Fresh EU legislation to centralise the bloc’s cybersecurity response has been lambasted by industry experts with 24 out of 27 EU member states lobbying to have the proposals stalled due to national security concerns.
Brussels is trying to plug a perceived gap in Europe’s cyber defences brought into focus by the Ukrainian war, and at the same time clarify the EU’s exact role in preparation for cyberwarfare relative to individual member states.
The Cyber Solidarity Act was proposed by the EU Commission last month and agreed to designate €1.1 billion to cybersecurity defences through public-private partnerships. The involvement of the private sector is a specific cause for concern for national governments.
The moves to harmonise cybersecurity protocols parallel wider attempts by Brussels to militarise in response to the crisis in the East, but critics are warning that the EU is unsuited to manage defence policy for all its 27 member states.
The Act envisages greater cross-border cooperation and the creation of regional cybersecurity hubs that would be active from 2024. Currently, NATO and member states set most of the cybersecurity policies, with the European Parliament beefing up their cybersecurity standards in March.
EU institutions have already come under attack from what is believed to be Russian hackers. This has raised concerns that Brussels is unprepared to take up cybersecurity duties for the entire union.
There has been confusion about the EU’s cyber defence protocols in recent months. Both the European Commission and the EU’s foreign service wing, the EEAS, have established competing cyber intelligence divisions.
An exposé by the Financial Times revealed disunity among member states recently. According to the newspaper, all but three member states object to plans to centralise cybersecurity responsibilities under the Cyber Solidarity Act.
According to leaked documents, national governments fear that they will be deprived of their ability to manage national security under the terms of the new cybersecurity legislation. Member states also expressed dismay over the role of private companies in the management of sensitive data. EU states are anxious to guard state secrets from rival governments, which means the collaboration on cybersecurity is a cause for concern among national intelligence agencies due to the potential for abuse.
These concerns were echoed by Dr. Norman Lewis, a technology expert and visiting fellow at the think tank MCC Brussels, who says that the Cybersecurity Solidarity Act illustrates the tensions between EU and national governments:
Indeed, even countries usually trigger-happy about integration have recognised that this goes too far … Given how important cyber security is, and will be, for nation-states, tensions are bound to be exposed between the desire by EU elites to wield power in this area and nations concerned with their security.
Dr. Lewis criticised the EU’s tendency to strangle tech innovation at a recent event hosted by The European Conservative in March.
Late to the game when it comes to setting defence policy, Brussels is an unwelcome intrusion for member states jealously guarding control over national security. Likely to get bogged down in internal wrangling and bureaucracy, the EU Cyber Solidarity Act is a token effort for Brussels to maintain its place in the big leagues after a year of being sidestepped by NATO and member states in the course of the war in Ukraine.
