannot pronounce it correctly, I am trying anyhow - I thank the Members of the Houses of the Oireachtas for inviting the Commission. I am very honoured to join the members in this meeting of the Joint Committee on European Union Affairs, in particular, to speak about this very important subject of cybersecurity.

The Commission President, Dr. von der Leyen expressed it well in her state of the Union address on 15 September when she said that "If everything is connected, everything can be hacked." In recent times, unfortunately, we have witnessed the hacking of the Colonial Pipeline in the US, the Solarwinds incident, the ransomware attack on the IT supplier, Kaseya, and, of course, one that the members are all very well aware of, the massive cyberattack on the Irish Health Service Executive precisely at a very bad moment which was in the middle of fighting a worldwide pandemic. This, unfortunately, according to our figures, will not diminish. According to the European Union Agency for Cyber Security, ENISA, so-called "supply-chain attacks", which are very difficult to fight regardless of how many measures you are taking in your own company or administration because they come from someone else in the supply chain, will multiply by four this year and attacks on cloud infrastructure have increased fivefold in one year. You have seen also the increase of ransomware attacks. Some studies state that they have increased by 60%. Others give a higher figure. This is the reason the status quois not an option. Basically, what we have been doing until now is clearly not sufficient because the attacks keep on increasing, and the impact keeps on increasing as well. Sometimes you would believe there are no limits for the hackers. They just attack everything.

This is why the Commission, in December of last year, came with a strategy to reinforce what we have now and to make sure that citizens and business are protected, both online and offline. This strategy, which was adopted by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy together, was presented at the same time because it is part of the Network and Information Security Directive, a reform of our NIS directive. The strategy provides, from our point of view, a fresh vision and plan for cybersecurity to deal with the challenges we are facing. The idea is to build resilience and ensure we can all benefit from digital technologies because digital technologies promise a lot of things. Of course, if they are not cybersecure, none of the benefits of digital technologies will be available to citizens and businesses. Building upon what we already have in place, the strategy focuses on three main angles. The first angle is to build resilience, so-called "technological sovereignty" and leadership. The second angle is to build operational capacity so that it is not only about making sure we are protected and are resilient, but that we have a capacity to act, whether it is to prevent, to deter or to respond to large-scale cyberattacks, in particular. Lastly, of course, the international dimension is extremely important and advancing a global and open cyberspace through increased co-operation is also important.

For each of these pillars, there are concrete actions. I will not go through all of them because there is no time. As I mentioned already, an important pillar of building resilience is the NIS 2 directive, which is currently being negotiated in the Parliament and the Council of the EU.

We hope that the trilogues will start as soon as possible. The main objective was to build on the success of the NIS directive and go beyond that by enlarging the scope in order that more sectors can be covered by or subject to the obligations of this directive, ensuring that the rules are clear and that there are stronger supervision tools. That is the main objective behind the NIS directive reform.

I mentioned operational capacity and the need to react together in order to help each other. The incident that happened in Ireland is a good example of the potential of this operational capacity. At the time that happened, the co-ordination system at EU level was triggered. The Irish authorities triggered it. They sought to receive support from the European computer security incident response team, CSIRT, network of all the member states. The idea of going beyond being operational was put in the strategy by a proposal to create what we call a joint cyber unit, namely, a hub that would potentially allow all communities, not only civil but international communities and law enforcement communities, to share information and co-ordinate potential collective responses to major crisis and incidents. That idea is being discussed with the member states.

Another element of the strategy being pushed by the Commission President is the cyber resilience Act. In the strategy, we set out the need to have horizontal rules that would set common cybersecurity standards for connected products and services in the Internal Market in order that we ensure cybersecurity by design whenever a product or service is put on the market and that a whole-life cycle of that product or service will be done. President von der Leyen, in her state of the Union speech, announced a cyber resilience Act, and this will be a follow-up of that announced initiative.

I will not continue further. I will stick to the five minutes allocated in order that we can have a debate. I believe cybersecurity is one of those challenges that is impossible to face alone. No member state alone can face it. That is clear by now. The attacks will increasingly have an impact across borders. We are here to be in solidarity and to support each other. I thank Ireland in particular for the constructive and co-operative role it always plays in discussions on cybersecurity. That is very much appreciated. We will continue to listen to members' views. I am happy to answer any questions they may have and to engage in a debate.