In a resolution on the state of the EU cyber defence capabilities, the European Parliament called on the European Commission and EU member states to increase spending and staff dedicated to cyber defence.
A lack of resources was identified as one of the main obstacles to creating a secure digital environment, stressed the report that was adopted by the European Parliament on Wednesday evening (6 October).
“Because of the huge task ahead, we need more money, more resources, and more coordination between member states,” French Socialist MEP Raphaël Glucksmann said during the plenary session.
The EU Cybersecurity Agency (ENISA) was singled out as being chronically underfunded.
“They have very few resources. Very few experts. When you compare it to the means of the Americans to ensure their cybersecurity, it’s derisory,” Glucksmann pointed out.
In a similar vein, liberal MEP Bart Groothuis stressed that the EU should “take the lead and formulate a new spending norm” to address evolving cyber security threats.
The EU cyber defence capabilities report took stock of the current cybersecurity framework in the EU and outlined several gaps, ranging from the need to intensify cooperation between the member states to increasing collaboration with NATO.
The main goal is “to strengthen cyber resilience and develop common cyber security and defence capabilities to respond to these kinds of security challenges,” said Renew Europe MEP Urmas Paet, who authored the report.
Hybrid Threats and Collective Defence
The report also said that the EU is increasingly involved in “hybrid conflicts with its adversaries,” notably China, North Korea, and Russia.
“The picture could not be any clearer, for state actors’ hostile to the EU, like Russia, the cost for attacks is infinitely smaller than the rewards, and that has to change,” centrist MEP Barry Andrews said.
Parliament considered these hybrid conflicts to be particularly dangerous and destabilising for democracies, as they blur the line between war and peace through cyber-enabled disinformation campaigns or targeting digital service providers and critical infrastructure.
However, these attacks are not severe enough to trigger the collective defence clauses under Article 5 of the NATO treaty or the defence and solidarity clauses under the treaties of the EU.
To tackle this legal vacuum, the parliamentary report stressed that the provisions for collective defence in the EU treaties should be reinterpreted to allow for voluntary collective countermeasures.
“This is the only effective means to counter the paralysis in reacting to hybrid threats,” the report reads.
Cyber Diplomacy Toolbox
The EU already has several tools at its disposal to respond to cyber-attacks, most notably the cyber diplomacy toolbox.
In her response to the plenary debate, Commissioner Jutta Urpilainen explicitly referred to the toolbox as one of the primary means to tackle cyber threats and deter attacks by other actors.
“We work to enhance the EU’s ability to prevent, deter and respond to cyber-attacks, through our cyber security toolbox, including sanctions,” Urpilainen said.
The toolbox adopted in 2017 allows the EU to take restrictive measures in response to malicious cyber activities and impose sanctions.
The EU used the toolbox for the first time in 2020 and has imposed sanctions on eight individuals and four entities.
“The European Union cyber diplomacy toolbox has already proved its value in allowing member states to take measures – including sanctions – to address cyber activities affecting them and threatening their security,” Urpilainen said.
The parliamentary report calls to develop these tools further and asks that the system of proportionate restrictive measures to contain cyber-attacks be enforced more rigorously.
[Edited by Luca Bertuzzi/ Alice Taylor]