EU policy initiatives in the field of cybersecurity, but also in the broader context of a secure interconnected digital world, have grown exponentially over the past few years. Taking into account the rapid escalation of cyber-attacks and increasing adaptability of cyber criminals, Europe has been launching a series of initiatives that will help counter the attacks but also mitigate the risks. Yet, emerging cybersecurity policy at the EU level is still facing some key challenges:

  1. Considering that technological advancements, particularly in the digital field, tend to evolve at a much faster pace than EU policy processes can be implemented, it is evident that European policymakers need to find new ways of adapting to the rapidly changing environment.
  2. In terms of effectiveness, most EU policies related to cyber concerns seem to be responding to the needs of society, but there is still room for improvement particularly when it comes to risk assessment and mitigation. More specifically, the European Commission’s Digital Single Market strategy paved the way for a more efficient online market and allowed for digital technology to become a more integral part of everyday life. Nonetheless, it has several shortcomings when it comes to capturing the impacts of this transformation, such as the growing role of data management, artificial intelligence, and automation, not has it provided a comprehensive outline of cybersecurity risks.
  3. The first EU Cybersecurity strategy attempts to breach this gap by offering a mapping of the principles that should guide cybersecurity policy. While the majority of the principles outlined in the strategy accurately reflect reality, and the Network and Information Security (NIS) directive was a first major step in bringing Member States together in ensuring a safer online environment, the strategy does not manage to adapt in line with the fast evolution of the threat landscape.
  4. The updated 2017 EU Cybersecurity Strategy addresses some of the new challenges faced within the cyber world and attempts to enhance the role of the EU in the fight against cyber-attacks by expanding the role of the European Union Agency for Network and Information Security (ENISA) and creating a European Cybersecurity Research and Competence Centre. This new policy initiative is quite ambitious and forward looking; however, it lacks certain elements such as defining the role of industry or distinguishing between capacity and capability building and the resources that will be used for the implementation of the proposed ideas.

Without addressing these policy loopholes, and accurately reflecting European cybersecurity risks, the EU’s ambitions for European cybersecurity resilience, and competitiveness on the global market will be severely challenged. Why is understanding risk so important? To diminish the efficiency of attacks and reinforce defences, all European digital stakeholders need quantitative risk information, on tangible and intangible assets, for decision makers to prioritise security investments.
Therefore, on the one hand, EU policymakers need to strive to evolve cybersecurity policy so that it encourages accurate risk assessments, while on the other more quantifiable evidence is required for all stakeholders to make well-informed decisions on their cybersecurity mitigation strategies.

As such, HERMENEUT’s cyber-security cost-benefit approach is a step towards quantifying this cybersecurity risk. It combines integrated assessment of vulnerabilities and their likelihoods with an innovative macro- and micro-economic model for intangible costs, delivering a quantitative estimation of the risks for an organisation or a business sector and investment guidelines for mitigation measures. 11 partners from 6 countries deliver an innovative methodology and advanced macro- and micro-economic models and make it available to the European research community. HERMENEUT implements its innovations in a decision support tool, tested with two users in healthcare and an IPR intensive industry. Read more on how HERMENEUT helps enterprises quantifying cyber risk with its holistic risk assessment model and approach to cyber-security cost-benefit analysis.


This article has been written by project member EOS, the European Organisation for Security. EOS is the voice of the European security industry and research community. Operating in 15 countries, EOS members provide security research, solutions and services across many security domains, including border, cyber, transport and crisis management.