I. INTRODUCTION
The return of war in Europe, with Russia’s unjustified and unprovoked military aggression
against Ukraine, has been a wake-up call for all questioning the EU’s approach to security and
defence, its ability to promote its vision and defend its interests, including in cyberspace.
Authoritarian regimes are attempting to challenge and undermine the rules-based international
order in cyberspace, turning it into an increasingly contested domain along with land, sea, air,
and space. Malicious behaviour in cyberspace emanating from both state and non-state actors
has intensified in recent years, including a growing number of cyberattacks targeting military
and civilian critical infrastructure in the EU as well as in deployed missions and operations.
The lines between the civilian and military dimensions of cyberspace are blurred, as seen in the
recent attacks on energy networks, transport infrastructure and space assets. This also illustrates
the interdependency between physical and digital infrastructure, and the potential for
significant cybersecurity incidents to disrupt or damage critical infrastructure. It is a stark
reminder that the EU needs close military and civilian cooperation in cyberspace to become a
stronger security provider.
The EU needs to take on more responsibility for its own security. This requires modern and
interoperable European armed forces. Member States must therefore, with urgency and
priority, commit to increase investments in full-spectrum cyber defence capabilities, including
active defence capabilities. Whilst remaining fully committed to international law and norms
in cyberspace, the EU should signal its willingness to use these capabilities in a coordinated
way in case of a cyberattack on a Member State.
To succeed in this, the EU must ensure its technological and digital sovereignty in the cyber
field. The EU’s capacity to act will depend on its ability to master and develop cutting-edge
technologies for cybersecurity and cyber defence in the EU. As cyber technologies have a
strong dual-use potential, the cybersecurity and cyber defence industries, research and
development, and innovation activities must work in a much more synergetic manner to
develop better capabilities.
Common prevention and detection are an important part of the EU’s defence capabilities. The
EU needs to have the capacity to detect attacks in the early stages. Detection data must be
turned into actionable intelligence, which can serve both cybersecurity and cyber defence.
Such cooperation between the defence and the civilian cyber communities is the foundation for
improved common situational awareness in cyberspace and it is equally crucial for coordinated
crisis response at both the technical and operational level.
The armed conflict in Ukraine has also shown the value of close cooperation with the private
sector and the necessity of having access to private trusted providers acting as cyber reserves
to enhance response in case of major cyberattacks. It is therefore necessary to ensure that
Member States can rely on support from trusted cyber reserves, and that this happens in a secure
and coordinated manner.
This Joint Communication, while building on the Cyber Defence Policy Framework¹, proposes
an ambitious strategy to allow the EU and its Member States to act with self-assurance and
¹ The EU Cyber Defence Policy Framework (CDPF) 2018 Update, 19 November 2018,
http://data.consilium.europa.eu/doc/document/ST-14413-2018-INIT/en/pdf