EU cyber defence governance: facing the fragmentation challenge

Delphine Deschaux-Dutard


Cyberspace has recently become the fifth battlefield (O'Connell 2012). As an international organisation, the European Union (EU) has become increasingly concerned with cybersecurity in the last decade. This topic is especially stimulating as the academic literature remains quite sparse (Dunn Cavelty 2013a, 2013b; Sliwinski 2014; Christou 2016; Barrinha and Carrapico 2016, 2017, 2018). As Barrinha and Carrapico (2018) underline, European cybersecurity constitutes an emerging field both for academic researchers and practitioners. In recent years, the EU has been called upon to act as a security provider, which also entails the military aspects of cyberspace. In this regard, cybersecurity encompasses the topic of this chapter, which lays emphasis on cyber defence. While cybersecurity designates both ‘the insecurity created by and through [cyberspace] and [...] the practices or processes to make it more secure’ (Dunn Cavelty 2013a: 363), cyber defence can be defined as the set of norms, organs, tools and procedures aimed at protecting critical infrastructures and networks dedicated to the military defence of a given country or group of countries from cyberattacks harming the national security of a country or collective security.1 The paradox of cyberspace is that contrary to air, land or sea, in defence-related issues, it relies not only on the military but mostly on the civilian and private spheres. The specificity of cyberspace is its transnational nature relying on multiple stakeholders.

Faced with recurring cyberattacks and cyber threats against military infrastructure (emanating from Russia, but not only; see Barrinha 2018), the EU started developing a discourse around cybersecurity and cyber defence (Christou 2016 and 2019; Barrinha and Carrapico 2017). Yet, what is striking is that EU cyber defence is much less academically investigated than cybersecurity, even though the EU started developing a cyber defence architecture half a decade ago. Hence, this chapter focuses on EU cyber defence normative and institutional architecture to understand the governance of cyber defence at the European level as well as the challenges and limits it faces. This chapter illustrates the overall aim of this edited book, which seeks to open the black box of the politics governing new technologies in the EU. How does EU cyber defence emerge and work as a specific field? What are the characteristics and challenges of the governance of EU cyber defence? We rely on the concept of governance as defined in the Introduction of this book, that is, as a tool enabling the exploration of how and by whom emerging security technologies are governed. Theoretically, the chapter borrows from the concept of strategic culture to explore these questions. Strategic culture designates a ‘set of general beliefs, attitudes, and behaviour patterns’ (Snyder 1977) affecting defence policy.2 Norms, values, patterns of behaviour as well as historical experience shape the culture which the state (and at a regional level, the EU) tends to deploy in terms of military and strategic matters. We agree with Meyer’s definition of strategic culture as ‘a causal factor of relatively high permanence, which has practical implications for explaining decisions’ about military matters (2013: 51). The concept of strategic culture is not predictive but helps us to understand why EU member states do not all share the same ideas about cyber defence, as the third part of the chapter demonstrates.

Thus, to show what impact strategic culture has on EU cyber defence initiatives, the chapter proceeds as follows. The first part analyses EU cyber defence normative architecture to show its still marginal position. The second part focuses on the governance of EU cyber defence by analysing its actors and tools. The final part uncovers the challenges of the EU cyber defence normative and institutional architecture by relying on the concept of strategic culture to explore the limits of the EU as an efficient cyber defence actor in the short term.

An emerging normative cyber defence architecture in Brussels

This part aims at understanding how EU cyber defence is integrated into a global European normative framework.

A European framing of cybersecurity mostly based on economic and civilian aspects

The EU has shown a growing interest in cybersecurity matters since the late 1990s, seeing cyber technologies as a key sector as mentioned in this book’s introduction. A first set of EU directives was issued by the European Commission between 1999 and 2002 with one main objective: protecting EU citizens’ fundamental rights and freedom, while securing economic and trade activities relying on the use of the Internet. The economic logic underpinning these documents did not include the military dimension of cyber. Even in the European Security Strategy (Solana 2003), there is no mention of cyber threats. After the cyberattacks in Georgia in 2008, the EU included energy and transport as an important matter of cybersecurity. The EU also strongly focuses on the fight against cyber criminality with the involvement of the Commission, the Council and Europol (which developed a team dedicated to fighting cyber criminality: EC3; Christou 2016: 87-118).

The EU’s Cybersecurity Strategy (EUCSS), released jointly by the Commission and the High Representative in February 2013, has become the nucleus of the EU's cybersecurity normative architecture (European Commission/HRVP 2013). The EU Cybersecurity Strategy emphasises cyber resilience by protecting critical information systems and fostering cooperation between the public and private sector, as well as civilian and defence authorities. Yet, the EUCSS does not provide a clear and common European definition of cybersecurity (Sliwinski 2014). The document proposes a holistic approach necessitating cooperation among many public and private stakeholders, as in many other dual-technologic issues studied in this volume.3 This cyberstrategy, updated in September 2017, comes together with the European Network and Information Security (NIS) directive adopted in 2016 and enforced in 2018, which is the first EU-wide legislation on cybersecurity and aims at creating common standards of cybersecurity within the member states. The driving concept under the strategy is resilience, which does not aim at the removal of the threat but rather at the capacity of the system to quickly recover in case of a cyberattack (Dunn Cavelty 2013a, 2013b). The last document adopted in May 2019 is the EU Cybersecurity Act, which mainly expands the mandate and resources of ENISA, the EU Agency for Cybersecurity located in Heraklion, and aims at producing a European certification framework. This rapid overview of EU cyber norms shows that defence has not been the priority in the framing of EU cybersecurity. However, in the last five years, the EU has started to look at the external dimension of cybersecurity, encompassing cyber defence. New technologies (drones, AI, big data, etc.) and their impact on warfare have prompted the need for a European reflexion on cyber defence, embedded in the quest for European strategic autonomy globally.

Cyber defence as a side issue in EU’s framing of cybersecurity

The external dimension of cybersecurity encompasses both cyber diplomacy and cyber defence. In this regard, the EU launched a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, also called the Cyber Diplomatic Toolbox, adopted by the Council in June 2017, looking at the best collective answer at the EU level regarding cyberattacks and creating a toolbox ranging from sanctions up to the ultimate level: the possibility to invoke the mutual defence clause (Article 42 §7) or the mutual assistance clause (Article 222 TFEU) should the threshold for a cyber conflict be crossed (or in case of a cyberattack with lethal or conventional consequences; Moret and Pawlak 2017). Moreover, on 14 May 2019, the European Council agreed on the capability to impose European sanctions to deter and respond to cyberattacks (Council Decision 7299/19). This shows a European will to exist as a diplomatic actor in cyberspace, even though imposing sanctions raises the difficult issue of the attribution of cyberattacks to a state or a state-sponsored attacker (Bendiek 2018).

Cyber defence is the military side of the EU's interest in the external dimension of cybersecurity. Even if cyber defence is not the main priority of the EU, the EUCSS remains the first norm introducing cyber defence at the European level. First, in this document, the EU recognises for the first time that it is now entitled to deal with cyber defence, which was not included in the EU’s defence activities (namely, in the Common Security and Defence Policy [CSDP]) before. Second, the cybersecurity strategy appeals to the solidarity clause (Article 222 of the Treaty on the Functioning of the European Union) as follows: ‘A particularly serious cyber incident or attack could constitute sufficient ground for a member state to invoke the EU Solidarity Clause’ (EEAS 2013: 19). This explains why cyber defence has been enriched with specific norms. The 2013 EU Cybersecurity Strategy underlines four main issues to be developed in cyber defence: the development of cyber defence capabilities with EU member states; the development of an EU Cyber Defence Policy framework; the promotion of the civil-military dialogue; and the dialogue with international partners like NATO. The need for a specific cyber defence document had already been expressed in the final report of the High Representative in October 2013 (eight months after the release of the EU Cybersecurity Strategy). In November 2014, the Council issued an EU Cyber defence framework focusing on capability development, training, education and exercises (Council of the European Union 2018).

Since then, European cyber defence has been extended by several strategic documents. The EU Global Security Strategy published in June 2016 considers ‘cyber’ as one of the key components of EU’s security and defence (see Barrinha and Renard 2018: 182). In September 2017, the European Commission and the High Representative issued a joint communication known as the ‘2017 Cybersecurity Package’ emphasising the need for an EU cyber defence to better face hybrid threats (Pupillo et al. 2018). The European Commission and the European External Action Service (EEAS) also updated the EUCSS in September 2017 with a Joint Communication (‘Resilience, Deterrence and Defence: Building Strong Cybersecurity for the EU’). Moreover, the European Parliament adopted a motion on Cyber defence in May 2018 stating: ‘while cyber defence remains a core competence for member states, the EU has a vital role to play in providing a platform for European cooperation’ (cited in Pupillo et al. 2018: 36). In June 2018, the European Commission, the European Parliament and the Council issued a joint communication titled ‘Increasing Resilience and Bolstering Capabilities to Address Hybrid Threats’ also putting emphasis on the need for cyber defence coordination at the European level.

To sum up, EU cyber defence norms take root in a dense cybersecurity framework mostly based on civilian and economic principles at the European level. The main EU institutions (the Council, the Commission and the Parliament) have framed cybersecurity and cyber defence as a shared area of responsibility.4 In reality, the securitisation process of cyber at the European level remains highly differentiated (Christou 2019), with cyber defence governance torn between the EU level and the national level, as we analyse in the next section. The EU's emerging cyber defence strategic architecture does not yet entail a consistent European cyberstrategic culture.5

The governance of EU cyber defence: an unstable balance between the national and European levels

This section explores the governance of EU cyber defence to show that, as in many other dual-use technological issues, when it comes to the military dimensions of these technologies, the European level has to reckon with European governments maintaining a primary role, as stated in this volume’s introduction. As EU cybersecurity architecture has already been well documented (Christou 2016; Barrinha and Carrapico 2016, 2017), we only focus on EU cyber defence governance. As cyber defence reports to the EU's external action, the institutional structures involved are the ones working in the framework of CSDP, characterised by a governance torn between intergovernmentalism (the ruling principle of CSDP), and Europeanisation, represented by the nature of these structures incarnating the European interest within CSDP’s institutional framework.

EU’s actors operating European cyber defence torn between intergovernmentalism and Europeanisation

The architecture of EU cyber defence primarily relies on actors at the European level and at the member states level. At the European level, three main institutional actors and three tools can be identified. Regarding the institutions, the main actors dealing with cyber defence in Brussels are the European Defence Agency (EDA) and the EU Military Staff (EUMS) within the EEAS. Interestingly, these actors are included in the European defence institutional framework (CSDP) but are not intergovernmental. Both the EDA and the EUMS are composed of detached national agents, which means these agents do not represent their own member states, contrary to the agents working in the Political and Security Committee (PSC) or the EU Military Committee (EUMC).

The EDA is an important agency concerning EU cyber defence initiatives. The EDA’s global role in CSDP is to support the member states in different areas of military capability development including cyber defence. It is also an actor participating in the creation of a military discourse at EU level (Barrinha 2015). Cyber defence has clearly become a priority of the EDA’s capability development plan since 2010 and has been reaffirmed by the European Council of December 2013 as one of four key capabilities for EDA activity. The agency therefore set up a unique cross-national expert project team (coming from national MoDs and from the civilian sphere) in 2011 to promote the development of cyber defence capabilities both at the EU and national levels. As the success of military operations is increasingly dependent upon the access to cyberspace and the armed forces are reliant on cyberspace both as a user and as a battlefield, the EDA is active in the fields of cyber defence capabilities as well as in research and technology.6 The EDA's action in cyber defence is more precisely developed within the Capability, Armament & Technology Directorate directed by Martin Konertz, working in close dialogue with the defence authorities of EU member states. Concretely, the EDA organises training and exercises and delivers cybersecurity and cyber defence courses for operational actors as well as decision makers, with the objective of creating a collaborative platform to exchange best practices and common standards.7 Moreover, the EDA works at developing cyber defence situational awareness for CSDP operations with the objective of integrating cyber defence in the European military planning process. This issue is very acute as, contrary to NATO, the EU does not possess its own planning assets and cyber threats raise the question of the protection of national critical infrastructures used in CSDP structures, missions and operations (Robinson 2014).8 In this regard, the EDA works together with the EU Military Staff. The EDA also set up a Cyber Defence Research Agenda (CDRA) considered as a research and technology roadmap for the coming decade and appealing to coordination with other EU stakeholders, such as the Commission and the ENISA.

The other main EU institutional actor in cyber defence is the EUMS, located within the EEAS. Since the launch of EU’s Cybersecurity Strategy, the EEAS has been actively involved in mainstream cyber issues related to the Common Foreign and Security Policy (CFSP): cyber dialogues have been established with key strategic partners, namely, the USA, Japan, South Korea, India and China. The EEAS works closely with the member states and the Commission so as to promote a coordinated EU cyber diplomacy in international relations, characterised by regular cyber consultations between the EU and other international organisations and also with third countries.9 More precisely, the kingpin for cyber defence inside the EEAS is the EU Military Staff, which is the source of military expertise in the EU. Inside the EUMS, two directorates deal with cyber defence: the Concepts and Capabilities (CON/CAP) as well as the Communications and Information Systems (CIS). The former is responsible for developing concepts and doctrine in cooperation with the EDA, including cyber doctrinal aspects. For instance, the EUMS developed a European Concept for Cyber Defence for Military Operations and Missions in November 2016 (Rehrl 2018: 36). The latter provides communications and information systems planning expertise at both strategic and operational levels, including cyber-related issues. Last but not least, since 2018, the European Security and Defence College has been tasked with cyber defence education, training, evaluation and exercise to civilian as well as military staff.

However, member states remain the key players for the development of cyber defence capabilities, as with most other dual-use technologies. The motion on cyber defence adopted by the European Parliament in May 2018 is very clear on this: cyber defence remains a core competence for member states. As CSDP is an intergovernmental policy, this represents a strong limit to the EU’s potential as a cyber defence actor and to developing a consistent cyber strategic culture. At the member states level, the main actors are the national cyber commands when they exist, as in the cases of France or Germany, for instance. Should the EU experience a cyberattack with lethal consequences, the decision on how to respond to such an attack (sanctions, hack back, etc.) would rely on the intergovernmental principle of unanimity in the Council, as cyber defence remains a sovereign competence of the member states, where the EU can mainly act as a facilitator.

A governance completed by tools dedicated to cyber defence at the European level

Not only does EU cyber defence governance rely on the institutional actors presented above, but also on three specific tools included in the EU Treaties (TEU and TFEU). The first one is the solidarity and self-defence clause (Article 42 §7 TEU), which provides an institutional tool to address cyber incidents. Even though the clause does not state cyber defence as such, if the consequences of a large-scale cyberattack could legally qualify as an ‘armed aggression’, the clause could be invoked by the victim member state, as it has been by France after the terror attacks in November 2015. In such a case, the EU member states should help the victim. But the use of this clause would raise the difficult question of the attribution of the cyberattack, in the same way as Article V of the NATO treaty does. Such an attribution to a specific state or state-sponsored hacker would necessitate a consensus among the member states within the European Council, which would make it difficult as it tackles diplomatic strings and strategic priorities which keep diverging among the EU member states, as will be shown in our final part.

Thus, a second possibility would prove more effective in case of an unattributed cyberattack: the solidarity clause included in Article 222 of the TFEU. The 2017 Cybersecurity Package emphasises this clause as a well-suited institutional tool in case of a cyberattack not qualifying as an armed aggression. In such a case, this would qualify the cyberattack as a disaster and EU institutions and the member states would then have to respond with solidarity, relying on Article 222.

The last tool included in EU cyber defence architecture is the Permanent Structured Cooperation (PESCO), as four projects among the 43 projects developed in this framework explicitly deal with cyber defence. PESCO was officially launched by the European Council in December 2017 and 25 member states participate voluntarily in one or several projects. PESCO relies on the principle of unanimity among the participating member states. The projects including cyber defence aspects mainly concern training and coordination and bring together leading countries and observer countries. For instance, a Lithuania-led project titled ‘Cyber Rapid Response Teams and Mutual Assistance in Cybersecurity’ (CRRT) proposes to work on coordination in the area of cyber defence by developing penetration testing, joint capabilities and mutual operational support through Cyber Rapid Response Teams. This recalls the case of EU battle groups for military conventional rapid response, as we show below.

This overview of EU cyber defence governance shows that EU cyber defence response is under construction and encounters the challenge of overlapping skills between CSDP cyber-related issues and global EU cybersecurity addressed by different agencies. Therefore, the EU as a cyber actor remains far from being coherent (Barrinha and Carrapico 2017). EU cyber defence requires cooperation between the multiple stakeholders, which is not accomplished yet. Building a global EU cyber strategic culture not only requires a good level of inter-institutional cooperation (Christou 2016) but also a common understanding of cyber priorities in the military domain. The concept of strategic culture helps us understand the challenges and limits experienced by the EU in the construction of its cyber defence governance.

The fragmentation challenge of EU cyber defence: a puzzle between the EU, the member states and NATO's competing sets of priorities

EU cyber defence is embedded in a global environment, which encompasses the member states’ cyber defence architectures, as cyber defence mostly relies on states’ sovereignty. The concept of strategic culture helps to grasp the difficulty of creating a European cyber defence governance in a context where many member states already have structured norms and preferences about cyber defence that differ from the EU level of ambition. As each national strategic culture is rooted in the country’s historical and political path, this constitutes a solid frame by which national decision makers establish their preferences and priorities in defence policy. Assuming that strategic cultures play an important role in framing the governance of cyber defence supports the argument that dual-use technologies are not neutral, as stated in this book’s introduction, but relate to power, as their governance and framing are based on a social construction rooted in each actor’s culture. This helps to explain the conflicting forces at work. Therefore, after underlining the limits of EU cyber defence governance at the EU level, this part will focus on the challenges to the development of a European cyber defence self-standing culture in a strategic environment shaped by the member states and NATO’s framing of cyber defence.10

The limits of the EU cyber defence governance

At the EU level, cybersecurity is still quite fragmented between its different components (cybersecurity, cybercriminality, cyber defence) (Barrinha and Carrapico 2017). If the Commission plays a crucial role as a policy entrepreneur in cybersecurity, cyber defence remains in the intergovernmental area of the Council. Cyber defence reflects well the dilemma of European strategic autonomy, which it is supposed to fuel: the ambition may be wide, but the concrete realizations are always limited by the member states’ concerns for their own strategic priorities.

The first striking element is that contrary to many states who frame cybersecurity primarily as a military threat giving a major role to the military institution in managing cybersecurity at the national level (like the US Cyber Command set up in 2010 or the French or German cyber commands created since 2016-2017; O’Connell 2012), the EU has framed cybersecurity primarily as an economic and democratic challenge. This explains why cyber defence at the European level is still in its infancy and mainly focuses on prevention and resilience rather than on offensive capabilities as some member states do (Bendiek 2018). Therefore, in case of a massive cyberattack with lethal or conventional consequences, the burden of response would de facto fall on the member states and would be dependent on the unanimity principle.

A good example of this challenge is provided by PESCO. Even though it offers a way of building up EU cyber defence capabilities by committing the most willing states and having them work together within a constraining framework, the functioning of PESCO also limits the scope of such initiatives. The PESCO projects related to cyber defence aim at increasing the EU and member states’ resilience to cyber threats by pooling resources and developing more coordination between the different actors (including private actors). But these projects are not EU-wide and are ruled by unanimity: all the states involved in the projects have to agree on the deployment of Cyber Rapid Response Teams and Mutual Assistance in Cybersecurity (CRRT) on their networks, for instance. The same kind of dilemma as the one raised by the EU’s battle groups could lead to the project’s inefficiency in reality.11

Another limitation to the EU’s cyber defence governance is the scarcity of resources compared to the national resources dedicated by member states. The EEAS and the EDA combined currently have a dozen staff working on cyber defence at their disposal, whereas the French cyber command set up in 2017 aims at recruiting 4,000 staff over the next two years and NATO has several dozen staff at its disposal. As Pupillo et al. underline, ‘the resources allocated by the EU are neither commensurate [...] nor adequate’ for EU cyber defence to be effective (2018: 44). These limits also come from the fact that the EU, unlike NATO, is not a military alliance but an organisation based on a wide political project of integration. Thus, the EU frames cyber issues as a way of exerting a soft power and promoting its core values in cyberspace (Bendiek 2018; Dunn Cavelty 2018). This is, of course, quite different from the member states and NATO’s perspectives. Therefore, the EU mainly plays the role of a facilitator in cyber defence rather than the role of an actor per se. The member states remain responsible for the operational and strategic levels of cyber defence.

Diverging member states’ priorities: a constraining environment for EU cyber defence

What is true about EU cooperation challenges in CSDP in general is also true when it comes to cyber defence. We share the idea developed by Biehl, Giegerich and Jonas that ‘national strategic cultures are among the key factors that can explain why [...] progress on closer cooperation in security and defence remains slow and cumbersome’ (2013: 7-8). The lack of consensus between EU member states about European defence in general reflects the range of different national strategic cultures, divergent military doctrines and strategic priorities within the EU and explains how difficult the achievement of European strategic autonomy, though claimed for a few years, will remain. Cyber defence is no exception. Many EU countries have started to include cyber into their defence strategies, even if disparity is high among the countries. Schematically, EU member states can be divided into three groups concerning cybersecurity and cyber defence (Christou 2016). The first group is composed of member states who invest in cyber defence and develop a cyber defence policy at the national level in order to have the whole range of tools at their disposal to face cyber threats (France, UK, Germany, mainly). These states are also the ones that have been historically the most proactive in developing CSDP and EU military operations. To take the case of French cyber defence, the French government started to invest in cyber defence in 2010. The French government decided to invest over €1 billion and recruit about 4,000 persons for the development of French cyber defence in the coming years and a second cyber command was even launched in October 2019. The key document concerning the strategic culture shaping French cyber defence is the White Book on Defence and National Security of 2013. The White Book not only designates cyberspace as falling within the state’s sovereignty but even identifies ‘offensive computer struggle’ as a ‘necessity’.12 The underlying principle is proportionate response in case of cyberattack. This example clearly shows that French cyber defence policy relies on French strategic culture rooted in France’s values of independence, autonomy and sovereignty in strategic matters and diverges from the EU’s cyber defence framework mostly based on coordination and prevention.

German cyber defence policy also shows important financial investment in cyber but mainly relies on civilian means complemented by measures taken by the Bundeswehr, as a military cyber command was set up in 2018 in Bonn. German cyber strategy is more oriented towards defensive measures, whereas France also aims at developing offensive cyber capacities. A second group is composed of member states like Sweden, Finland and the Baltic states, who started to develop cyber responses but rely on NATO cyber defence assets. A third group consists mostly of the other EU member states that have not, until now, manifested a strong awareness about cyber defence. This shows how differentiated the involvement and investment of EU member states in cyber defence remains, as it relies upon different representations about cyber defence shaped by their own strategic cultures. Moreover, there is no consensus among the member states about an increased role for the EU in cyber defence.13

EU, NATO and cyber defence: complementary or contestant?

Another element constraining EU cyber defence governance is the existence of a consistent NATO cyber defence policy. EU cyber defence is driven by an important concern: to avoid as much as possible duplication with NATO cyber defence assets.14 NATO and the EU have different normative perspectives regarding cyber defence. NATO frames cyber threats as a direct challenge for transatlantic and national security, as stated in the 2010 Strategic Concept, whereas the EU primarily focuses on the economic and social implications of cyber threats and on the diplomatic aspects of its external dimension more than on the military aspects (cyber defence). NATO may be the most advanced international organisation regarding cyber defence. NATO approved its first Policy on Cyber Defence in 2008 (revised in 2011 and 2014) and established a Cyber Defence Management Authority (CDMA) in 2008 and even a Cyberspace Operations Centre within NATO Command Structure in 2018 (Lete 2019). The Strategic Concept adopted in November 2010 fully acknowledges cyber defence capabilities as a necessity for the Alliance (NATO 2010). NATO also created tools to prevent cyberattacks and cyber offensive capabilities with a central objective: to defend the Alliance’s own communications and information systems and to raise its member states’ awareness of the need to protect critical infrastructures implied in contemporary military operations. At the NATO Summit in Wales, in September 2014, the organisation recognised cyber defence as part of the Alliance's core task of collective defence and therefore included cyber threats as relevant Article V material.

If for both organisations cyber defence primarily lies in the hands of national authorities, NATO has taken an evident lead on this issue and the EU has to find a way of competing with NATO without decoupling it in cyber defence (Lete 2019). The EU does not aim to provide direct assistance to its member states in case of cyberattack but to act as a facilitator to help them share best practices, whereas NATO does. There is also a difference between NATO owning its information and the computer networks used in military operations and the EU depending on the member states’ ICT infrastructures for CSDP missions. NATO started developing its own cyber defence culture, whereas the EU keeps looking for coherence and does not rely on a specific European cyber defence culture, therefore undermining EU’s quest for strategic autonomy.

However, the EU and NATO have enhanced their cooperation in cyber defence since their joint declaration at the Alliance summit in Warsaw in 2016 (NATO 2016). They regularly organise common training and exercises and develop information sharing in order to raise mutual trust (Lete 2019). Cooperation is even more needed in a context of limited financial resources: some experts suggest using the Berlin Plus agreements in cyber defence (Robinson 2014). The EU and NATO have also concluded a technical agreement between their response teams for cyber incidents (NCIRC and CERT-EU) in February 2016 to intensify their cooperation on cyber defence. It has been used to commonly discuss cyber threats in the context of the 2019 European elections. Yet, the EU remains way behind NATO regarding cyber defence, even though strategic autonomy has become a leitmotiv as in European defence generally since the 2016 EU Global Security Strategy.


As part of its global effort on cybersecurity, the EU has started to invest normative and institutional efforts in cyber defence during the last decade. However, EU cyber defence remains beyond the scope of European ambition of strategic autonomy as its governance remains fragmented and its norms not really constraining. The member states keep framing cyber defence through their own strategic culture first, as it is a sovereign issue. This shows more generally that when it comes to strategic aspects of dual-use technologies, be it drones, cyber or AI, states remain the pivotal actor in their governance and can define the European level of governance to avoid risks for their sovereignty. This, therefore, limits the potentiality of a European strategic autonomy not only in cyberspace but also in international security in general. Thus, the EU develops initiatives in cyber defence, which remain to be fuelled with more substance. The EU has a cyber defence strategy still lacking in consistency and has designed a governance torn between the member states and European institutions. This can be explained by the weight of national strategic cultures framing cyber defence at the member states level and the still disputed existence of an emerging European strategic culture. Yet, EU cyber defence could be seen as a possibility for building a kind of cyber smart power at the European level, which would mean a kind of power that relates not only to persuasion and norm diffusion but also to a capacity for the use of coercion if needed in cyberspace.


  • 1 This definition is inspired by Ventre (2011: 102).
  • 2 We will not discuss the debate surrounding the existence or lack of a common EU strategic culture which is much documented. See, for instance, Howorth (2002), Rynning (2003), Giegerich (2006), Norheim-Martinsen (2010, 2011), Biehl, Giegerich, Jonas (2013), Meyer (2013), Biava, Drent and Herd (2011) and Chappell and Petrov (2014).
  • 3 The governance of cybersecurity varies depending on the concerned area, Network and Information Systems having a different governance than cyber defence, for instance; for a general perspective on EU’s cybersecurity governance, see Christou (2016).
  • 4 October is traditionally the European cybersecurity month and 2019 edition’s motto was: ‘Cybersecurity is a shared responsibility’.
  • 5 We won’t enter here into the debate surrounding EU’s strategic culture, as it has been well documented in recent years: see, for instance, Howorth (2002), Rynning (2003), Meyer (2013), Giegerich (2006), Norheim-Martinsen (2010, 2011), Biava, Drent and Herd (2011) and Chappell and Petrov (2014).
  • 6 See EDA Cyber Defence Activities, at: activities-search/cyber-defence (accessed 27 October 2019).
  • 7 For instance, a pilot Decision-Making Exercise on Cyberspace Crisis Management took place in Lisbon in May 2014. The pilot exercise aimed at preparing strategic leaders for situations involving a major cyberattack.
  • 8 However, a Military Planning and Conduct Capability has been established in Brussels in June 2017 but does not deal with cyber defence. This permanent operation headquarters is currently dedicated to non-executive military missions.
  • 9 We come back to EU-NATO specific cooperation in the last section of this chapter.
  • 10 As 22 EU states are also NATO members, it certainly plays an important role in the way that the EU is trying to define its own path in cyber defence.
  • 11 EU battle groups have not yet been used, due to this unanimity principle.
  • 12 Livre blanc sur la défense et la sécurité nationale (2013), 96. At: www.defense.gouv.fr/actualites/memoire-et-culture/livre-blanc-2013 (accessed 6 October 2019).
  • 13 The lack of consensus also exists within NATO in this regard (see Joubert and Samaan 2014).
  • 14 And yet, some experts estimate that ‘finally, both NATO and the EU are pursuing similar activities in this area (albeit under different assumptions and limitations)’ (Robinson et al. 2013: 6).


Barrinha, A. (2015) The EDA and the Discursive Construction of European Defence and Security. In K. Nikolaos and O. Iraklis (eds), The European Defence Agency: Arming Europe. London: Routledge, 27-42.

Barrinha, A. (2018) Virtual Neighbors: Russia and the EU in Cyberspace. Insight Turkey 20(3): 29-42.

Barrinha, A. and Carrapiço, H. (2016) The EU’s Security Actorness in Cyber Space: Quo Vadis? In L. Chappell, J. Mawdsley and P. Petrov (eds), The EU, Strategy and Security Policy: Regional and Strategic Challenges. London: Routledge.

Barrinha, A. and Carrapiço, H. (2017) The EU as a Coherent (Cyber) Security Actor? JCMS: Journal of Common Market Studies 55(6): 1254-1272. 10.1111/jcms.12575.

Barrinha, A. and Carrapiço, H. (2018) European Union Cyber Security as an Emerging Research and Policy Field. European Politics and Society 19(3): 299-303. https://doi.org/10.1080/23745118.2018.1430712.

Barrinha, A. and Renard, T. (2018) The EU as a Partner in Cyber Diplomacy and Defence. In Jochen Rehrl (ed.), Handbook on Cybersecurity: The Common Security and Defence Policy of the European Union - Volume V. Vienna: EU Publications, 180-189.

Bendiek, A. (2018) The EU as a Force for Peace in International Cyber Diplomacy. SWP Comments, No. 19. April. Berlin: Stiftung Wissenschaft und Politik.

Biava, A., Drent, M. and Herd, G. (2011) Characterizing the European Union’s Strategic Culture: An Analytical Framework. Journal of Common Market Studies 1-22. https:// 1468-5965.2011.02195.x.

Biehl, H., Giegerich, B. and Jonas, A. (eds) (2013) Strategic Cultures in Europe: Security and Defence Policies across the Continent. Munich: VS Verlag.

Chappell, L. and Petrov, P. (2014) The European Union’s Crisis Management Operations: Strategic Culture in Action? European Integration online Papers (EIoP), 18, Article 2, 1-24.

Christou, G. (2016) Cybersecurity in the European Union: Resilience and Adaptability in Governance Policy. London: Palgrave.

Christou, G. (2019) The Collective Securitisation of Cyberspace in the European Union. West European Politics 42(2): 278-301.

Council of the European Union (2018) EU Cyber Defence Policy Framework. http://data.

Dunn Cavelty, M. (2013a) Cyber-Security. In A. Collins (ed.), Contemporary Security Studies, 3rd edn. Oxford: Oxford University Press, 362-378.

Dunn Cavelty, M. (2013b) A Resilient Europe for an Open, Safe and Secure Cyberspace. UI Occasional Paper no. 23, Swedish Institute of International Affairs.

Dunn Cavelty, M. (2018) Europe’s Cyber-Power. European Politics and Society 19(3): 304-320.

EEAS (2013) Cyber Security Strategy - Open, Safe and Secure. European Union External Action Service (EEAS). At: en.htni.

European Commission HR VP (2013) Joint Communication Cybersecurity Strategy of the EU: An Open, Safe and Secure Cyberspace, JOIN(2013) 1 final, Brussels, 2 July.

European Parliament (2014) EU Cyber Defence Policy Framework, Brussels, 18 November, 14 pages. At: www.europarl.europa.eu/meetdocs/2014_2019/documents/sede/dv/sede160315eucyberdefencepolicyframework_/sede160315eucyberdefencepolicyframework_en.pdf.

Giegerich, B. (2006) European Security and Strategic Culture: National Responses to EU's Security and Defence Policy. Baden-Baden: Nomos.

Howorth, J. (2002) The CESDP and the Forging of a European Security Culture. Politique européenne 4(8): 88-109.

Joubert, V. and Samaan, J.-L. (2014) L’intergouvernementalité dans le cyberespace: étude comparée des initiatives de l’Otan et de l’UE. Hérodote 152-153: 261-275. 152.0261

Lété, B. (2019) Cooperation in Cyberspace. In G. Lindstrom and T. Tardy (eds), The EU and NATO: The Essential Partners, 28-36. European Union Institute for Security Studies (EUISS).

Meyer, C. (2013) European Strategic Culture: Taking Stock and Looking Ahead. In S. Biscop and R. Whitman (eds), The Routledge Handbook of European Security. London: Routledge, 50-59.

Moret, E. and Pawlak, P. (2017) The EU Cyber Diplomacy Toolbox: Towards a Cyber Sanctions Regime? EUISS, Brief 24, July. European Union Institute for Security Studies. At: sanctions.pdf.

NATO (2010) Strategic Concept for the Defence and Security of the Members of the North Atlantic Treaty Organization, 19-20 November. At: assets/pdf/pdf_publications/20120214_strategic-concept-2010-eng.pdf (accessed 3 October 2019).

NATO (2016) Joint Declaration, North Atlantic Treaty Organization, Press Release, 8 July. At: (accessed 25 March 2019).

Norheim-Martinsen, P. (2010) EU Strategic Culture: When the Means Becomes the End. Contemporary Security Policy 32(3): 517-534. 623055.

Norheim-Martinsen, P. (2011) Convergence Towards a European Strategic Culture? A Constructivist Framework for Explaining Changing Norms. European Journal of International Relations 11: 523-554. 10.1177/1354066105057899.

O’Connell, M.E. (2012) Cybersecurity Without Cyber War. Journal of Conflict and Security Law 17(2): 187-209.

Pupillo, L., Griffith, M., Blockmans, S. and Renda, A. (2018) Strengthening the EU’s Cyber Defence Capabilities. CEPS Task Force Report. Brussels: Centre for European Policy Studies. At:

Rehrl, J. (ed.) (2018) Handbook on Cybersecurity: The Common Security and Defence Policy of the European Union. Volume V. Directorate for Security Policy of the Federal Ministry of Defence and Sports of the Republic of Austria.

Robinson, N. (2014) EU Cyber-Defence: A Work in Progress. EUISS, Brief No. 10, March.

Robinson, N., Walczak, A., Brune, S.-C., Esterle, A. and Rodriguez, P. (2013) Stocktaking Study of Military Cyber Defence Capabilities in the European Union (milCyberCAP): Unclassified Summary. Santa Monica, CA: RAND Corporation, Research Report no. RR-286-EDA. At: RR286RAND_RR286.pdf.

Rynning, S. (2003) The European Union: Towards a Strategic Culture? Security Dialogue 34(4): 479-496. At:

Sliwinski K. (2014) Moving Beyond the European Union’s Weakness as a Cyber-Security Agent. Contemporary Security Policy 35(3) (December): 469-486. At: 10.1080/13523260.2014.959261.

Snyder, J.L. (1977) The Soviet Strategic Culture: Implications for Limited Nuclear Options. Santa Monica, CA: Rand Corporation.

Solana, J. (2003) European Security Strategy: A Secure Europe in a Better World. Brussels: European Council. At:

Ventre, D. (2011) Cyberattaque et cyberdéfense. Paris: Lavoisier, Coll. Cyberconflits et Cybercriminalité.
