Digital Innovation Summit Bucharest 2025 | European cooperation on cyberdefence
European Union Policy
Since the beginning of the war in Ukraine, European authorities have become increasingly aware of the growing threats to our Union. NATO says we are between peace and war. In this twilight zone, hybrid attacks occur often. Sometimes physical attacks, but numerous cyber-attacks take place every single day on our continent. These attacks target the armed forces, but also governments, critical infrastructure and numerous companies. You all know that.
In response, the new European Commission developed an unprecedented programme now called Readiness 2030. On 19 March they announced a proposal to raise 650 billion euro in member state bonds and 150 billion euro in European loans. The latter is a proposed regulation for the Security Action For Europe - SAFE plan. All that money is intended to be used to improve defence related capabilities based on the white paper published on the same day by the new High Representative Kaja Kallas, and the new Commissioner for Defence and Space, Andrius Kubilius.
On cyberdefence, the white paper focusses on the growing threat from state actors. These hybrid threats often target Defence systems, but certainly also critical infrastructure and other parts of the economy.
To this end the white paper mentions that both defensive and offensive cyber capabilities are needed to ensure our protection and freedom in cyberspace. Innovation is key to achieve this goal and will be supported by European Union funds as well as the European Investment Bank.
Remarks and recommendations to these plans
The Commission proposes to develop cyber defence capabilities together with Member States. In my view we should step away from Member States as main actors and develop capabilities together as European Union. That would be much more effective and allow the use of all collective knowledge available in the Union.
As Eurodefense network, we have proposed to change the policies for contracting Defence and security industry. Technology development should be concentrated in only a few technology clusters throughout Europe. Three or four for each technology area to ensure competition and resilience. Not 26 Member States developing the same.
Romania is a highly respected Member State when it comes to cyber. These capabilities could further grow to a recognised European cyber technology cluster in your nation. In terms of the requirements for the SAFE plan, Romania could join forces with another Member State to propose a significant innovation plan for cyber security using these funds. Estonia could be a good candidate as this Member State is particularly active in IT and cyber.
Legal and technological recommendations
What is lacking, in my view, in current plans is an intention to investigate the sources of cyberattacks much better. Too often we just don’t know if an attack is carried out by a criminal or state actor. And we know with even less certainty which state actor it is. As European Union we could focus on sharing knowledge and increase research activities to better determine the source, intentions and capabilities of an attacker. That would better allow us to counter these attacks, also on other levels of policy and diplomacy.
On the legal side, Member State policies for classification levels and requirements vary throughout the European Union. That limits effective development of technology as it is not possible to adhere to all requirements simultaneously. Therefore, innovation should go hand in hand with development of European standards, in a way that cyber capabilities and protection could be sold, purchased and used throughout the European Union.
For more effective prevention, it seems useful to use as much open source software as possible. Artificial intelligence will be increasingly capable of finding potentially malicious code and other vulnerabilities in these open systems. This is much needed, as adversaries will also use artificial intelligence to target our systems more effectively.
Another line of defence could be to make penetration testing compulsory and certifiable for organisations and companies in defence and critical infrastructure. This would contribute to resilience, at least against known threats.
Looking at cyberdefence for critical infrastructure from another angle we see that security authorities try to cover all potential risks. That is important, but it often makes life miserable for anyone involved as they cannot use modern technology available to anyone else. Too much security is crippling.
Last week we could see this causes even the highest ranking authorities in the United States to use the free messaging system Signal for highly sensitive information exchange. When they do that, who does not!
The lesson from this incident is that the secure systems available for sensitive information exchange and storage are way too rigid and inflexible for practical use. In Europe we should do better and develop advanced and user friendly technologies for this purpose. When banks can do so and protect our money, that should be possible for governments and their suppliers too.
Follow up
During the coming months, the European Commission will develop a roadmap for cyber defence. In my view it is important to share the results of conferences like today with the Commission to develop this roadmap. The national government or associations like Eurodefense could act as a conduit for this.
Picture: Palace of the Parliament, Bucharest by Jorge Franganillo, CC BY 2.0