Taming National Interests within the CFSP

CFSP and cyber

Over the past decade, the EU has launched several key initiatives to enhance its cyber­security capabilities, reflecting the impor­tance of this sector within the CFSP and for the Union’s security. The EU’s Global Strat­egy 2016, notably recognises cybersecurity as a “cross-sectional” policy task, essential to various EU policy areas, including inter­nal and external security, and both civilian and military cooperation. According to Article 24(1) TEU “the Union’s competence in matters of common foreign and security policy shall cover all areas of foreign policy and all questions relating to the Union’s security” – thereby including cybersecurity.

The need for coordinated responses at the EU level to cybersecurity challenges is highlighted by the 2019 Cybersecurity Act, which clearly states that large-scale cyber incidents “necessitate effective and coordi­nated responses and crisis management at Union level, building on dedicated policies and wider instruments for European soli­darity and mutual assistance”. In June 2017, the EU adopted the framework for a joint EU diplomatic response to malicious cyber activities (the so-called “cyber diplo­macy toolbox”, CDT). This framework primarily sets out non-military measures under the CFSP that could contribute to “the mitigation of cyber security threats, conflict prevention and greater stability in international relations”. It includes restric­tive measures (e.g. sanctions), which fall under the Union’s competence as laid down in Article 29 TEU and 215 TFEU. In July 2020, the very first, and so far only, cyber sanction regime was adopted.

In addition, already in 2013, the EU Cyber Security Strategy (updated in 2017) referred to the so-called “solidarity clause” laid down in Article 222 TFEU where the Union and member states are obliged to combine their efforts and “shall act jointly in a spirit of solidarity” to “assist a member state in its territory, at the request of its political authorities, in the event of a natu­ral or man-made disaster”. The European Parliament (EP) even went a step further and mentioned cyberattacks as a reason to invoke the so-called “mutual defence clause” laid down in Article 42(7) TEU.

However, despite these advancements, the EU’s cyber defence remains a work in progress and focuses primarily on civilian capacity-building efforts. In sum, cyber for­eign and security policy is a growing con­cern for the EU, which is not reflected in the overall CFSP output.

Low CFSP output in cyber as vulnerabilities increase

The gap between the expectations directed at the CFSP and its capabilities has been a longstanding issue. The overall output of CFSP decisions has shown stagnation since 2009 across all instruments, except for re­strictive measures (sanctions) (see Figure 1). When empirically looking at the application of four CFSP instruments considered in this analysis – missions and operations, the use of the European Peace Facility (EPF), Permanent Structured Cooperation (PESCO) and restrictive measures – it becomes evi­dent that there has been a notable increase in the number of sanctions, particularly since 2021. Specifically, in the cyber and in­formation space, the number of CFSP deci­sions is particularly low, with only nine out of the 1,790 decisions examined relat­ing to hostile cyber activities (including restrictive measures). This trend applies across the different instruments.

Since the Treaty of Lisbon took effect in 2009, there have been 1,106 decisions related to sanctions, establishing around 35 different sanctions regimes targeting states, organisations, and companies. How­ever, the first and only CFSP decision direct­ly addressing cyberattacks was enacted in 2019. In addition, the Union has never ex­plicitly stated that legal attribution should be solely the responsibility of member states, with the exception of cases involving cyber sanctions.

Regarding decisions on missions or military operations, there have been 612 such decisions since 2009, peaking at 170 between 2014 and 2016 and 111 between 2022 and 2023. In practice, the EU has initiated or conducted over 40 missions and operations on three continents. As of March 2024, 22 missions and operations of the Common Security and Defence Policy (CSDP) are still active, including 12 civilian missions and nine military operations. The EU Partnership Mission Moldova (EUPM Moldova) launched in May 2023, however, was the first EU civilian CSDP mission to focus on fighting hybrid threats, cybersecu­rity, and foreign informational manipula­tion and interferences and crisis manage­ment. In addition, the EU Military Assistance Mission in support of Ukraine (EUMAM Ukraine) aims to enhance the military capacity of the Ukrainian Armed Forces, in­cluding building their long-term resil­ience in cyber defence.

Although the European Peace Facility was introduced only in 2022, 41 decisions on military empowerment measures have been taken since then. The first EPF used to support cyber defence in the Repub­lic of Moldova was initiated in 2023.

PESCO also currently remains at a low level, despite the ambitious political agenda for establishing a European Defence Union, with only 68 projects based on 31 decisions. Out of the current 12 ongoing PESCO pro­jects on cybersecurity, only three are focused on cyber defence. These include the establishment of a Coordination Centre for the Cyber and Information Domain, Cyber Rapid Response Teams, and a platform for information exchange on cyber threats.

While the gap between expectations and capabilities remains, vulnerabilities in the cyber and information space continue to mount. The challenge for the EU here is that the strategic gains from cumulative cyber campaigns are higher than the restric­tive measures taken by the EU against these threat actors. Data from the European Repository of Cyber Incidents (EuRepoC) can serve to illustrate the rising vulnerabilities and the limited activity in its foreign and security policy to retaliate against these threat actors (see Figure 2). As of March 2024, the dataset lists around 2,700 serious cyber­attacks, 405 of which targeted EU member states and emanated from 116 dif­ferent threat actors. Additionally, EuRepoC data show that since 2009, a large proportion (44%) of the serious cyberattacks against EU member states, targeted critical infrastructure organisations vital to the functioning of society – predominantly within the transport and financial sectors.

The Cyber Diplomacy Toolbox (CDT)

The CDT should serve as an EU instrument to help address these cyber threats. After all, it was intended to provide the EU with capabilities that would allow for appropriate joint diplomatic responses to cyber­attacks, corresponding to the scope, extent, duration, intensity, and impact of the respec­tive attacks. Its goal was to establish a basis for proportional, appropriate responses to cyberattacks. Low-threshold attacks typi­cally result in the EU issuing a protest note or summoning an ambassador. In contrast, severe attacks prompt the implementation of targeted restrictive measures, such as freezing accounts or imposing travel restric­tions. However, unanimity in the Council makes proportional, appropriate political and legal responses to serious cyberattacks almost, if not entirely, impossible. This was evident in the EU’s response to the KA-SAT incident, where unanimity prevented the imposition of additional sanctions against Russia, despite the attack’s disruption to Europe’s energy supplies.

Qualified majority voting (QMV) would help overcome obstacles to common action, as set out in the CDT implementing guide­lines from 2023. The Council states that joint EU attributions taken by QMV facili­tate exposing “the specific malicious cyber activit[ies] or specific actor, enable mitigating initiatives, promote the UN framework for responsible state behaviour, demonstrate capacity to identity its origin, discour­age future malicious cyber activities, as well as to enable other response options to be used sequentially”.

However, to date, a not insignificant proportion (29%) of cyberattacks against EU member states since 2009 remain un­attributed (Figure 2). The KA-SAT attack in February 2022 stands out as the only in­cident that has been officially attributed to a state by the governments of the US, UK, Canada, Australia, as well as by a statement of the High Representative (HR) of the EU. At the same time, very few cyberattacks were met with political or legal responses by EU member states since the launch of the CDT (14% and 14.4%, respectively). Rather, EU member states have primarily responded to cyberattacks with stabilizing (e.g. statements by ministers, deputies, or heads of government) or preventative mea­sures (i.e. political declarations intended to point out growing cyber risks). In addition, there is a significant disparity in the rate of political responses to cyberattacks among member states, further highlighting the inconsistencies in current responses to cyber threats within the EU. For example, Estonia responded with political reactions to 44% of all cyberattacks it faced, while the Netherlands only responded to 4%. This may indicate that the EU member states’ countermeasures to cyber incidents are primarily political in nature and not neces­sarily proportional to the intensity of the cyberattacks.

Consequently, many perpetrators of these serious cyberattacks remain unaccountable and the lack of a uniform strategy or co­ordinated attribution process among the member states, let alone at the EU level, merely serves to exacerbate the issue. The unanimous decision-making required in the CFSP significantly hinders the EU’s ability to respond swiftly and effectively to cyber threats, particularly against critical infra­structure. On the other hand, QMV would allow the HR to take stabilizing measures, for example statements condemning states to stop its cyberattacks against the EU. Ad­ditionally, varying forensic capabilities and differing perceptions of threats among the member states further complicate the con­sensus needed for collective action. The diversity in threat perception and response mechanisms across the 27 member states highlights the need for a Europeanized or harmonized approach to cyber foreign and security policy. This is crucial not only for ensuring external protection but also for the smooth functioning of the (digital) internal market and its associated value chains.

Cyber foreign and security policy is a relatively new aspect of EU policy which, owing to its technological nature, has experienced limited politicization to date. Cyberattacks not only have a transnational impact but also pose a threat to the security of the entire Union, its member states and citizens. Therefore, fulfilling the protective role within the framework of the CFSP is absolutely necessary.

QMV roadmap in cyber

Increasingly faced with cyber threats, it is imperative for the EU to focus more of its efforts towards safeguarding critical infra­structure. Enhancing resilience and improv­ing crisis management, while upholding international law, are crucial steps for the EU and its member states to adapt to such challenges. Qualified majority decisions in the Council of the EU in European foreign and security policy should proceed cau­tious­ly, variably, and according to a clear roadmap. EU foreign and security policies should be decided by QMV, as they neces­sitate an immediate and effective crisis response. This would help to broaden the fundamental understanding of the pressing challenges and to extend the limits of the current technical or legal understanding of the CFSP/CSDP to tasks formulated in the Strategic Compass, such as combating hybrid threats or defending against cyber­attacks. Ultimately, the roadmap should initially focus on technical and less contro­versial issues before addressing the politi­cally contentious ones. The decision on whether the HR should make a declaration on behalf of the EU is to be determined by QMV. To this end, European foreign and security policy must fundamentally distin­guish between technical resilience-related and politically sensitive sanctions: as a start­ing point, the application of instruments such as preventive cooperation or stabilizing measures with third countries should be initiated. Most of the preventive measures are so far directed towards friend­ly neighbouring countries of the EU. How­ever, cooperative measures such as dia­logues could be enlarged to authoritarian states. For example, QMV would allow the EU to engage in capacity-building efforts with other regional organisations such as the African Union (AU). After successful collaboration in the first phase, member states could then move to the second phase and expand their ambitions to the applica­tion of restrictive measures. In the third and final phase, coercive measures accord­ing to international humanitarian law could be added to complete the spectrum of powers. The timetable for transitioning from one phase to the next should be determined by the member states in cooperation with the national parliaments and the EP.