European Cyber Defence Policy

The European Cyber Defence Policy

On 18 November 2014, the European Council adopted the EU Cyber Defence Policy Framework. It was prepared pursuant to earlier European Council Conclusions on Common Security and Defence Policy (CSDP) from December 2013 and the Council Conclusions on CSDP of November 2013.

The paper: EU Cyber Defence Policy Framework."

Following a proposal from the High Representative, the Commission and the European Defence Agency (EDA), the European External Action Service (EEAS) together with the Commission services and the EDA provided input for this non-legislative document.

It serves as groundwork for countering threats arising from cyberspace. The document’s objectives are twofold: it provides a framework to the European Council and Council conclusions and to the cyber defence aspects of the EU Cyber Security Strategy.

2018 update - European Cyber Defence Policy Framework

To respond to changing security challenges, the EU and its Member States have to strengthen cyber resilience and to develop robust cyber security and defence capabilities.

The EU Cyber Defence Policy Framework (CDPF) supports the development of cyber defence capabilities of EU Member States as well as the strengthening of the cyber protection of the EU security and defence infrastructure, without prejudice to national legislation of Member States and EU legislation, including, when it is defined, the scope of cyber defence.

Cyberspace is the fifth domain of operations, alongside the domains of land, sea, air, and space: the successful implementation of EU missions and operations is increasingly dependent on uninterrupted access to a secure cyberspace, and thus requires robust and resilient cyber operational capabilities.

The objective of the updated CDPF is to further develop EU cyber defence policy by taking into account relevant developments in other relevant fora and policy areas and the implementation of the CDPF since 2014. The CDPF identifies priority areas for cyber defence and clarifies the roles of the different European actors, whilst fully respecting the responsibilities and competences of Union actors and the Member States as well as the institutional framework of the EU and its decisionmaking autonomy.

The updated EU Capability Development Plan (CDP) endorsed by the EDA Steering Board in June 2018 identifies cyber defence as a key element, recognising the need for defensive cyber operations in any operational context, based on sophisticated current and predictive cyberspace situational awareness, including the ability to combine large amounts of data and intelligence from numerous sources in support of rapid decision making and increased automation of the data gathering, analysis and decision-support process.

The CDP 2018 identifies cyber defence capability priorities in the following areas: cooperation and synergies with relevant actors across cyber defence and cybersecurity areas; cyber defence research and technology activities; systems engineering frameworks for cyber operations; education, training, exercises and evaluation (ETEE); addressing cyber defence challenges in Air, Space, Maritime and Land.

Six priority areas have been identified in the updated CDPF. A primary focus of this policy framework is the development of cyber defence capabilities, as well as the protection of the EU CSDP communication and information networks. Other priority areas include: training and exercises, research and technology, civil-military cooperation and international cooperation.

In the area of training, emphasis is given to the upscaling of Member States' cyber defence training and of cyber awareness training of the CSDP chain of command. It is also important that the cyber dimension is adequately addressed in exercises in order to improve the EU's ability to react to cyber and hybrid crises by improving decision-making procedures and availability of information.

Cyberspace is a rapidly developing domain and new technological developments need to be supported, both in the civilian and military domains. Civil-military cooperation in cyber field is key to ensure a coherent response to cyber threats. Last, but not least, enhancing cooperation with international partners could help enhance cybersecurity within the EU and beyond, and to promote EU principles and values.

1. Supporting the development of Member States' cyber defence capabilities

The development of cyber defence capabilities and technologies should address all aspects of capability development, including doctrine, leadership, organisation, personnel, training, industry, technology, infrastructure, logistics and interoperability. To this end, Member States should step up their efforts to deliver effective cyber defence capability. The EEAS, the Commission and EDA should work together and support these efforts.

A continuous assessment of the vulnerabilities of the information infrastructures that support CSDP missions and operations is required, along with a near real-time understanding of the effectiveness of the protection. From an operational point of view, one of the main areas of attention of cyber defence activities will be to maintain the availability, integrity and confidentiality of CSDP communication and information networks, unless specified otherwise within the mandate of the operations or missions. Furthermore, the EEAS, in cooperation with Member States, will further integrate cyber capabilities in CSDP missions and operations.

Actors of malicious cyber activities need to be held accountable for their actions. It is important that EU Member States, supported by the EEAS, foster mutual cooperation to respond to malicious cyber activities. The cyber diplomacy toolbox is developed to help achieve such a mutual response. The EEAS and EDA will organize regular exercises on the basis of the cyber diplomacy toolbox in which EU Member States can practice this.

Considering that in national legislation of Member States as well as EU legislation, the scope of cyber defence is broad and diversified, where and when it is defined, there is a need to develop a common aggregated understanding on the scope of cyber defence.

As CSDP military operations rely on a Command, Control, Communications and Computer (C4) infrastructure provided by the Member States, a certain degree of strategic convergence when planning cyber defence requirements for information infrastructure is necessary.

2. Enhancing the protection of CSDP communication and information systems used by EU entities

Without prejudice to the role of the Computer emergency response team for the EU institutions, bodies and agencies (CERT-EU) as the central EU cyber incident response coordination structure for all Union institutions, bodies and agencies and within the framework of the relevant rules concerning the Union budget, the EEAS will develop an adequate and autonomous understanding of security and network defence matters and develop its own IT security capacity. It will aim to improve the resilience of the EEAS CSDP networks, with a focus on prevention, detection, incident response, situational awareness, information exchange and early warning mechanisms.

The protection of EEAS communication and information systems and the development of Information Technology (IT) security capacities are led by the EEAS Directorate General for Budget & Administration (BA). Additional dedicated resources and support will also be provided by the European Union Military Staff (EUMS), the Crisis Management and Planning Directorate (CMPD) and the Civilian Planning and Conduct Capability (CPCC). This IT security capability will cover both classified and unclassified systems and will be an integral part of the existing operational entities.

There is also a need to streamline the security rules for the information systems provided by different EU institutional actors during the conduct of CSDP missions and operations. In this context, a unified chain of command could be considered with the aim to improve the resilience of networks used for CSDP.

For better coordination and to enhance the protection and resilience of CSDP communication and information systems and networks, an internal EEAS Cyber Governance Board under the EEAS Secretary General was created in 2017.

3. Promotion of civil-military cooperation

Cyberspace is a rapidly developing domain: technological developments need to be strengthened by security systems, both in the civil and military domain. To the extent possible, coordination should be foreseen between the civil and the military domain in the cases that similar technological developments bring solutions for civil and military applications. In other cases, military capabilities and weapon systems are so specific that there is no scope for sharing with civilian technologies. Without prejudice to Member States' internal organisation and legislation, civil-military cooperation in the cyber domain can be considered inter alia for exchange of best practices, information exchange and early warning mechanisms, incident response risk assessments and awareness raising, and for training and exercises.

Improving civil cyber security is an important factor which contributes to overall network and information security resilience. The NIS Directive increases preparedness at the national level, and strengthens cooperation at Union level between Member States both at strategic and operational level. This cooperation involves both national authorities overseeing cybersecurity policies as well as national CERTs and CERT-EU. Cooperation between civil and military CERTs should be reinforced taking due account of these developments. The new European Cybersecurity Act aims to improve European resilience to cyberattacks and provide a cybersecurity certification framework for products and services, thus increasing trust in the civilian digital sphere.

4. Research and technology

Operators of infrastructure and Information and Communication Technology (ICT) services for civilian and defence purposes are confronted with similar cyber security challenges, as a result of common technology and operational capability requirements. Common R&T needs and common requirements for systems are anticipated to improve the interoperability of systems in the long run, as well as to reduce the costs of solutions development. Achieving economies of scale is a necessity in order to face the ever-increasing number of threats and vulnerabilities. This should in turn facilitate the preservation and growth of a competitive cyber defence industry in Europe.

Cyber defence capability development has an important R&T dimension. Within the framework of the Cyber Defence Research Agenda (CDRA), the EDA has provided a sound basis for the prioritisation of future R&T funding within the intergovernmental framework. The subsequent Strategic Research Agenda developed within the relevant EDA Ad Hoc Working Group provides informed prioritisation on cyber-related technologies necessary for the military while identifying opportunities for dual-use efforts and investments, be it in national, multinational or EU-funded contexts.

The development of technological capacities in Europe to mitigate threats and vulnerabilities is essential. Industry will remain the primary driver for cyber defence-related technology and innovation. Cryptography, secure embedded systems, malware detection, simulation and visualisation techniques, network and communication systems protection, identification and authentication technology are some of the areas that need to be addressed. It is also important to foster a competitive European industrial cyber security supply chain by supporting the involvement with small and medium-sized enterprises (SMEs).

Ensuring that Europe is able to keep up with international competitors on cyber technological capabilities also depends on our ability to boost breakthrough innovation, through national as well as EU instruments, such as the European Innovation Council.

5. Improve education, training and exercises opportunities

To increase preparedness to address cyber threats and to develop a common cyber defence culture across the EU, also benefiting EU missions and operations, there is a need to improve and upscale cyber defence training opportunities. It is crucial that education and training budgets are used efficiently while delivering the best possible quality. Pooling and sharing cyber defence education and training at the European level will be of key importance.

There is a need to improve cyber defence exercise opportunities for military and civilian CSDP actors. Joint exercises serve as a tool to develop common knowledge and understanding of cyber defence. This will enable national forces to enhance their preparedness to operate within a multinational environment. Conducting common cyber defence exercises will also build interoperability and trust.

6. Enhancing cooperation with relevant international partners

In the framework of international cooperation there is a need to ensure a dialogue with international partners, specifically NATO and other international organisations, in order to contribute to the development of effective cyber defence capabilities. Increased engagement should be sought with the work being done within the framework of the Organisation for Security and Cooperation in Europe (OSCE) and the United Nations (UN), with a view to bring forward a strategic framework for conflict prevention, cooperation and stability in cyberspace.

There is political will in the EU to cooperate further with NATO on cyber defence in developing robust and resilient cyber defence capabilities as required within the Joint Declaration signed by the President of the European Council, the President of the European Commission and the Secretary General of the North Atlantic Treaty Organization in Warsaw on 8 July 2016. Regular staff-to-staff consultations, cross-briefings, as well as possible meetings between the Politico-Military Group and relevant NATO committees, will help to avoid unnecessary duplication and ensure coherence and complementarity of efforts, in line with the aforementioned framework.


Upon EEAS coordination of the implementation of the CDPF, an annual progress report that includes the six areas outlined above should be presented to the Politico-Military Group, with the participation of the members of the Horizontal Working Party on Cyber Issues, and to the Political and Security Committee, by EEAS / EDA / Commission, in order to assess the implementation of the CDPF. A six-monthly oral presentation will also be provided.

It is essential that, as the cyber threat develops, new cyber defence requirements are identified, and then included in the Cyber Defence Policy Framework. The next revision of the CDPF should be presented no later than by mid-2022, in close consultations with Member States.

June 2015 - The first progress report on the Implementation of the Cyber Defence Policy Framework.

Since the adoption of the EU Cybersecurity Strategy in February 2013, cyber defence has been a priority on the EU CSDP agenda.

Cyber capabilities are now part of many conflicts, for example Ukraine in the context of hybrid warfare, or with the cyber attacks on TV5, Le Monde, Le Soir and other media. The risk of cyber-attacks, both by states and non-state actors, is growing.

The need for international cooperation to improve transparency and reduce the risk of miscalculation has become clearer during the last few years. Useful first steps have been made by the international community to increase trust and confidence in cyberspace.

The 2013 report of the UN Group of Governmental Experts agreed that existing international law, notably the UN Charter and the Law of Armed Conflict/International Humanitarian Law, applies to cyberspace. More effort should be made to reach a common understanding of how norms and rules should apply in cyberspace.

Encouraging international discussion on the adoption of norms and principles for responsible behaviour in cyberspace and confidence-building measures will certainly contribute to a more stable cyberspace.

In the framework of the European Council of December 2013, cyber threats are recognised as a significant emerging threat and the (May 2015) FAC Conclusions called for bold action to implement the CDPF. A primary focus of the CDPF is the development of cyber defence capabilities made available by Member States for the purposes of the Common Security and Defence Policy.

A key task for the CSDP thus remains the reinforcement of cyber defence capabilities and to increase the resilience of CSDP structures, missions and operations, which remain two of the main aims of the CDPF.

The EEAS, together with the Commission and the EDA, remain strongly committed to supporting the development of robust and resilient cyber defence capabilities, linked to CSDP structures, missions and operations

The development of cyber defence capabilities and technologies should address all aspects of capability development, taking into account the responsibilities of all relevant actors. Several actions have already been taken, and the work will continue. Ensuring the Member States' involvement alongside the EU institutions and defining their roles in the implementation process remains vital. It remains essential that, as the cyber threat develops, new cyber defence requirements are identified, and then included in the CDPF.

November 2014 - European Council's adoption of the EU Cyber Defence Policy Framework

Cyberspace is often described as the fifth domain of military activity, equally critical to European Union (EU) Common Security and Defence Policy (CSDP) implementation as the domains of land, sea, air, and space.

The successful implementation of CSDP has been increasingly dependent on the availability of, and access to, a secure cyberspace. Robust and resilient cyber defence capabilities are now required to support CSDP structures and CSDP missions and operations.

A primary focus of this policy framework will be the development of cyber defence capabilities, made available by Member States for the purposes of the CSDP as well as the protection of the European External Action Service (EEAS) communication and information networks relevant to CSDP.

In the area of training, emphasis is given to the development of programmes for different audiences in the CSDP chain of command.

It is important that the cyber dimension is adequately addressed in exercises in order to improve the EU's ability to react to cyber crises in a CSDP context, to improve strategic decision-making procedures and to strengthen the information infrastructure architecture.

Cyberspace is a rapidly developing domain where dual-use capabilities play an essential role; therefore it is necessary to develop civil-military cooperation and synergies with wider EU cyber policies to address the new challenges it presents, while respecting the Member States internal organisation and competences.

The objectives of cyber defence should be better integrated within the Union's crisis management mechanisms. In order to deal with the effects of a cyber crisis, relevant provisions of the Treaty of the EU and the Treaty on the Functioning of the EU may be applicable, as appropriate.

December 2013 - European Council's conclusions on the Common Security and Defence Policy (CSDP)

For the first time since the entry into force of the Lisbon Treaty, the European Council held a thematic debate on defence. It identified priority actions for stronger cooperation.

This debate was preceded by a meeting with the NATO Secretary-General. He presented his assessment of current and future security challenges and welcomed the ongoing efforts and commitments by the EU and its Member States as being compatible with, and beneficial to NATO.

We read:

"Defence matters. An effective Common Security and Defence Policy helps to enhance the security of European citizens and contributes to peace and stability in our neighbourhood and in the broader world. But Europe's strategic and geopolitical environment is evolving rapidly. Defence budgets in Europe are constrained, limiting the ability to develop, deploy and sustain military capabilities. Fragmented European defence markets jeopardise the sustainability and competitiveness of Europe's defence and security industry"

"The EU and its Member States must exercise greater responsibilities in response to those challenges if they want to contribute to maintaining peace and security through CSDP together with key partners such as the United Nations and NATO.

The Common Security and Defence Policy (CSDP) will continue to develop in full complementarity with NATO in the agreed framework of the strategic partnership between the EU and NATO and in compliance with the decision-making autonomy and procedures of each. This requires having the necessary means and maintaining a sufficient level of investment.

Today, the European Council is making a strong commitment to the further development of a credible and effective CSDP, in accordance with the Lisbon Treaty and the opportunities it offers. The European Council calls on the Member States to deepen defence cooperation by improving the capacity to conduct missions and operations and by making full use of synergies in order to improve the development and availability of the required civilian and military capabilities, supported by a more integrated, sustainable, innovative and competitive European Defence Technological and Industrial Base (EDTIB). This will also bring benefits in terms of growth, jobs and innovation to the broader European industrial sector."

"New security challenges continue to emerge. Europe's internal and external security dimensions are increasingly interlinked. To enable the EU and its Member States to respond, in coherence with NATO efforts, the European Council calls for:

• an EU Cyber Defence Policy Framework in 2014, on the basis of a proposal by the High Representative, in cooperation with the Commission and the European Defence Agency;

• an EU Maritime Security Strategy by June 2014, on the basis of a joint Communication from the Commission and the High Representative, taking into account the opinions of the Member States, and the subsequent elaboration of action plans to respond to maritime challenges;

• increased synergies between CSDP and Freedom/Security/Justice actors to tackle horizontal issues such as illegal migration, organised crime and terrorism;

• progress in developing CSDP support for third states and regions, in order to help them to improve border management;

• further strengthening cooperation to tackle energy security challenges."

February 2013 - The Cyber Security Strategy for the European Union

Over the last decades, the Internet and more broadly cyberspace has had a tremendous impact on all parts of society. Our daily life, fundamental rights, social interactions and economies depend on information and communication technology working seamlessly. An open and free cyberspace has promoted political and social inclusion worldwide; it has broken down barriers between countries, communities and citizens, allowing interaction and sharing of information and ideas across the globe; it has provided a forum for freedom of expression and exercise of fundamental rights, and empowered people in their quest for democratic and more just societies - most strikingly during the Arab Spring.

For cyberspace to remain open and free, the same norms, principles and values that the EU upholds offline, should also apply online. Fundamental rights, democracy and the rule of law need to be protected in cyberspace. Our freedom and prosperity increasingly depend on a robust and innovative Internet, which will continue to flourish if private sector innovation and civil society drive its growth. But freedom online requires safety and security too. Cyberspace should be protected from incidents, malicious activities and misuse; and governments have a significant role in ensuring a free and safe cyberspace. Governments have several tasks: to safeguard access and openness, to respect and protect fundamental rights online and to maintain the reliability and interoperability of the Internet. However, the private sector owns and operates significant parts of cyberspace, and so any initiative aiming to be successful in this area has to recognise its leading role.

Information and communications technology has become the backbone of our economic growth and is a critical resource which all economic sectors rely on. It now underpins the complex systems which keep our economies running in key sectors such as finance, health, energy and transport; while many business models are built on the uninterrupted availability of the Internet and the smooth functioning of information systems.

Recent years have seen that while the digital world brings enormous benefits, it is also vulnerable. Cybersecurity incidents, be it intentional or accidental, are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, healthcare, electricity or mobile services. Threats can have different origins — including criminal, politically motivated, terrorist or state-sponsored attacks as well as natural disasters and unintentional mistakes.

The EU economy is already affected by cybercrime activities against the private sector and individuals. Cybercriminals are using ever more sophisticated methods for intruding into information systems, stealing critical data or holding companies to ransom. The increase of economic espionage and state-sponsored activities in cyberspace poses a new category of threats for EU governments and companies.

In countries outside the EU, governments may also misuse cyberspace for surveillance and control over their own citizens. The EU can counter this situation by promoting freedom online and ensuring respect of fundamental rights online.

All these factors explain why governments across the world have started to develop cybersecurity strategies and to consider cyberspace as an increasingly important international issue. The time has come for the EU to step up its actions in this area. This proposal for a Cybersecurity strategy of the European Union, put forward by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy (High Representative), outlines the EU's vision in this domain, clarifies roles and responsibilities and sets out the actions required based on strong and effective protection and promotion of citizens' rights to make the EU's online environment the safest in the world.

July 2004 - The European Defence Agency

The European Council formally adopts the Joint Action that officially creates the European Defence Agency. The new Agency sets up a strategic framework for defence, built around three main pillars:

- Research & Technology Strategy;

- Armaments Cooperation Strategy; and

- European Defence Technological and Industrial Base Strategy, headed by a Capability Development Plan.

EDA is implementing various cooperative cyber defence projects, with a special focus on the system engineering framework for defensive cyber operations, cyber education, training & exercises, the Cyber Situation Awareness (CySAP) project as well as deployable cyber forensics.

EDA cooperates through regular exchanges and meetings with the EU agencies working in the cyber domain:

1. The European Union Agency for Cybersecurity (ENISA),

2. The European Union Agency for Law Enforcement Cooperation (Europol), and

3. The Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU).

March 2004 - The European Network and Information Security Agency (ENISA)

Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 established ENISA. The objectives of ENISA were:

1. The Agency shall enhance the capability of the Community, the Member States and, as a consequence, the business community to prevent, address and to respond to network and information security problems.

2. The Agency shall provide assistance and deliver advice to the Commission and the Member States on issues related to network and information security falling within its competencies as set out in this Regulation.

3. Building on national and Community efforts, the Agency shall develop a high level of expertise. The Agency shall use this expertise to stimulate broad cooperation between actors from the public and private sectors.

4. The Agency shall assist the Commission, where called upon, in the technical preparatory work for updating and developing Community legislation in the field of network and information security.

According to regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019:

1. ENISA shall be a centre of expertise on cybersecurity by virtue of its independence, the scientific and technical quality of the advice and assistance it delivers, the information it provides, the transparency of its operating procedures, the methods of operation, and its diligence in carrying out its tasks.

2. ENISA shall assist the Union institutions, bodies, offices and agencies, as well as Member States, in developing and implementing Union policies related to cybersecurity, including sectoral policies on cybersecurity.

3. ENISA shall support capacity-building and preparedness across the Union by assisting the Union institutions, bodies, offices and agencies, as well as Member States and public and private stakeholders, to increase the protection of their network and information systems, to develop and improve cyber resilience and response capacities, and to develop skills and competencies in the field of cybersecurity.

4. ENISA shall promote cooperation, including information sharing and coordination at Union level, among Member States, Union institutions, bodies, offices and agencies, and relevant private and public stakeholders on matters related to cybersecurity.

5. ENISA shall contribute to increasing cybersecurity capabilities at Union level in order to support the actions of Member States in preventing and responding to cyber threats, in particular in the event of cross-border incidents.

6. ENISA shall promote the use of European cybersecurity certification, with a view to avoiding the fragmentation of the internal market. ENISA shall contribute to the establishment and maintenance of a European cybersecurity certification framework in accordance with Title III of this Regulation, with a view to increasing the transparency of the cybersecurity of ICT products, ICT services and ICT processes, thereby strengthening trust in the digital internal market and its competitiveness.

7. ENISA shall promote a high level of cybersecurity awareness, including cyber-hygiene and cyber-literacy among citizens, organisations and businesses.

Ursula von der Leyen, European Commission President, 2021 State of the Union address.

"If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. [...] This is why we need a European Cyber Defence Policy, including legislation setting common standards under a new European Cyber Resilience Act."

Ursula von der Leyen, European Commission President, 2021 State of the Union address.

2021 State of the Union Address by President von der Leyen

Europe can – and clearly should – be able and willing to do more on its own. But if we are to do more, we first need to explain why. I see three broad categories.

First, we need to provide stability in our neighbourhood and across different regions.

We are connected to the world by narrow straits, stormy seas and vast land borders. Because of that geography, Europe knows better than anyone that if you don't deal in time with the crisis abroad, the crisis comes to you.

Secondly, the nature of the threats we face is evolving rapidly: from hybrid or cyber-attacks to the growing arms race in space.

Disruptive technology has been a great equaliser in the way power can be used today by rogue states or non-state groups.

You no longer need armies and missiles to cause mass damage. You can paralyse industrial plants, city administrations and hospitals – all you need is your laptop. You can disrupt entire elections with a smartphone and an internet connection.

The third reason is that the European Union is a unique security provider. There will be missions where NATO or the UN will not be present, but where the EU should be.

On the ground, our soldiers work side-by-side with police officers, lawyers and doctors, with humanitarian workers and human rights defenders, with teachers and engineers.

We can combine military and civilian, along with diplomacy and development – and we have a long history in building and protecting peace.

The good news is that over the past years, we have started to develop a European defence ecosystem.

But what we need is the European Defence Union.

In the last weeks, there have been many discussions on expeditionary forces. On what type and how many we need: battlegroups or EU entry forces.

This is no doubt part of the debate – and I believe it will be part of the solution.

But the more fundamental issue is why this has not worked in the past.

You can have the most advanced forces in the world – but if you are never prepared to use them - of what use are they?

What has held us back until now is not just a shortfall of capacity – it is the lack of political will.

And if we develop this political will, there is a lot that we can do at EU level.

Allow me to give you three concrete examples:

First, we need to build the foundation for collective decision-making – this is what I call situational awareness.

We fall short if Member States active in the same region, do not share their information on the European level. It is vital that we improve intelligence cooperation.

But this is not just about intelligence in the narrow sense.

It is about bringing together the knowledge from all services and all sources. From space to police trainers, from open source to development agencies. Their work gives us a unique scope and depth of knowledge.

It is out there!

But we can only use that, to make informed decisions if we have the full picture. And this is currently not the case. We have the knowledge, but it is disjoined. Information is fragmented.

This is why the EU could consider its own Joint Situational Awareness Centre to fuse all the different pieces of information.

And to be better prepared, to be fully informed and to be able to decide.

Secondly, we need to improve interoperability. This is why we are already investing in common European platforms, from fighter jets, to drones and cyber.

But we have to keep thinking of new ways to use all possible synergies. One example could be to consider waiving VAT when buying defence equipment developed and produced in Europe.

This would not only increase our interoperability, but also decrease our dependencies of today.

Third, we cannot talk about defence without talking about cyber. If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. And we should not just be satisfied to address the cyber threat, but also strive to become a leader in cyber security.

It should be here in Europe where cyber defence tools are developed. This is why we need a European Cyber Defence Policy, including legislation on common standards under a new European Cyber Resilience Act."

So, we can do a lot at EU level. But Member States need to do more too.

This starts with a common assessment of the threats we face and a common approach to dealing with them. The upcoming Strategic Compass is a key process of this discussion.

And we need to decide how we can use all of the possibilities that are already in the Treaty.

This is why, under the French Presidency, President Macron and I will convene a Summit on European defence.

It is time for Europe to step up to the next level.

The European Cyber Defence Policy, news and alerts

This website belongs to Cyber Risk GmbH (established in Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). We are carefully monitoring the new legal and regulatory obligations that follow the amendments of the European Cyber Defence Policy. We learn the requirements for EU and non-EU firms and entities, update our training programs accordingly, and inform our clients and recipients of our monthly newsletter. For news and developments about the European Cyber Defence Policy, you can receive our monthly newsletter at no cost (you may visit Cyber Risk GmbH, Reading Room, links at the top of the page). You may also visit this web site.

Understanding Cybersecurity in the European Union.

1. The NIS 2 Directive

2. The European Cyber Resilience Act

3. The Digital Operational Resilience Act (DORA)

4. The Critical Entities Resilience Directive (CER)

5. The Digital Services Act (DSA)

6. The Digital Markets Act (DMA)

7. The European Health Data Space (EHDS)

8. The European Chips Act

9. The European Data Act

10. European Data Governance Act (DGA)

11. The Artificial Intelligence Act

12. The European ePrivacy Regulation

13. The European Cyber Defence Policy

14. The Strategic Compass of the European Union

15. The EU Cyber Diplomacy Toolbox