Council of the European Union Brussels, 30 July 2020 (OR. en) 10010/20 JAI 624              DROIPEN 61 COSI 121             COPEN 215 ENFOPOL 190          FREMP 51 ENFOCUSTOM 95        JAIEX 72 IXIM 79              CFSP/PESC 644 CT 61                COPS 256 CRIMORG 66           HYBRID 20 FRONT 207            DISINFO 16 ASIM 55              TELECOM 121 VISA 84              DIGIT 63 CYBER 140            COMPET 347 DATAPROTECT 71       RECH 286 CATS 56 COVER NOTE From:                   Secretary-General of the European Commission, signed by Mr Jordi AYET PUIGARNAU, Director date of receipt:        27 July 2020 To:                     Mr Jeppe TRANHOLM-MIKKELSEN, Secretary-General of the Council of the European Union No. Cion doc.:          COM(2020) 605 final Subject:                COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE EUROPEAN COUNCIL, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS on the EU Security Union Strategy Delegations will find attached document COM(2020) 605 final. Encl.: COM(2020) 605 final 10010/20                                                            RS/mr JAI.1                                     EN

EUROPEAN COMMISSION Brussels, 24.7.2020 COM(2020) 605 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE EUROPEAN COUNCIL, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS on the EU Security Union Strategy EN                                                             EN

I.       Introduction The Commission’s Political Guidelines made clear that we can leave no stone unturned when it comes to protecting our citizens. Security is not only the basis for personal safety, it also protects fundamental rights and provides the foundation for confidence and dynamism in our economy, our society and our democracy. Europeans today face a security landscape in flux, impacted by evolving threats as well as other factors including climate change, demographic trends and political instability beyond our borders. Globalisation, free movement and the digital transformation continue to bring prosperity, make our lives easier, and spur innovation and growth. But alongside these benefits come inherent risks and costs. They can be manipulated by terrorism, organised crime, the drugs trade and human trafficking, all direct threats to citizens and our European way of life. Cyber-attacks and cybercrime continue to rise. Security threats are also becoming more complex: they feed on the ability to work cross-border and on inter-connectivity; they exploit the blurring of the boundaries between the physical and digital world; they exploit vulnerable groups, social and economic divergences. Attacks can come at a moment’s notice and may leave little or 1 no trace; both state and non-state actors can deploy a variety of hybrid threats ; and what happens outside the EU can have a critical impact on security inside the EU. The COVID-19 crisis has also reshaped our notion of safety and security threats and corresponding policies. It has highlighted the need to guarantee security both in the physical and digital environments. It has underlined the importance of open strategic autonomy for our supply chains in terms of critical products, services, infrastructures and technologies. It has reinforced the need to engage every sector and every individual in a common effort to ensure that the EU is more prepared and resilient in the first place and has better tools to respond when needed. Citizens cannot be protected only through Member States acting on their own. Building on our strengths to work together has never been more essential, and the EU has never had more potential to make a difference. It can lead by example, by enhancing its overall crisis management system and working within and outside its borders to contribute to global stability. While primary responsibility for security lies with Member States, recent years have brought an increasing understanding that the security of one Member State is the security of all. The EU can bring a multidisciplinary and integrated response, helping 2 security actors in Member States with the tools and the information they need. The EU can also ensure that security policy remains grounded in our common European 3 values – respecting and upholding the rule of law, equality and fundamental rights and guaranteeing transparency, accountability and democratic control – to give policies the right foundation of trust. It can build an effective and genuine Security Union in which the rights and freedoms of individuals are well protected. Security and respect for fundamental rights are not conflicting aims, but consistent and complementary. Our values and fundamental rights must be the basis of security policies, ensuring the principles of necessity, 1 While definitions of hybrid threats vary, it aims to capture the mixture of coercive and subversive activity, conventional and unconventional methods (i.e. diplomatic, military, economic, technological), which can be used in a coordinated manner by state or non-state actors to achieve specific objectives (while remaining below the threshold of formally declared warfare). See JOIN(2016) 18 (final). 2 For example through the services delivered by the EU’s space programme such as Copernicus, providing Earth observation data and applications for border surveillance, maritime security, law enforcement, anti- piracy, drug-smuggling deterrence and emergency management. 3 A Union of Equality: Gender Equality Strategy 2020-2025, COM(2020) 152. 1

proportionality and legality, and with the right safeguards for accountability and judicial redress, while enabling an effective response to protect individuals, particularly the most vulnerable. Significant legal, practical and support tools are already in place, but need to be both strengthened and better implemented. Much progress has been made to improve the exchange of information and intelligence cooperation with Member States and to close down the space in which terrorists and criminals operate. But fragmentation remains. The work must also go beyond the EU’s boundaries. Protecting the Union and its citizens is no longer only about ensuring security within the EU borders, but also about addressing the external dimension of security. The EU’s approach to external security within the framework of the Common Foreign and Security Policy (CFSP) and the Common Security and Defence Policy (CSDP) will remain an essential component of EU efforts to enhance security within the EU. Cooperation with third countries and at global level to address common challenges is central to an effective and comprehensive response, with stability and security in the EU’s neighbourhood critical to the EU’s own security. 4           5                        6 Building on the previous work of the European Parliament , Council and the Commission , this new strategy shows that a genuine and effective Security Union needs to combine a strong core of instruments and policies to deliver security in practice with a recognition that security has implications for all parts of society and all public policies. The EU needs to ensure a secure environment for everyone, whatever their racial or ethnic origin, religion, belief, gender, age or sexual orientation. This Strategy covers the period 2020-2025 and focuses on building capabilities and capacities to secure a future-proof security environment. It sets out a whole-of-society approach to security that can effectively respond to a rapidly-changing threat landscape in a coordinated manner. It defines strategic priorities and the corresponding actions to address digital and physical risks in an integrated manner across the whole Security Union ecosystem, concentrating on where the EU can bring further value. Its goal is to offer a security dividend to protect everyone in the EU. II.       A rapidly changing European security threat landscape The safety, prosperity and well-being of citizens depend on being secure. The threats to that security depend on the extent to which their lives and livelihoods are vulnerable. The greater the vulnerability, the greater the risk that it can be exploited. Both vulnerabilities and threats are in a state of constant evolution, and the EU needs to adapt. Our daily lives depend on a wide variety of services – such as energy, transport, and finance, as well as health. These rely on both physical and digital infrastructure, adding to the vulnerability and the potential for disruption. During the COVID-19 pandemic, new technologies have kept many businesses and public services running, whether keeping us connected through remote working or maintaining the logistics of supply chains. But this 4 For example, the work of the European Parliament’s TERR committee which reported in November 2018. 5 From the Council Conclusions of June 2015 on a “renewed internal security strategy “to the more recent Council outcomes of December 2019. 6 “Delivering on the European Agenda on Security to fight against terrorism and pave the way towards an effective and genuine Security Union” COM(2016) 230 final, 20.4.2016. See the recent appraisal of the implementation of legislation in the internal security field: Implementation of Home Affairs legislation in the field of internal security - 2017-2020 (SWD(2020) 135). 2

has also opened the door to an extraordinary increase in malicious attacks, attempting to capitalise on the disruption of the pandemic and the shift to digital home working for 7 criminal purposes. Shortages of goods have created new openings for organised crime. The consequences could have been fatal, disrupting essential health services at a time of the most intense pressure. The ever-increasing ways in which digital technologies benefit our lives has also made the 8 cybersecurity of technologies an issue of strategic importance. Homes, banks, financial services and enterprises (notably small and medium enterprises) are heavily affected by cyber-attacks. The potential damage is multiplied still further by the interdependence of physical and digital systems: any physical impact is bound to affect digital systems, while cyber-attacks on information systems and digital infrastructures can bring essential services 9 to a halt. The rise of the Internet of things and the increased use of artificial intelligence will bring new benefits as well as a new set of risks. Our world relies on digital infrastructures, technologies and online systems, which allow us to create business, consume products and enjoy services. All rely on communicating and 10 interaction. Online dependency has opened the door to a wave of cybercrime. ‘Cybercrime-as-a-service’ and the underground cybercriminal economy give easy access to cybercrime products and services online. Criminals quickly adapt to use new technologies to their own ends. For example, counterfeit and falsified medicines have infiltrated the 11 legitimate supply chain of pharmaceuticals. The exponential growth of child sexual abuse 12 material online has shown the social consequences of changing patterns of crime. A recent survey showed that most people in the EU (55 %) are concerned about their data being 13 accessed by criminals and fraudsters. The global environment also accentuates these threats. Assertive industrial policies by third countries, combined with the continued cyber-enabled theft of intellectual property, are changing the strategic paradigm for protecting and advancing European interests. This is accentuated by the rise of dual-use applications – making a strong civilian technology sector a strong asset for defence and security capability. Industrial espionage has a significant impact on the EU’s economy, jobs and growth: cyber theft of trade secrets is estimated to 14 cost the EU €60 billion . This calls for a thorough reflection of how dependencies and the increased exposure to cyber threats affect the EU’s capacity to protect individuals and businesses alike. 7 Europol: Beyond the pandemic. How COVID-19 will shape the serious and organised crime landscape in the EU (April 2020). 8 Commission Recommendation on the Cybersecurity of 5G networks, C(2019) 2335; Communication on Secure 5G deployment in the EU - Implementing the EU toolbox, COM(2020) 50. 9 In March 2020 the Brno University Hospital in Czechia suffered a cyber attack which forced it to reroute patients and postpone surgery (Europol: Pandemic Profiteering. How criminals exploit the COVID-19 crisis). Artificial intelligence may be misused for digital, political and physical attacks as well as surveillance. Internet of Things data collection can be used for the surveillance of individuals (smart watches, virtual assistants, etc.). 10 According to some projections, costs of data breaches will reach $5 trillion annually by 2024, up from $3 trillion in 2015 (Juniper Research, The Future of Cybercrime & Security). 11 One 2016 study (Legiscript) estimated that globally only 4% of internet pharmacies operate lawfully, with EU consumers top targets for the 30,000-35,000 illicit online pharmacies active online. 12 EU Strategy for a more effective fight against child sexual abuse, COM(2020) 607. 13 European Union Agency for Fundamental Rights (2020), Your rights matter: Security concerns and experiences, Fundamental Rights Survey, Luxembourg, Publications Office. 14 The scale and impact of industrial espionage and theft of trade secrets through cyber, 2018. 3

The COVID-19 crisis has also underlined how social divisions and uncertainties create a security vulnerability. This increases the potential for more sophisticated and hybrid attacks by state and non-state actors, with vulnerabilities exploited through a mix of cyber- 15 attacks, damage to critical infrastructure , disinformation campaigns, and radicalisation of 16 the political narrative. At the same time, more long-established threats continue to evolve. There was a downward trend in terrorist attacks in the EU in 2019. However, the threat to EU citizens of jihadist 17 attacks from or inspired by Da’esh and al-Qaeda and their affiliates remains high. In 18 parallel, the threat of violent right wing extremism is also growing. Attacks inspired by racism must be a cause for serious concern: the deadly anti-Semitic terror attacks in Halle were a reminder of the need to step up the response in line with the 2018 Council 19 Declaration. One in five people in the EU are very worried about a terrorist attack in the 20 next 12 months. The vast majority of recent terrorist attacks were “low tech” attacks, lone actors targeting individuals in public spaces, while terrorist propaganda online took on a 21 new significance with the live streaming of the Christchurch attacks. The threat posed by radicalised individuals remains high – potentially bolstered by returning foreign terrorist 22 fighters and by extremists released from prison. The crisis has also shown how existing threats can evolve in new circumstances. Organised crime groups have exploited shortages of goods providing an opening to create new illicit markets. The trade in illicit drugs remains the largest criminal market in the EU, estimated at 23 a minimum retail value of €30 billion per year in the EU. Trafficking in human beings persists: estimates show an annual global profit for all forms of exploitation of almost €30 24                                                                                               25 billion. International trade in counterfeit pharmaceuticals reached €38.9 billion. At the same time, low rates of confiscation allow criminals to continue expanding their criminal 26 activities and infiltrating the legal economy. Criminals and terrorists find it easier to access 27 firearms, from the online market and through new technologies such as 3-D printing. Use of Artificial Intelligence, new technologies and robotics will further increase the risk that 28 criminals exploit the benefits of innovation for malicious ends . 15 Critical infrastructures are essential for vital societal functions, health, safety, security, economic or social well-being, whose disruption/destruction has a significant impact (Council Directive 2008/114/EC). 16 97% of EU citizens have been confronted to fake news, 38% on a daily basis. See JOIN (2020) 8 final. 17 A total of 119 completed, failed and foiled terrorist attacks were reported by 13 EU Member States, with ten deaths and 27 injuries (Europol, European Union Terrorism Situation and Trend Report, 2020). 18 2019 saw six right-wing terrorist attacks (one completed, one failed, four foiled: three Member States), compared to only one in 2018, with further deaths in cases not classified as terrorism (Europol, 2020). 19 See also the Council Declaration on the fight against antisemitism and the development of a common security approach to better protect Jewish communities and institutions in Europe. 20 EU Agency for Fundamental Rights: Your rights matter: Security concerns and experiences, 2020. 21 From July 2015 until the end of 2019, Europol found terrorist content on 361 platforms (Europol, 2020). 22 Europol: A Review of Transatlantic Best Practices for Countering Radicalisation in Prisons and Terrorist Recidivism, 2019. 23 EMCDDA and Europol EU Drugs Market Report 2019. 24 Europol’s Report on Trafficking in Human Beings, Financial Business Model (2015). 25 EU Intellectual Property Office and OECD report on Trade in counterfeit pharmaceutical products 26 Report on Asset recovery and confiscation: Ensuring that crime does not pay, COM(2020) 217. 27 In 2017, firearms were used in 41% of all terrorist attacks (Europol, 2018). 28 In July 2020, French and Dutch law enforcement and judicial authorities, alongside Europol and Eurojust, presented the joint investigation to dismantle EncroChat, an encrypted phone network used by criminal networks involved in violent attacks, corruption, attempted murders and large-scale drug transports. 4

These threats cut across categories and strike different parts of society in different ways. They all represent a major threat to individuals and businesses and require a comprehensive and coherent response at EU level. When security vulnerabilities can come even from small inter-connected household items such as an internet connected fridge or coffee machine, we can no longer rely on traditional state actors alone to ensure our security. Economic operators must take greater responsibility for the cybersecurity of products and services they place on the market; while individuals too need to have at least a basic understanding of cybersecurity to be able to protect themselves. III.     An EU coordinated response for the whole of society The EU has already shown how it can bring real added value. Since 2015, the Security Union brought new linkages in the way security policies are addressed at EU level. But more needs to be done to engage the whole of society, including governments at all levels, business in all sectors and individuals in all Member States. The increasing awareness of the 29                                                                    30 risks of dependency and the need for a strong European industrial strategy point to an EU with a critical mass of industry, technology production and supply chain resilience. Strength also means full respect of fundamental rights and EU values: they are a prerequisite of legitimate, effective and sustainable security policies. This Security Union strategy sets out concrete work streams to take forward. It is built around the following common objectives: •   Building capabilities and capacities for early detection, prevention and rapid response to crises: Europe needs to be more resilient to prevent, protect and withstand future shocks. We need to build capabilities and capacities for early detection and rapid response to security crises through an integrated and coordinated approach, both globally and through sector-specific initiatives (such as for the financial, energy, judiciary, law enforcement, healthcare, maritime, transport sectors) and building on 31 existing tools and initiatives. The Commission will also come forward with proposals for a wide-ranging crisis management system within the EU, which could also be relevant for security. •   Focusing on results: A performance-driven strategy needs to be based around careful threat and risk assessment to target our efforts to best effect. It needs to define and apply the right rules and the right tools. It needs reliable strategic intelligence as a basis for EU security policies. Where EU legislation is required, it needs to be followed up so that it is implemented in full, to avoid fragmentation and gaps left to be exploited. The effective implementation of this Strategy will also depend on securing appropriate funding in the next programming period 2021-2027, including for related EU agencies. •   Linking all players in the public and private sectors in a common effort: Key players in both the public and private sectors have been reluctant to share security-relevant information, whether for fear of compromising national security or competitiveness.                       32 29 Risks of foreign dependence involve an increased exposure to potential threats, from exploitation of vulnerabilities of IT infrastructures compromising critical infrastructures (e.g. energy, transport, banking, health) or taking control of industrial control systems, to increased capacity for data theft or espionage. 30 Commission Communication A New Industrial Strategy for Europe, COM(2020) 102. 31 Such as Integrated Political Crisis Response (IPCR), the Emergency Response Coordination Centre, Commission Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (C(2017) 6100), the EU operational protocol for countering hybrid threats (EU Playbook) SWD(2016) 227. 32 Joint Communication on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, JOIN(2017) 450. 5

But we are most effective when all are harnessed to support each other. In the first place, this means a more intense cooperation between Member States, involving law enforcement, judicial and other public authorities, and with EU institutions and agencies, to build the understanding and exchange needed for common solutions. Cooperation with the private sector is also key, all the more so given that industry owns an important part of the digital and non-digital infrastructure central to fighting crime and terrorism effectively. Individuals themselves can also contribute, for example through building the skills and awareness to combat cybercrime or disinformation. Finally, this common effort must extend beyond our borders, building closer ties with like-minded partners. IV.      Protecting Everyone in the EU: Strategic priorities for the Security Union The EU is uniquely well-placed to respond to these new global threats and challenges. The threat analysis above points to four inter-dependent strategic priorities to be taken forward at the EU level, in full respect of fundamental rights: (i) a future proof security environment, (ii) tackling evolving threats, (iii) protecting Europeans from terrorism and organised crime, (iv) a strong European security ecosystem. 1. A future-proof security environment Critical infrastructure protection and resilience Individuals rely on key infrastructures in their daily lives, to travel, to work, to benefit from essential public services such as hospitals, transport, energy supplies, or to exercise their democratic rights. If these infrastructures are not sufficiently protected and resilient, attacks can cause huge disruption – whether physical or digital – both in individual Member States and potentially across the entire EU. 33 The EU’s existing framework for protection and resilience of critical infrastructures has not kept pace with evolving risks. Increasing interdependencies mean that disruptions in one sector can have an immediate impact on operations in others: an attack on electricity production could knock out telecommunications, hospitals, banks or airports, while an attack on digital infrastructure could lead to disruptions in networks for power or finance. As our economy and society increasingly move ever more online, risks such as these grow all the more acute. The legislative framework needs to address this increased interconnectedness and interdependency, with robust critical infrastructure protection and resilience measures, both cyber and physical. Essential services, including those based on space infrastructures must be adequately protected against current and anticipated threats, but also be resilient. This implies the ability of a system to prepare and plan for, absorb, recover from, and more successfully adapt to adverse events. At the same time, Member States have exercised their margin of discretion by implementing existing legislation in different ways. The resulting fragmentation can undermine the internal market and make cross-border coordination more difficult – most obviously in border regions. Operators providing essential services in different Member States have to comply with different reporting regimes. The Commission is looking into whether new 33 Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016; Council Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. 6

frameworks for both physical and digital infrastructures could bring more consistency and a more coherent approach to ensuring the reliable provision of essential services. This framework needs to be accompanied by sector-specific initiatives to tackle the specific risks faced by critical infrastructures such as in transport, space, energy, finance and 34 health . Given the high dependence of the financial sector on IT services and its high vulnerability to cyber-attacks, a first step will be an initiative on the digital operational resilience for financial sectors. Due to the particular sensitivities and impact of the energy system, a dedicated initiative will support a stronger resilience of critical energy infrastructure against physical, cyber and hybrid threats, ensuring a level playing field for energy operators across borders. Security-relevant effects of foreign direct investments likely to affect critical infrastructures or critical technologies will also be subject to the assessments carried out by EU Member States and the Commission under the new European framework for foreign direct 35 investments screening. The EU can also build new tools to support the resilience of critical infrastructures. The global internet has so far shown a high level of resilience, in particular as regards the ability to support increased traffic volumes. However, we need to be prepared for possible future crises threatening the security, stability and resilience of the internet. Making sure that the internet remains up and running means being robust against cyber incidents and malicious online activities, and limiting dependency on infrastructures and services located outside Europe. This will require a combination of legislation, with the review of existing rules to ensure a high common level of security of network and information systems in the EU; increased investment in research and innovation; and looking at the deployment or hardening of core internet infrastructures and resources, notably the Domain Name 36 System. A key element to protect key EU and national digital assets is to offer critical infrastructures a channel for secure communications. The Commission is working with Member States to put in place a certified secure end-to-end quantum infrastructure, terrestrial and space-based, in combination with the secure governmental satellite communications system laid out in the 37 Space Programme regulation. Cybersecurity 38 The number of cyber-attacks continues to rise . These attacks are more sophisticated than ever, come from a wide range of sources inside and outside the EU, and target areas of maximum vulnerability. State or state-backed actors are frequently involved, targeting key 34 Given the fact that the health sector has been under strain particularly during the COVID-19 crisis, the Commission will also consider initiatives to strengthen the EU health security framework and responsible EU agencies to respond to serious cross-border health threats. 35 With its entry into full application on 11 October 2020, Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union, will equip the EU with a new cooperation mechanism on direct investments from outside of the EU which are likely to affect security or public order. Under the Regulation, Member States and the Commission will assess potential risks linked with such FDI and, where appropriate and relevant for more than one Member State, propose adequate means to mitigate those risks. 36 A domain name system (DNS) is a hierarchical and decentralised naming system for computers, services, or other resources connected to the Internet or a private network. It translates domain names to the IP addresses needed for locating and identifying computer services and devices. 37 Proposal for a Regulation establishing the space programme of the Union and the European Union Agency for the Space Programme. COM(2018) 447. 38 https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018 7

39 digital infrastructures like major Cloud providers. Cyber risks have emerged as a significant threat to the financial system as well. The International Monetary Fund has estimated the annual loss due to cyber-attacks at 9% of banks’ net income globally, or 40 around $100 billion. The move to connected devices will bring great benefits for users: but with less data stored and processed in data centres, and more processed closer to the user ‘at 41                                                                                            42 the edge’ , cybersecurity will no longer be able to focus on protecting central points. In 2017, the EU put forward an approach to cybersecurity with resilience-building, rapid 43 response and effective deterrence at its core. The EU now needs to make sure that its cybersecurity capabilities keep pace with reality, to deliver both resilience and response. This calls for a real whole-of-society approach, with EU institutions, agencies and bodies, Member States, industry, academia and individuals giving cybersecurity the priority it 44 needs. This horizontal approach again needs to be complemented by sector-specific cybersecurity approaches for areas such as energy, financial services, transport or health. The next phase of the EU’s work should be drawn together in a revised European Cybersecurity Strategy. Exploring new and enhanced forms of cooperation between intelligence services, EU INTCEN, and other organisations involved in security should be part of efforts to enhance cybersecurity, as well as combatting terrorism, extremism, radicalism and hybrid threats. Given the ongoing roll-out of the 5G infrastructure across the EU and the potential dependence of many critical services on 5G networks, the consequences of systemic and widespread disruption would be particularly serious. The process put in place by the 45 Commission’s 2019 Recommendation on the Cybersecurity of 5G networks has now led to 46 specific Member State action on the key measures set out in a 5G toolbox. One of the most important long-term needs is to develop a culture of cybersecurity by design, with security built into products and services from the start. An important contribution to this will be the new cybersecurity certification framework under the 47 Cybersecurity Act . The framework is already under way, with two certification schemes already in preparation, and priorities for further schemes to be defined later this year. Cooperation between the EU Agency for Cybersecurity (ENISA), the data protection 48 authorities and the European Data Protection Board is of key importance in this area. 39 Distributed Denial of Service attacks remain a permanent threat: Major providers had to mitigate massive DDoS attacks such as an attack against Amazon Web services in February 2020. 40 https://blogs.imf.org/2018/06/22/estimating-cyber-risk-for-the-financial-sector/. 41 Edge computing is a distributed, open IT architecture that features decentralised processing power, enabling mobile computing and Internet of Things (IoT) technologies. In edge computing, data is processed by the device itself or by a local computer or server, rather than being transmitted to a data centre. 42 Communication on A European strategy for data, COM(2020) 66 final. 43 Joint Communication on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, JOIN (2017) 450. 44 The report “Cybersecurity – our digital Anchor” of the Joint Research Centre provides multidimensional insights into the growth of cybersecurity over the last 40 years. 45 Commission Recommendation on the Cybersecurity of 5G networks, COM(2019) 2335 final. The Recommendation foresees its review in the last quarter of 2020. 46 See Report by the NIS cooperation group on the implementation of the Toolbox, of 24 July 2020. 47 Regulation 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act). 48 Communication on Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation, COM(2020) 264. 8