Cybersecurity in the EU Common Security and Defence Policy (CSDP)

Written by Zsolt G. Pataki with Victoria M. Joseph


Cybersecurity is an oft-used term today, and many seem familiar with its meaning. However, it is unclear where the responsibility for policy-making on cybersecurity and cyberdefence actually lies. While national security is sometimes accountable, the cyber domain does not confine itself to operating within traditional national borders, limiting the impact of legislation at national level.

With the cyberattacks that infiltrated many private and public networks across the world in May 2017, including the national healthcare system in the United Kingdom, it became clearer than ever that international cooperation against cyberthreats is the best solution. The 2007 cyberattack on the Estonian public and private infrastructure established new dimensions in the use of IT assets and networks. The event triggered a series of discussions, decisions, agreements and actions, both at the EU and international levels, on the use of IT. In February 2013, the European Union published its cybersecurity strategy, to protect the EU’s core values in the digital, as well as the physical, world. The EU also laid out five strategic priorities to address cyberthreats, including the development of a cyberdefence policy and capabilities relating to the Common Security and Defence Policy (CSDP).

At the request of the European Parliament’s SEDE Subcommittee, STOA launched a project in 2016 to identify cyber risks, as well as challenges and opportunities for cyberdefence in the context of the CSDP. The study was carried out by the European Union Agency for Network and Information Security (ENISA) and revolves around three thematic areas, namely: policies; capacity building; and the integration of cyber in CSDP missions, with the latter being the main focus of the study. The study also provides key policy options for the future.

The authors of the study take into consideration the possible necessity for wider cooperation, and an extension beyond the CSDP, on cybersecurity issues. This is because cybersecurity goes beyond technical capabilities and infrastructures. It involves human beings, social behaviours, the rule of law, and a harmonised vision from all cyberstakeholders at both EU and Member State levels. Building trust among the stakeholders is one of the top priorities.

The study identifies five key policy options for consideration on this issue:

  1. Maintain coherent cyberpolicies and strategies at the EU level: All EU-level cyberstakeholders (bodies, institutions, agencies) should coordinate and plan current and future capacity-building by taking CSDP considerations into account. Coherence is a major challenge for EU policies on cybersecurity.
  2. Promote cyberculture: An overwhelming percentage of successful cyberattacks are due to the human factor, rather than technical issues. Promoting a responsible cyberculture should receive a higher priority in Europe’s efforts to achieve a safer cyberspace, including the CSDP. Another key element concerning the maturity of cybersecurity is trust. The authors propose fostering as many trust-building activities between stakeholders as possible, from events, workshops and exercises to partnerships and common projects.
  3. Develop cyberskills: As cyberthreats grow more sophisticated, cyberdefences need to be adopted and updated continuously, which requires personnel with up-to-date skills to handle increasingly sophisticated cyberchallenges. The development of cyberskills should be a continuous process integrated with operational training.
  4. Enhance legal and regulatory frameworks: The legal aspect of cybersecurity is lagging behind in areas of international cooperation between states, and between states and the private sector.
  5. Develop standards, organisations and capabilities: Build common standards (especially on ICT) and clear organisational structures spanning all levels of the CSDP, and support the development of cybercapabilities within the EU and its Member States. The authors propose that a new cybertaxonomy could be adopted across the EU.

Within the study, each of these five options is further broken down into specific policy options for the political/strategic, operational and tactical/technical layers. Further to these options, the study identifies some additional factors that should be considered, especially for the protection of military and civilian missions, personnel and infrastructure. These include the recommendation to tighten cyberdefence organisation; ICT standardisation; closer cooperation with the private sector within the CSDP context; and building greater alliances with international partners to help coordinate efforts for a safer cyberspace.

The study was widely discussed by experts and MEPs after a presentation to the SEDE Subcommittee meeting on 22 March 2017, and to the STOA Panel on 6 April 2017.

To keep up-to-date with this project and other STOA activities, follow our website, the EPRS blog, Twitter, and Think Tank website.
