On 18 November 2014, the Council of the European Union adopted the EU Cyber Defence Policy Framework. It was prepared pursuant to earlier European Council Conclusions on Common Security and Defence Policy (CSDP) from December 2013 and the Council Conclusions on CSDP of November 2013. Following a proposal from the High Representative, the Commission and the European Defence Agency (EDA), the European External Action Service (EEAS) together with the Commission services and the EDA provided input for this non-legislative document.
It serves as groundwork for countering threats arising from cyberspace. The document’s objectives are twofold: it provides a framework to the European Council and Council conclusions and to the cyber defence aspects of the EU Cyber Security Strategy. Besides clarifying the roles of the different European actors, it specifies five priority areas for CSDP cyber defence:
- Supporting the development of Member States’ cyber defence capabilities related to CSDP;
- Enhancing the protection of CSDP communication networks used by EU entities;
- Promoting civil-military cooperation and synergies with wider EU cyber policies, relevant EU institutions and agencies as well as with the private sector;
- Improving training, education and joint exercise opportunities; and
- Enhancing cooperation with relevant international partners, particularly NATO.
For each area, the document proposes several concrete actions which are framed in more than forty proposals. Actions include:
- the intention to enhance cooperation between military CERTs of the Member States on a voluntary basis to improve the prevention and handling of incidents;
- the plan to promote real-time cyber threat information sharing between Member States and relevant EU entities by developing information sharing mechanisms and trust-building measures;
- enhancing further cooperation in developing a working mechanism to exchange best practice on exercise, training and other areas of possible civilian-military synergy;
- involving international partners such as NATO or OSCE once the EU has developed a CSDP cyber defence exercise; and
- reinforcing cooperation between the CERT-EU and relevant EU cyber defence bodies and the NATO Computer Incident Response Capability (NCIRC).
Every six months a progress report will present the state of implementation of the EU Cyber Defence Policy Framework. The first progress report was released in June 2015 and recorded several successes, such as improvements in the field of cyber training and enhanced inter-institutional cooperation. It also addressed the fact that more legal training in relation to cyber defence in operations must be provided. Possibilities for further cooperation between the NATO CCD COE and the European Security and Defence College (ESDC) are also discussed.
The framework has an ambitious number of planned actions. In particular, it proposes ways to establish cooperation between the EU and NATO and to use limited resources complementarily in order to avoid duplication of effort. It remains to be seen what the frequently scheduled progress reports will have to say concerning the implementation of the actions.
The framework is intended to be updated as further cyber threats are identified, and the updated version will be public information.
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.