Oireachtas Joint and Select Committees

Wednesday, 3 November 2021

Joint Oireachtas Committee on European Union Affairs

EU Cybersecurity Strategy: Discussion

Ms Lorena Boix Alonso:

What Mr. Cuffe said on making sure the resources are in place was very interesting. A system of peer reviews would help. I am comfortable with the negotiations with member states, but it is something that would help.

On the United Nations, our colleagues in the European External Action Service are dealing with it. We are very much engaging with the United Nations. We consider that this is extremely important. These things are delicate. The engagement and co-operation with like-minded countries is always easier and there is a lot of engagement, as the Deputy knows. Recently the United States in particular regarding ransomware launched a big call to work together and we are basically working with all like-minded countries. We have a number of cyber dialogues with them. Of course, it is more delicate with other non-like-minded countries. Voila. In particular on the UN convention, we are engaged in the push for norms of behaviour in cyberspace and also on the Budapest Convention where we are quite advanced. It is going well there.

On the cyber resilience Act and what would be the complementarity with the NIS directive, basically we are dealing with two different things. The NIS directive is about the obligations on companies to report, notify and take certain security measures on incidents, and the monitoring and enforcement tools. We are at the exploratory phase of the cyber resilience Act.

What we are exploring at this stage is the gap that exists in the current legislative framework in respect of products and services that are put on the market. Right now, what we have are very scattered sectoral pieces of legislation that deal with specific products and very often deal with security without necessarily having cybersecurity in mind. We have launched a study that we are closing now that has performed this exercise of identifying the current gaps. Those gaps are that we do not have anything general that would cover those products and services that are connected and, therefore, as the President of the Commission has stated, are subject to being hacked. That relates specifically to their cybersecurity. This is the analysis we are doing now. We will see whether these Acts should cover more or less than that but, right now, this is the analysis we are doing.