Over the past few months, the EU institutions have moved at face pace to launch legal acts essential for building the resilience of critical infrastructure in Europe. These primarily include legislative acts such as the Cyber Resilience Act (CRA), which introduces cybersecurity requirements for all products connected to other devices and networks – it is the basic security for the Internet of Things (IoT) in the single market. The reform of the Network and Information Security Directive (NIS-2) has already been negotiated between the Council and Parliament and is expected to be adopted by the end of the year. Here, the scope of addressees for the implementation of minimum standards and reporting obligations of infrastructure operators has been significantly expanded. The legislative initiatives are essential building blocks for securing the digital single market. These policies are financially underpinned by generously endowed "Digital Europe" and "Horizon 2030" budgets. But that's not all - the cybersecurity of the single market forms the basic protection for EU cyber defense: Given the Strategic Compass, the Council conclusions on the elaboration of an EU cyber posture, now presented in November by the COM Communication on Cyber Defense, the spill-over effects from sectoral to hard security of Europe are unmistakable.
Far-reaching and rapid EU measures, which were hardly enforceable before Russia's war of aggression against Ukraine, have been launched at a brisk pace in recent months. Whether they can be understood as major steps toward cyber defense, however, remains to be seen. After all, the pooling of information on the threat situation in the cyber and information space at EU level – whether in the EU Intelligence and Situation Center (EU-INTCEN) or in the EU Cyber Joint Unit – must be flanked by concrete national legislation in the coming months so that the EU can also effectively implement its new task in cyber defense.
National parliaments need to act
To ensure that the EU can continue to fulfill this task in the future, national parliaments must grant competencies for active cyber defense to national and indirectly to European security authorities. The acute threat to essential infrastructures and value-added processes in the single market increases the time pressure for regulation. Transfers of competencies from the national level to the EU level are long overdue in cyber defense.
It should not be easier to implement the numerous initiatives to build up cyber defense since 2018 in the Permanent Structured Cooperation (PESCO) and coordinated via the European Defense Agency more quickly and seriously than before. In view of the threat situation in Europe, there is no more time for tough, lengthy coordination processes. The member states and the EU Commission are called upon to promptly establish proposals for competence clusters and consortia within the framework of a private-public partnership, the funds of which will ultimately also meet the requirements of the European Court of Auditors. After all, the funding provided through the European Defense Fund and the Peace Facility cannot flow until there are digital and technological innovations worth supporting with EU money.
Time pressure requires certification of PPP in cyber defense
The resources (personnel, finances and expertise) of state security agencies are are under significant strain due to their role in independently maintaining problem-adequate cybersecurity measures - to the benefit of Europe's cybersecurity as a whole. However, they remain an important building block. Despite the high pressure from the threat situation in Europe to be able to act quickly and effectively, the necessary involvement of private expertise to avert danger must urgently be reconciled with democratic and constitutional requirements. This is the only way to overcome the mistrust in national arenas about a transfer of competence to the EU level.
A fast pace implementation of the steps outlined by the EU Communication is necessary in view of the current threat situation in cyberspace. The solidarity clause set out in Art. 222 can provide momentum for this . To activate it, the disclosure of threat situations in the 27 member states is needed, which in turn requires the lived solidarity of Europeans through the empowerment of the EU institutions. While the urgency to act has recently been established, the ball is now also in the court of national parliaments to enable the transfer of competenciesnecessary to give the EU, not only political responsibility to solve the problem, but also the legal basis to act accordingly. t. At the very least, the EU has put down important stakes for Europe's cyber defense, creating important preconditions for the worst-case scenario. The member states must now follow suit legislatively and create the legal prerequisites domestically.