Advancing European Cyber Resilience and Defence
Strengthening cyber resilience in Europe requires both a concerted European effort to defend its critical assets and a well-coordinated international response strategy. Pan-European cyber resilience relies on European nations’ technological capabilities, available human resources and relevant cooperation mechanisms. In all these categories, nations should step up their efforts to face the new waves of cyber threats.
The EU has rightly set very impressive goals to strengthen its internal cyber resilience through numerous regulatory steps, including the updated Network and Information Systems Security Directive (NIS 2.0), the Cyber Resilience Act, the Cyber Solidarity Act and other recent legislation. While laudable, these regulatory efforts come at a time when many European nations are struggling to reach the next level of digitisation, have patchy cyber protection capabilities and suffer from a chronic shortage of cyber professionals. Small- and medium-sized enterprises and less-protected public sector organisations are particularly vulnerable, as they often lack the necessary expertise and technology to counter increasingly sophisticated cyber threats. The shortage of cyber professionals is a major challenge for the EU and will not be easy to address. Education policy in the EU is a national competence of the Member States; the Commission has only modest possibilities to promote cyber education programs on a pan-European level. In this context, the lack of cyber expertise in many Member States will seriously hamper the implementation of recent EU cyber legislation. Currently, there is limited access to good cyber education at either the European or national level. If significant progress is to be made in strengthening cyber resilience, the EU and its Member States should launch much more ambitious education programs, with a particular focus on skills and practical training. The Cyber Skills initiative proposed by the Commission in 2023 is a step in the right direction.
In terms of international response, the EU has developed a cyber diplomacy toolbox and many cooperative activities with key strategic partners over the past decade. To date, a number of individuals and entities have been sanctioned and the EU has joined international public attribution initiatives. These steps are all very positive, but they fail to take advantage of the EU’s economic weight. Sanctioning a modest number of entities and individuals is unlikely to discourage malicious actors in the long run, especially state-sponsored (or state-tolerated) cyber operations such as online theft of intellectual property. In addition to using traditional foreign policy tools, the EU could step up the international response by using its economic and trade muscle, which might more effectively change the calculus of major global players that tacitly or overtly support cyber operations against EU targets. This will require a much more unified effort by key players in Brussels, including the Commission directorates responsible for trade and key economic policies. As with any concerted EU effort, navigating the political, legal and institutional landscape for a more robust international response will be a complex task. However, without this effort, the EU cannot move beyond the level of ambition adopted in 2017 with the current Cyber Diplomacy Toolbox. Statistics show that a large number of recent cyberattacks in Europe continue to be carried out by nation-state or state-affiliated cyber threat actors. Therefore, it will be worthwhile to put additional pressure on the states behind the major cyber operations.
Finally, in addition to EU-level efforts initiated by institutions in Brussels, cyber policymakers in European capitals should step up their strategies, policies and capabilities to strengthen cyber defence and crisis response. While many EU Member States have built robust national civilian cyber response and cooperation mechanisms, not all nations are ready for the potential increase in cyber aggression that requires cyber contingency plans for crisis and wartime situations.
Most importantly, all nations should also integrate their cyber crisis response into national crisis mechanisms, as well as those of the EU and NATO. This could be a complex exercise, as many government agencies in intelligence, law enforcement, diplomacy, defence and cyber incident response should come together and bring their perspectives to the cyber crisis at the national level. As cyberattacks have become a regular part of any crisis or war, exercising cyber elements as part of the actual crisis response has become a necessity. Due to the unique requirements of national cyber coordination, regular national cyber exercises should aim to bring together all the different communities mentioned above and promote horizontal cooperation between national agencies to overcome the vertical silo thinking that governments are prone to.
Another important priority for European capitals will be to update their defence strategies and concepts based on the lessons learned from modern warfare, in which technological superiority plays a dominant role in determining success on the battlefield. In addition to cyber defence capabilities to support modern warfare, European nations should improve their integrated technological capabilities to enhance situational awareness, intelligence and reconnaissance. Cyber defence and ISTAR capabilities should be a renewed focus of growing European defence budgets. In this regard, lessons learned from the ongoing war in Ukraine will provide guidance on the most critical priorities for improving technological capabilities. With the military use of artificial intelligence and quantum computing on the horizon, the nature of warfare will undergo new and profound changes in the next five to ten years. In order for European nations to maintain superiority in future wars, updates in both doctrinal approach and technological capabilities are warranted without delay.