Written by Sofija Voronova and Piotr Bakowski.
|This paper is one of 11 policy responses set out in a new EPRS study which looks first at 15 risks facing the European Union, in the changed context of a world coming out of the coronavirus crisis, but one in which a war has been launched just outside the Union’s borders. The study then looks in greater detail at 11 policy responses the EU could take to address the risks outlined and to strengthen the Union’s resilience to them. It continues a series launched in spring 2020, which sought to identify means to strengthen the European Union’s long-term resilience in the context of recovery from the coronavirus crisis. Read the full study here.|
The issue in short: The challenge and the existing gaps
In a rapidly changing and increasingly interconnected world, the EU security landscape has become very complex and unpredictable. When commenting on the adoption of the July 2020 EU security union strategy, Commission Vice-President Margaritis Schinas described security as a cross-cutting issue, pointing to the ‘the false dichotomy between online and offline, between digital and physical and between internal and external security concerns and threats’.
Some of these threats are indeed of an external nature and their manifold impact on the bloc’s stability calls the distinction between internal and external security into question. The crisis at the EU’s eastern borders is one illustration of such a ‘hybrid threat‘, with the Belarussian regime seeking to destabilise the EU by instrumentalising migration flows and playing on the related insecurities of EU citizens. The current war in Ukraine is likely to have a major impact on the EU, extending well beyond the military and foreign relations spheres. Possible implications for internal security are already illustrated by reported attempts at trafficking for sexual exploitation, targeting persons fleeing Ukraine (mostly women and children), as well as cases of online fraud and cyber-attacks on critical infrastructure. They also include the risk of large-scale diversion of firearms, not least given Ukraine’s key role in the global arms trade, one that has only increased in recent years. Moreover, there is a possibility of criminals making use of the situation at the EU border with Ukraine to enter the EU territory using false identity documents.
Another set of security challenges relates to societies’ growing reliance on digital technologies and the internet. This ‘online dependency’ has raised the stakes regarding the potential impact of cyber incidents, in particular large-scale attacks targeting critical infrastructure and possibly leading to the disruption of essential services. While artificial intelligence (AI) can be used to tackle these threats, it is a double-edged sword as it can also be exploited for malicious ends. The proliferation of cybercrime and difficulties obtaining electronic evidence stored in foreign jurisdictions call for the modernisation of law enforcement and efforts to seek solutions at EU and international levels so that the work of crime-fighting authorities is not impeded by territorial boundaries.
The Covid-19 pandemic has impacted on the EU’s internal security in various ways. While many activities, such as working and schooling, moved online, so did criminal syndicates. According to Europol, the number of malware and ransomware attacks has surged, as has the availability of (mostly self-produced) child sexual abuse material. Moreover, extremist narratives and disinformation spread online may have fallen on fertile ground in the times of pandemic-related insecurity, potentially leading to further polarisation and radicalisation towards violent extremism.
The EU has gradually increased its capabilities in the field of internal security, developing an arsenal of bodies and instruments to address security threats, within the strict boundaries set by the EU Treaties. Nevertheless, issues remain regarding the extent of information sharing between Member States’ authorities and the use they make of EU judicial and police cooperation tools and agencies. As for the external aspects, while the as yet slow development of the common security and defence policy (CSDP) may present a range of obstacles to effective EU action, the Ukraine crisis seems to be providing impetus to overcome them.
Existing policy responses
Whereas security is primarily within Member States’ remit, according to Article 67(3) of the Treaty on the Functioning of the EU (TFEU), ‘the Union shall endeavour to ensure a high level of security’ through a variety of measures. In this vein, the EU has developed the ‘security union’ concept, based on the idea that the EU and its Member States need to shift from cooperating to protect the national security of each of them to protecting the collective security of the Union as a whole.
The new security union strategy, adopted in July 2020, adopts an integrated approach, aimed at ensuring security in both the physical and digital environments and takes into account the interconnection between internal and external security. The strategy sets four main priorities: achieving a future-proof security environment, tackling evolving threats, protecting Europeans from terrorism and organised crime, and building a strong European security ecosystem.
A future-proof security environment. Whereas cybersecurity is a prerogative of the Member States, over the years the EU has developed a complex and multi-layered cyber ecosystem, spanning an array of policy areas, both internal (justice and home affairs, digital single market) and external (diplomacy and defence). Under the new EU cybersecurity strategy, the Commission put forward legislative proposals to update the network and information security directive (NIS2) and the rules on critical infrastructure protection, to enhance, respectively, the cyber and physical resilience of critical entities and networks. It also intends to propose an EU Cyber Resilience Act in 2022. Work has started on setting up an EU joint cyber unit – a platform for operational cooperation, bringing together civilian, diplomatic, law enforcement and defence actors. Under its external action, the EU will continue to use its cyber sanctions regime, as part of its cyber diplomacy toolbox. A Member States’ EU cyber intelligence working group is also planned.
Tackling evolving threats. Faced with hybrid threats that are unprecedented, in both scale and diversity, the EU set out its approach to counter hybrid threats in the 2016 joint framework and the 2018 joint communication on bolstering hybrid resilience. The 2020 security strategy announced a new EU approach based on mainstreaming hybrid threat considerations into all policy initiatives. Commission is also aiming to develop situational awareness, with the EU Hybrid Fusion Cell at the EU Intelligence and Situation Centre (EU INTCEN) being the focal point for hybrid threat assessments. Another important objective is to modernise EU law enforcement, enhancing its capacity to conduct digital investigations and to use adequate tools, including electronic evidence, AI and big data analytics. The proposed EU e-evidence framework would allow competent authorities to request electronic data needed for investigation and prosecution directly from service providers, while the future EU AI act should regulate the use of AI in law enforcement, classified as ‘high risk’. In 2022, the Commission is also intending to suggest a way forward for lawful and targeted access to encrypted information in criminal justice.
Protecting Europeans from terrorism and organised crime. Tackling the terrorism threat has long been and remains a priority, as illustrated by the adoption of the new EU counter-terrorism agenda in December 2020. The main EU instrument in this area is the Combating Terrorism Directive, which harmonised definitions and sanctions for terrorist offences across the EU. The EU has also taken initiatives to prevent violent extremism, especially online, such as the regulation on dissemination of terrorist content online, to apply as of 7 June 2022, or the recent proposal to add hate crime and hate speech to the list of serious crimes with a cross-border dimension under Article 83(1).
The EU has continued to reinforce its framework for combating money laundering (AML) and terrorist financing (CFT), with an ambitious AML/CFT package presented in July 2021. The package provides for the establishment of a new EU authority: a decentralised EU regulatory agency to be in charge of AML/CFT supervision and supporting EU financial intelligence units (FIUs). The package also includes measures on crypto-assets, extending to such assets the obligation to report suspicious transactions and introducing a ban on anonymous crypto-wallets.
In order to prevent terrorists and criminals from easily acquiring firearms or reactivating de-activated weapons, the directive on the control of the acquisition and possession of weapons started to apply from 2018, accompanied by an implementing regulation on deactivation standards. The new 2020-2025 action plan on firearms trafficking aims to address the ‘remaining legal loopholes and inconsistencies in firearms controls that hinder police cooperation’ and to step up international cooperation, focusing on south-east Europe (western Balkans, Ukraine and Moldova).
A number of recent initiatives address other specific forms of crime. They include strategies and action plans against trafficking in human beings, drugs, organised crime and child sexual abuse online. A renewed action plan on migrant smuggling develops, for instance, an EU response to the instrumentalisation of irregular migration by State actors. As to human trafficking, the Commission is conducting an evaluation of the 2011 EU Anti-Trafficking Directive with a view to its possible review. Regarding the EU’s preparedness and response to public health-related risks, such as chemical, biological, radiological and nuclear (CBRN) threats, the Commission is building up strategic reserves of response capacities through the EU Civil Protection Mechanism.
A strong European security ecosystem. In a Europe with no internal borders, information sharing and data exchange between national authorities is of the utmost importance, in order to address complex cross-border threats. In December 2021, the Commission presented a police cooperation package, with proposals on information exchange between law enforcement authorities, on automated data exchange under a renewed Prüm framework, and on operational police cooperation. It complements and updates the already existing information exchange architecture, supporting border management and law enforcement cooperation and comprising a growing number of EU information systems, which rely increasingly on AI technologies. New legislation adopted in 2019 established interoperability rules between these systems, with technical solutions to be put in place by 2023 and to be managed by the eu-LISA. An important development was the decision to expand Frontex (transformed into a European Border and Coast Guard Agency) to include a standing corps of up to 10 000 operational staff by 2027. Improving management of the EU external borders (including in cases of health crises or hybrid attacks) is also one of the objectives of the ongoing Schengen reform.
The EU has continuously built on its institutional architecture, reinforcing the role of its agencies in the area of security and justice. In February 2022, the co-legislators agreed to strengthen Europol’s mandate, empowering the agency to cooperate more effectively with private parties, conclude international agreements, conduct research and innovation activities, and process big data sets. The Commission also made proposals on modernising the Eurojust case management system and on upgrading its Judicial Counter-Terrorism Register. It also took an initiative to extend the mandate of the newly created European Public Prosecutor Office (EPPO) to terrorism.
National level initiatives
The EU recognises the fact that in some areas, national, regional and local authorities may be best placed to address security threats. Radicalisation towards violent extremism and terrorism is one such area where the EU role has been limited to supporting the activities of various stakeholders, providing funding for research and collecting and disseminating best practices. This includes the activities of the Radicalisation Awareness Network (RAN), connecting frontline practitioners from across Europe with one another, as well as with academics and policymakers. The protection of public spaces is also mostly in hands of non-EU level actors, with the EU setting up forums for the systematic exchange of information, publishing guidance and providing funding. Regarding EU security-related funding, in the 2021-2027 multiannual financial framework (MFF), for the first time, a separate Heading 5 is dedicated to security and defence. The Internal Security Fund (ISF), allocated € 1.93 billion (current prices), is the main instrument aimed at ensuring EU internal security, by tackling terrorism and radicalisation, serious and organised crime and cybercrime.
EU action with external partners/international organisations
The transnational nature of many threats to EU internal security underscores the need for international cooperation. This could take form of international agreements between the EU and third countries and international organisations, as well as of agreements or working arrangements between EU agencies and their foreign partners. The 2001 operational agreement between Europol and the Interpol – allowing for the transfer of personal data – is one example of the latter. In April 2021, the Commission published a recommendation for a Council decision authorising the negotiations for a cooperation agreement between the EU and Interpol. The agreement, currently under negotiation, would be broader in scope and cover also other EU agencies, such as Eurojust, EPPO and Frontex. One of the principal benefits sought is the access of EU bodies to the whole range of Interpol’s databases.
Cross-border access to electronic evidence in criminal matters is an area regulated by a web of international agreements. The EU has been seeking to assert its role as a rule setter in this field: in parallel with the 2018 ‘e-evidence’ proposals, the Commission, on behalf of the EU, entered into negotiations on an agreement with the United States, where the largest service providers are based, and on the Second Additional Protocol to the Council of Europe Convention on Cybercrime (known as the ‘Budapest Convention’), devoted specifically to enhanced co-operation and disclosure of electronic evidence . Direct cooperation between foreign authorities and service providers is among the issues covered by these initiatives. As for the Protocol, the negotiations have been concluded and it is set to be open for signature in May 2022.
In 2019, the United Nations (UN) passed a resolution, introduced by the Russian Federation, with a proposal meant to serve as the baseline for developing a UN convention on cybercrime. The proposal largely extends the catalogue of cyber offences while making no reference to the protection of human rights and liberties (such as freedom of expression), thus raising issues with the UN members’ obligations under the existing treaties, such as the Budapest Convention. It has been strongly opposed by the EU.
Regarding hybrid threats, and cybersecurity in particular, since the Warsaw Joint Declaration of 2016, the EU has enhanced its cooperation with NATO and its agencies and related bodies (such as the Helsinki-based European Centre of Excellence for Countering Hybrid Threats). Countering hybrid threats and expanding coordination on cyber-security and defence are two of the seven areas for enhanced cooperation decided at the time. Exchanges of information and assessments, joint training and reciprocal participation in cyber-exercises are among ongoing activities in the cyber realm.
Obstacles to implementation
When the ‘security union’ concept emerged in 2016, some commentators called into question the achievability of such an ambition, pointing to the diversity and fragmentation of the ‘insecurity landscape’ among the Member States. One of the aims stated by the Commission was to close the gaps in cooperation and bring about a culture change, where information exchange is guided by the principle of the ‘need to share’ instead of the ‘need to know’. EPRS reports on the cost of non-Europe in the area of freedom, security and justice do indeed point to a lack of information-sharing among various EU and national information systems, and to the limited use made of the (analytical) support and coordination possibilities provided by EU agencies. The report on the fight against terrorism highlights the need for more and better impact assessments and evaluations of EU measures taken so far, as regards their effectiveness, efficiency and fundamental rights compliance.
While there is a wealth of EU instruments in the field of internal security, they are not always used to their full potential. The framework for police cooperation is fragmented and characterised by the coexistence of cooperation agreements between Member States with a range of EU instruments, such as the ‘Prüm Decisions‘ (currently under review). One consequence is uncertainty as to which rules national police should follow when intervening in another Member State. While information exchange between police forces has improved, Member States’ security and intelligence services are reluctant to cooperate through EU channels.
Similarly, in the area of cybersecurity, a 2019 EU Court of Auditors (ECA) report pointed to the fragmentation and complexity of the EU cybersecurity ecosystem. According to the ECA, there is a lack of measurable objectives, outcomes of EU action are rarely measured, and few policy areas have been evaluated. Among the challenges, the ECA points to the need to shift towards a performance culture with embedded evaluation practices and to develop a rapid detection and response capacity.
Another obstacle that can hinder the transposition of EU measures into national laws is the difference between national legal orders in general, and criminal laws in particular. For example, the recent evaluation of the Counter-Terrorism Directive showed that in some Member States challenges arose around classifying some types of conduct, e.g. violent extreme right-wing acts, as acts of terrorism.
Evaluations of the efficiency and effectiveness of the EU security-related measures have long been scarce. In 2017, the Commission issued a first comprehensive assessment of EU security policy. It concluded that EU intervention in this area has been relevant and appropriate. It stressed however the need for proper implementation of different instruments to ensure their effectiveness, as well as the necessity to update existing tools, adapting them to evolving threats. In 2020, Commission followed-up with a report taking stock of the implementation of internal security policies between 2017 and 2020, which points to a significant increase in the number of evaluations and reports conducted in this area and their positive impact on adapting the policy and legislative framework.
The ultimate challenge for EU security policy pertains to its very foundations, as it is supposed to be grounded in common European values, such as democracy, the rule of law and fundamental rights (including data protection). Many security-related instruments at both national and EU levels have been criticised for not respecting these values.
Policy proposals by experts and stakeholders
Given the primary role of decentralised agencies in EU internal security, many of the suggestions offered by experts and stakeholders focus on their desired evolution. For example, to address the problem of prosecutors and police having differing powers across the EU – which hampers their cooperation in the framework of Eurojust and Europol respectively – it has been proposed that the two agencies should be merged into a single EU criminal justice cooperation body. Less radical ideas for strengthening the links between them include relocating Europol and Eurojust to a single building, connecting them with a common IT system and creating a single data protection regime for these bodies.
Although Europol’s mandate is set to be further strengthened by the ongoing reform, the possibility of turning the agency into an FBI-type body, alluded to by the European Parliament in 2017, is not among options considered under the current negotiations. However, the idea has been repeatedly floated by political leaders and parties and the subject of academic debate. Such a development would entail granting the agency executive powers, such as to conduct its own investigations and make arrests, precluded though by the current legal framework (Article 88(3) TFEU provides for a supportive rule for Europol and stipulates that the ‘application of coercive measures shall be the exclusive responsibility of the competent national authorities’).
Likewise, calls have been made to form a ‘European intelligence agency’, with the academic world divided, however, on the issue of the feasibility of such a move and the best way forward for the EU to improve its intelligence capabilities. One author presented the idea of developing intelligence cells serving the president of the Council and the president of the Commission, rather than one central agency. Enhancing cooperation among existing European bodies is a less radical recommendation: a ‘transnational committee of politicians and security experts’ could be set up to analyse the necessary procedural and organisational changes.
Specific improvements have been proposed regarding cooperation between police and security and intelligence services. As first step, liaison officers could be seconded by Europol to the Counter-Terrorism Group (CTG) and vice versa. If successful, cooperation could then develop along the lines of the German Joint Counter-Terrorism Centre (GTAZ): Europol and the CTG would jointly recommend measures on persons of interest to national security and intelligence services whose refusal to act on such recommendations would need to be justified.
In the area of common foreign and security policy (CFSP), in 2018, before the process leading to the adoption of the Strategic Compass was launched, there was a suggestion to make use of enhanced cooperation under Article 329(2). The participating Member States would commit to a division of labour between their respective intelligence services that would work on jointly agreed thematic and regional priorities. A European circle of intelligence analysis would thus be set up whereby the planning and prioritisation of intelligence resources would be coordinated at EU level, the collection and initial processing of raw intelligence would remain at national level, and the EU-SIAC would provide the final evaluation, leading to the dissemination of intelligence reports to decision-makers and feeding into the next cycle. In parallel, political forums could be strengthened to streamline the use of intelligence by policy-makers (e.g. a European Security Council could be established, as proposed by former German Chancellor Angela Merkel).
Position of the European Parliament
In its 2020 resolution on the EU security union, the Parliament welcomed the new strategy, while emphasising the need to fully implement and evaluate existing EU legislation in this area, such as the interoperability of EU information systems. It also called for proper funding and staffing of EU agencies and bodies in the field of justice and home affairs (JHA) and reiterated its calls for the assessment of a potential extension of the European Public Prosecutor’s Office’s (EPPO) mandate, once it was fully operational.
In its 2018 resolution setting out the recommendations of the Special Committee on Terrorism, Parliament had already advocated strengthening the specialised EU agencies and services and providing them with adequate means, as well as expanding EPPO powers to tackle terrorism and organised crime. On this occasion, Parliament also urged the Member States and EU institutions to work towards a common strategic culture, and called for efforts to step up international cooperation. It also called for the setting up of an EU joint intelligence academy, with common standards, in order to combine resources and develop synergies, trust and a common intelligence culture.
In 2017, the Parliament made several proposals to further consolidate the EU’s institutional framework in the JHA area. One possibility would be to provide Europol and Eurojust with genuine investigation and prosecution competences and capabilities, possibly by transforming them into a genuine European Bureau of Investigation and Counter-Terrorism, with due parliamentary scrutiny. Another would be to establish a European investigation and intelligence capacity within Europol, under the control of the judiciary. In this context, Parliament recommended making security a shared competence, considering that security would be better ensured if it were not an exclusive competence of the Member States. The Parliament also proposed to set up a European Intelligence Office to support the EU’s common foreign and security policy (CFSP).
The 2021 resolutions on AI in criminal law and the EU’s cybersecurity strategy attest to Parliament’s attentiveness to the evolution of threats and challenges linked to technological progress and digital transformation, including those of a ‘hybrid’ nature. In this context, in its 2022 resolution on foreign interference, Parliament called on the EU institutions to further develop and boost the important work of structures such as EU INTCEN and Hybrid Fusion Cell, among others, and welcomed the establishment of the EU cyber intelligence working group within EU INTCEN with a view to advancing strategic intelligence cooperation. Parliament also recommended the creation of a joint cyber unit, to close the information sharing gap and enable full use to be made of existing structures, resources and capabilities, in order to protect the EU from serious cross-border cyberattacks.
|In focus: Intelligence cooperation in the European Union|
Under Article 4(2) TEU, ‘national security’ – and thus intelligence activities – remains the sole responsibility of the EU Member States. Article 73 TFEU leaves it to them to organise ‘such forms of cooperation and coordination between the national security services that they deem appropriate’.
Until now, EU Member States have not gone far in sharing or pooling intelligence at EU level. National intelligence and security services have traditionally favoured (mostly bilateral) informal exchanges through other channels. These include the ‘Club de Berne’, composed of the heads of security services of the EU Member States, Norway and Switzerland, and the Counter-Terrorism Group (CTG). The CTG also acts as the interface between the Club de Berne and the EU, as illustrated by its cooperation with Europol.
There are currently three intelligence bodies within the EU structure: the EU Intelligence and Situation Centre (EU INTCEN), the EU Military Staff Intelligence Directorate (EUMS INT) – both forming the Single Intelligence Analysis Capacity (SIAC), which combines civilian and military intelligence – and the EU Satellite Centre (SatCen). INTCEN, a directorate within the European External Action Service, produces strategic analysis based on information provided on a voluntary basis by national intelligence and security services, diplomatic reporting, etc. Having no operational capabilities, INTCEN does not generate its own intelligence, with SatCen being the only EU body to do so, based on commercially available satellite images. Europol is yet another EU body dealing with intelligence and its growing role in counterterrorism could translate into more EU-facilitated intelligence sharing between police and secret services. However, the agency’s activities in this respect have met with mistrust and ‘bureaucratic resistance’ by the latter.
In her 2021 State of the Union address, President von der Leyen proposed to improve the EU’s ‘situational awareness’ as the foundation for collective decision-making, by setting up a ‘Joint Situational Awareness Centre’. The discussions on this idea were undertaken in the context of the EU Strategic Compass for the CSDP, adopted in March 2022. The Compass includes plans to boost the EU’s intelligence capacities, e.g. SIAC and SatCen, to enhance situational awareness and strategic foresight. At least once every three years, the SIAC is supposed to review – in concert with Member States’ intelligence services – the ‘EU threat analysis‘, i.e. a classified report providing a ‘comprehensive, 360-degree’ analysis of the full range of threats and challenges faced by the EU.