6 December 2016 marks a significant day in the strengthening of EU-NATO relations. In the field of cyber defence, several measures were decided which will have ‘immediate effect’. They are determined in the Conclusions on the Implementation of the Joint Declaration by the President of the European Council, the President of the European Commission and the Secretary General of the North Atlantic Treaty Organization and show a strong common way ahead.
Cyber defence constitutes just one category amongst several which were highlighted in the conclusions. Others concern countering hybrid threats; operational cooperation, including maritime issues; defence capabilities; defence industry and research; exercises (in general) and defence and security capacity-building.
Following on from their joint declaration of June 2016, the EU and NATO will, among several other developments, strengthen their relationship by introducing for the first time in the EU-NATO relations an official set of interlinked and complementary activities in the field of cyber defence and cyber security. Earlier in 2016, the EU and NATO signed a technical arrangement concerning the facilitation of technical information sharing between the Computer Emergency Response Team of the EU (CERT-EU) and the NATO Computer Incident Response Capability (NCIRC). During the Warsaw Summit, cyberspace was declared as a new operational domain alongside air, land and sea.
According to the Conclusions, the measures planned will be introduced with ‘immediate effect’. Four measures have been agreed on cyber defence and cyber security:
- The EU and NATO will exchange concepts on cyber defence issues and foster the interoperability in cyber defence requirements and standards;
- Training courses will be open for staff members from both organisations;
- Research in the area of cyber defence and technology innovation will be fostered, and the linkages will be tightened between the EU, NATO and with the NATO CCD COE which, as a cyber think tank, plays a vital role in this field and which was explicitly named in the conclusions; and
- Reciprocal staff participation in cyber exercises shall also be promoted, in particular for the biggest cyber incident simulation exercises like Cyber Coalition and Cyber Europe.
Anchoring this cooperation plan in an official declaration certainly elevates the importance of fighting cyberattacks jointly and helps to prevent duplication of effort. This undoubtedly makes sense as the majority of EU member states are also members of NATO; 22 out of the 28 NATO members belong to the EU and, remarkably, three out of the six non-NATO members, namely Austria, Finland and Sweden have joined the NATO CCD COE as contributing nations. Given the relevance of a common approach to cyber defence, the ongoing developments in the field of cyber come as no surprise. At the same time, the declaration is also a welcome towards fulfilling the 2014 EU Cyber Defence Policy Framework where enhancement of EU-NATO cooperation was set as a major goal. In fact, little cooperation in the field of cyber could be detected between them until now; for example, there has been little EU take-up of the courses offered by the NATO CCD COE until now. However, on those occasions where cooperation has been realised between NATO CCD COE and ENISA (the European Union Agency for Network and Information Security) (providing lectures, for example) outstanding cooperation has been seen and these courses will remain open to EU staff members where capacity allows.
In training and exercises, the NATO CCD COE has an enormous amount to contribute. Offering technical and legal courses, training, workshops, and providing lectures on a broad range of cyber defence topics at an unknown number of events, NATO CCD COE will continue training and developing the sponsoring nations’ personnel and EU staff who also want to benefit from them.
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.