The European Council has approved conclusions on the development of the European Union’s stance against cyber-attacks. The posture is intended to demonstrate the EU’s determination to provide immediate and long-term responses to threats that seek to deny the EU secure and open access to cyberspace and affect its strategic interests, including its partners’ security.
Ministers, among other things, call on the European Commission to propose common EU cybersecurity requirements for connected devices and associated processes and services. They also invite relevant authorities, such as the European Union Agency for Cybersecurity (ENISA), to make recommendations to strengthen the resilience of communication networks and infrastructures within the EU. The Council also stresses the importance of establishing regular cyber exercises to test and develop the EU’s internal and external response to large-scale cyber incidents.
Cyberspace has become an arena for geopolitical competition. The EU must therefore be able to respond swiftly and forcefully to cyber-attacks, such as malicious cyber-activities targeting the Union and its member states. It must also make full use of all the instruments at its disposal. Perpetrators should be aware that cyber-attacks against member states and EU institutions will rapidly be detected, identified and fought with all necessary tools and policies.
In the conclusions, the Council highlights the EU’s five roles in the cyber domain:
1. Strengthen resilience and protective capacities. Malicious behaviour in cyberspace has intensified in recent years and emanates from both state and non-state parties. This includes a sharp and steady increase in activities targeting critical infrastructure and supply chains.
2. Improve solidarity and comprehensive crisis management. In the current geopolitical climate, the Union’s strength lies in unity, solidarity and determination, and the implementation of the Strategic Compass. This should enhance the EU’s strategic autonomy and its ability to work with partners to safeguard them, while respecting their values and interests, including in the cyber domain.
3. Promote the EU vision of cyberspace. Consolidate peace and stability in cyberspace and in favour of an open, free, global, stable and secure cyberspace, and coordinate short-, medium- and long-term actions to prevent, identify and respond to cyber threats and attacks.
4. Improve cooperation with partner countries and international organisations. The overall level of EU cybersecurity needs to be raised and see a rapid adoption of the draft Directive on measures to achieve a high common level of cybersecurity across the Union (NIS), the draft Regulation on Digital Operational Resilience for the Financial Sector (DORA) and the draft Directive on Critical Entity Resilience (CER).
5. Prevent, defend and respond to cyber-attacks. Competent authorities, such as the Body of European Regulators for Electronic Communications (BEREC), the European Union Agency for Cybersecurity (ENISA) and the Network and Information Security (NIS) Cooperation Group, together with the Commission, will formulate recommendations based on risk assessment in the member states and the European Commission to strengthen the resilience of communications, networks and infrastructures within the European Union.