EU countries give lukewarm reception to cyber defence strategy

EU defence ministers adopted on Tuesday (23 May) conclusions on cyber defence, pointing out the need to avoid duplications in the institutional architecture, and stating their priorities on skills development and voluntary coordination in the defence sector.

The 18-page document undersigned by the EU27 defence ministers came in reaction to the Joint Communication of the European Commission and the High Representative on the EU Policy on Cyber Defence last November.

The document vows “to further invest in our modern and interoperable armed forces, cutting-edge technologies, state-of-the-art cyber defence capabilities and enhance partnerships to address common challenges.”

The member states mostly mentioned Russia as the primary threat to the security of EU networks, while also touching on China.

At the same time, the EU countries remained vague regarding the need to “deter against cyberattacks” and the offensive cyber measures EU member states could put in place for defensive purposes.

Intra-EU coordination 

The Foreign Affairs Council’s document stresses that the collaboration with other EU institutions, bodies and agencies, such as ENISA and CERT-EU, should avoid “any unnecessary duplication of efforts.”

ENISA, the EU’s agency for cybersecurity, has recently introduced a Cybersecurity Skills Framework that is a hands-on tool to identify tasks, competencies, skills and knowledge related to the roles of EU cybersecurity professionals.

CERT-EU is the EU’s Computer Security Incident Response Team, which oversees the ICT security of Union institutions and organisations. Currently, the EU plans to expand the capacity and funding of CERT-EU, tasking it with a coordinating role in vulnerability disclosure and with proposing benchmarks for the institutions’ cybersecurity frameworks.

Skills development

On the topic of cyber education, training and exercises, the Council emphasised various projects but omitted the Commission’s Cyber Skills Academy, which is only mentioned near the bottom of the document and in the context of the cybersecurity skills gap.

The Cybersecurity Skills Academy was launched by the Commission in mid-April to close the cybersecurity sector’s ongoing skills shortage and develop the EU’s cyber resilience.

Instead, the Council highlighted the Permanent Structured Cooperation projects, launched five years ago and reviewed this week by the EU defence ministers, to evaluate the bloc’s capabilities. Concerns were raised as a number of projects out of the total of 68 are moving slowly.

Coordinated approach to defence

In the EU defence ecosystem context, the Council invited the national governments to develop “non-legally binding voluntary recommendations inspired by NIS2 to increase cybersecurity in the defence community.”

The revised Networks and Information Directive (NIS2) introduces specific obligations for entities that are considered essential or important for the functioning of society.

NIS2 is also a benchmark for the EU’s new cybersecurity law, the Cyber Resilience Act. One month ago, the Swedish EU Council presidency proposed reworking the Cyber Resilience Act to allow national governments to impose additional security requirements for ICT products used by entities that qualify as essential or important under NIS2.

Support to the industry

The Council also highlighted the need to “scale up a European cybersecurity industry with the support of the ECCC as an essential pillar for this mechanism to be operational”.

The European Cybersecurity Competence Centre (ECCC) was set up one year ago, but its office only opened its doors two weeks ago in Bucharest and is still significantly short-staffed.

Furthermore, the appointment of the Centre’s executive director, a long-standing point of contention between the European Commission and Romania, is still to be finalised.

