European Union Embeds Protection of the Public Core of the Internet in new EU Cybersecurity Act

The Council of the European Union adopted the EU Cybersecurity Act, including a clear commitment to protect the Public Core of the open Internet. The protection of the public core of the Internet is a principal norm developed by the Global Commission on the Stability of Cyberspace (GCSC).

The Cybersecurity Act represents a major step forward in EU cybersecurity policy. It aims to increase cybersecurity capabilities at EU level by establishing an EU-wide cybersecurity certification framework and promotes the current European Agency for Network and Information Security (ENISA) to a permanent EU Agency for Cybersecurity.

The GCSC is very pleased to note that the EU Cybersecurity Act also embedded a clear commitment to the protection of the general availability and integrity of the public core of the open Internet into Union policy and law. The Act also extends the mandate of ENISA to include the protection of the public core of the Internet.

The Cybersecurity Act refers to the importance of protecting the public core of the Internet in its preamble:

The public core of the open internet, namely its main protocols and infrastructure, which are a global public good, provides the essential functionality of the internet as a whole and underpins its normal operation. ENISA should support the security of the public core of the open internet and the stability of its functioning, including, but not limited to, key protocols (in particular DNS, BGP, and IPv6), the operation of the domain name system (such as the operation of all top level domains), and the operation of the root zone.” Paragraph 23, EU Cybersecurity Act, 14.

Moreover, the Cybersecurity Act reinforces the mandate bestowed upon ENISA to now include the preservation of the public core of the open Internet:

“ENISA shall contribute to the development and implementation of Union Policy and Law, by […] assisting Member States and Union institutions, bodies, offices and agencies in developing and promoting cybersecurity policies related to sustaining the general availability or integrity of the public core of the open internet.” Article 5, EU Cybersecurity Act, 70.

The Act is currently pending signature by the Presidents and Secretaries-General of the European Parliament and the Council of Ministers. It will then enter into force 20 days after being published in the Official Journal of the European Union.

The GCSC commends the EU’s efforts to protect the public core of the Internet in alignment with the GCSC Call to Protect the Public Core of the Internet issued in November 2017.

“The EU’s adoption of the norm to protect the public core of the Internet bears testament to the fundamental importance of this norm for enhancing stability and security in cyberspace” says Marietje Schaake, GCSC Commissioner and Member of the European Parliament. “Furthermore, its inclusion in ENISA’s mandate is indicative of the EU’s commitment to protect the technical foundation of the open Internet, a global public good managed in a multistakeholder manner where all actors have a role.”

Michael Chertoff, Co-Chair of the GCSC, states that “the Global Commission on the Stability of Cyberspace welcomes the adoption of this resolution and commends the European Union for its sustained commitment to protecting the public core of the Internet.” Latha Reddy, Co-Chair of the GCSC, adds that “this marks an important step in the continuation of the GCSC’s work. We will continue to call upon a wide range of stakeholders to adopt and implement norms of responsible behaviour wherever this would advance stability in cyberspace.”


Learn more about the EU Cybersecurity Act here.

Learn more about the GCSC Call to Protect the Public Core of the Internet here and see the definition of the Public Core of the Internet, to which the norm applies, here.