Written by Stefano De Luca and Tambiama Madiega.
This paper is one of 10 policy responses set out in a new EPRS study which looks first at 15 risks facing the European Union, in the changed context of a world coming out of the coronavirus crisis, but one in which a war is raging just beyond the Union’s borders. The study then looks in greater detail at 10 policy responses available to the EU to address the risks outlined and to strengthen the Union’s resilience to them. It continues a series launched in spring 2020, which sought to identify means to strengthen the European Union’s long-term resilience in the context of recovery from the coronavirus crisis. Read the full study here.
The issue(s) in short: The challenge and the existing gaps
A range of events may affect the functioning of internet infrastructure, including unintentional technical failures, cyber-attacks, physical attacks on the core infrastructure, technology dependency creating backdoors for spying activities, and the rise of internet fragmentation (also called ‘splinternet’).
Resilience against natural disasters and assuring connectivity without disruptions: Global internet connectivity is at risk from climate disasters such as flooding, storms and hurricanes, as these types of extreme weather events are becoming more likely due to climate change. Because of rising sea levels, telecoms conduits in coastal areas might be surrounded by water in the next 10 years. Unintentional severing of submarine cables linked to human activities represents another potential cause of internet disruption. To tackle such unintentional technical failure, global common efforts to fight climate change and to build future-proof connectivity infrastructure should be put in place.
Sophisticated cybersecurity threats by state and non-state actors are on the rise in Europe: According to a recent report, EU countries have seen a sharp increase in cyber-attacks in 2023, probably linked to the conflict in Ukraine; this type of cyber war is targeting critical national infrastructure. There are growing concerns about links between malicious cyber activities and disinformation, which also affects internet users’ trust. There is a global shortage of skilled cybersecurity professionals to help businesses and organisations defend themselves against cyber-attacks – Europe alone is estimated to be short of between 260 000 and 500 000 such workers. Improving EU cybersecurity for large-scale attacks, affordability of the more advanced cybersecurity technologies for telecoms infrastructure (e.g. quantum communication infrastructure) and cyber defence exercises are key to avoiding internet disruptions.
Protecting key connectivity infrastructure from physical attacks: In January 2022, the submarine cable connecting Norway with the Arctic satellite station was mysteriously severed; in May 2023, NATO’s intelligence chief warned that Russia might sabotage submarine cables to punish Western nations for supporting Ukraine; and in October 2022, Russia threatened to shoot down Western satellites helping Ukraine. Building a comprehensive strategy for patrolling strategic submarine cable points with allies, improving the EU’s capability to repair connectivity infrastructure, and creating connectivity redundancy through the presence of alternative infrastructure (e.g. an EU low-earth-orbit ‘LEO’ satellite constellation serving as a back-up to the current European internet) should be further developed to respond to potential challenges.
Limiting dependence on foreign technology in the EU connectivity sector: Most European countries have taken measures to restrict or prohibit the use of high-risk vendors to build national 5G infrastructure. However, positions on banning Chinese equipment (e.g. Huawei and ZTE) in the roll-out of 5G networks on the grounds of significant intelligence and operational risks differ among NATO allies and EU Member States. The future EU satellite system would guarantee fewer dependencies on third-country infrastructure (e.g. Starlink) and provide secure telecommunications so that EU information does not fall under foreign privacy and data management laws. Keeping EU data secure is also related, to some extent, to ownership or control of submarine cables and cloud ecosystems. Various reports have accused China of planning to exploit the construction of submarine cable networks to spy on other countries; the same fear is shared by China, which is reportedly impeding submarine internet cable projects near its borders. Furthermore, the EU cloud ecosystem is now dominated by foreign companies, meaning that the EU will have to accept long-lasting foreign dependency and, thus, lasting risks to its strategic autonomy, with potential concerns for access to EU data. Meanwhile, scrutiny of foreign acquisition of EU strategic assets that might pose a risk to security (EU foreign investment screening mechanism) is increasing, specifically over Chinese investments.
Addressing the risk of internet fragmentation: The vulnerabilities of internet infrastructure increasingly relate to internet fragmentation or splinternet, i.e. the different ways the internet’s technical architecture evolves due to technological, commercial and political factors. A number of recent examples show how the global internet is increasingly morphing into different infospheres. The EU has long argued for greater autonomy in the digital field and the US is also adopting this approach (for instance, a bill has been introduced recently to prohibit the Chinese-based TikTok app from being downloaded on US devices, given security issues) while China, Russia and India are actively seeking to develop their own internet, distinctively different from the rest of the web. China’s support for a ‘cyber sovereignty’ model under which countries should choose their own path of network development and governance model (including the use of technical standards like IPv6) raises many issues with regard to control of the internet. Furthermore, a recent report shows a surge of internet shutdowns due to political factors such as protests or armed conflicts.
Position of the European Parliament
Parliament has repeatedly called for action at EU level to tackle hybrid threats and address possible failures of critical infrastructure, including communications networks. In its landmark resolution on the state of EU cyber defence capabilities – adopted in 2021 – Parliament articulated the need for the EU to address cyber threats in an international context. It stressed that the EU is increasingly involved in hybrid conflicts with geopolitical adversaries that destabilise democracies, and called on all Member States and the EU to show leadership during discussions and initiatives under the auspices of the UN and to take a proactive approach to the establishment of an internationally shared regulatory framework for tackling cyber threats. Parliament also called for increased EU coordination on establishing collective attribution for malicious cyber incidents and urged Member States to implement redundancies into their critical infrastructure systems, such as electricity generation and strategic communications, at all levels. Furthermore, in the context of Russia’s aggression against Ukraine, Parliament highlighted the need for the EU to bolster its own resilience to hybrid attacks and to help improve its allies’ resilience capacities against possible Russian attacks in the areas of defence, cybersecurity and strategic communication.
EU lawmakers have endorsed the quest for technological sovereignty on many occasions. Parliament called on the Commission to develop a strategy to reduce Europe’s dependency on foreign technology in cybersecurity, particularly towards China. Parliament also called for the EU to develop effective strategies in digital policy in order to use technological standards and the open internet to support free spaces and restrict oppressive technologies. Furthermore, Parliament called on the Member States to make sure that public institutions and private companies involved in ensuring the proper functioning of critical infrastructure networks (e.g. telecoms networks) undertake some risk assessments linked to dependence on external suppliers of hardware and software technologies. In a recent resolution, Parliament asked the Council and the Commission to develop an ambitious, binding ICT supply chain security framework and to exclude the use of equipment and software from manufacturers based in high-risk countries, particularly China and Russia.
Finally, in 2009 Parliament adopted a key resolution setting out its view on internet governance. It stressed that, to maintain the internet as a global public good, internet governance should be based on a broad, balanced public-private sector model, should avoid attempts by state or supra-national authorities to control the flow of information on the internet, and should rest on a multi-stakeholder process that provides an effective mechanism for promoting global cooperation. In 2015, Parliament reiterated its commitment to the multi-stakeholder model of internet governance and emphasised the importance of completing the globalisation of the internet’s core functions and organisations.
In focus – Quantum communication infrastructure
Quantum technology is increasingly considered around the world as an emerging, highly strategic technology that could play an important role in safeguarding critical infrastructure and personal data security.
A 2022 Joint Research Centre report stressed how deploying quantum communication infrastructure would strengthen the cybersecurity protection of European telecoms networks as well as the transmission of very sensitive information by using robust cryptography systems.
Among its several goals, Digital Decade, Europe’s overarching digital transformation strategy, envisages Europe ‘being on the cutting edge of quantum capabilities by 2030’. To achieve this goal, the EU is promoting various programmes, including the deployment of a secure quantum communication infrastructure. Such an infrastructure will include a terrestrial segment that relies on fibre networks and a space segment based on satellites.
EU policy responses (Commission and Council responses so far)
Achieving more resilient and future-proof connectivity by 2030: With the Path to the Digital Decade programme, the EU set its Digital Decade targets, including having all EU households covered by a fixed gigabit network (1 Gbps) and all populated areas covered by 5G by 2030. The European Electronic Communications Code (EECC) sets common rules on how electronic communications networks and services are regulated in the EU; the general aim of the EECC is to promote deployment, access to and take up of ‘very-high capacity networks’ (VHCN, e.g. fibre and 5G). Fibre networks seem to be more resilient to natural disasters, and the EU is striving to be the first climate-neutral continent by 2050. With the Broadband Cost Reduction Directive (BCRD), the EU lowered entry barriers and costs related to network deployments by setting out harmonised rules on access to the physical infrastructure of all utilities for the purpose of building broadband networks (ducts, poles, masts, etc.). The ‘Connectivity Toolbox’, a non-binding recommendation agreed by Member States in March 2021, includes 22 best practices to help reduce VHCN network deployment costs. In addition, many funding initiatives are supporting the deployment of broadband networks in rural, remote and other less well-served areas, such as the Connecting Europe Facility (CEF Digital), post-COVID-19 recovery funds and national state aid initiatives. To help achieve the Digital Decade connectivity targets, the Commission proposed a connectivity package in February 2023 including the Gigabit Infrastructure Act (GIA), a draft recommendation to promote gigabit connectivity, and an exploratory consultation on the future of electronic communications infrastructure.
Reinforcing EU capacities to tackle cyber threats: The EU cybersecurity strategy aims to ensure a global and open internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe. In this context, a directive on measures for a high common level of cybersecurity across the Union (NIS 2) has been finalised and the EU Cybersecurity Act has strengthened the role of the EU cybersecurity agency (ENISA) and is promoting a voluntary EU cybersecurity certification scheme for ICT products, services and processes. The EU recently proposed the EU Cyber Resilience Act (CRA), which introduces mandatory cybersecurity requirements for products with digital elements. The quantum infrastructure initiative (EuroQCI) will safeguard sensitive data and critical infrastructure by adding a new layer of encryption and security in the field of telecommunications. As far as cyber defence capabilities are concerned, the EU has approved the Strategic Compass, which, among its actions to strengthen EU security and defence policy by 2030, lays out plans to create an EU hybrid toolbox to coordinate EU and Member State responses to hybrid attacks. The EU also plans to create EU cyber rapid response teams, which would provide tailored national, civilian and military expertise to support the EU and partner countries in countering hybrid threats. The Commission has recently proposed the EU Cyber Solidarity Act to reinforce capacities in the EU to detect, prepare for and respond to the growing cybersecurity threats and attacks across the EU. Finally, to answer the EU’s cybersecurity workforce needs, the Commission adopted the Communication on the Cybersecurity Skills Academy in April 2023.
Reducing EU technology dependency in the field of connectivity: As far as 5G technology dependency is concerned, the Commission published the EU toolbox on 5G cybersecurity, in which it outlined a set of non-binding key actions to ensure the security of the networks, such as limiting dependency on a single supplier (multi-vendor strategy) and assessing the risk profile of supplies. In a 2023 communication, the Commission stressed that Chinese vendors Huawei and ZTE represent a materially higher risk than other 5G suppliers. Therefore, Member States’ decisions to restrict or exclude Huawei and ZTE from 5G networks are justified and compliant with the EU toolbox on 5G cybersecurity, and those suppliers will be progressively phased out from existing connectivity services of the Commission’s sites. The new regulation on the Union secure connectivity programme entered into force in March 2023; building on EU-funded initiatives for the period 2023-2027, the programme will develop an LEO satellite constellation to secure communication and avoid critical dependencies on non-EU infrastructure. The Global Gateway strategy, launched in 2021, also aims to ensure secure and resilient routes of international communication infrastructure, such as the BELLA programme for submarine cables; the EU is planning a Black Sea submarine cable to reduce reliance on Russia. Furthermore, in its 2023 joint communication on an ‘enhanced EU maritime security strategy for evolving maritime threats’, the EU has identified a number of key future actions, including promoting international cooperation on information exchange, and surveillance of critical maritime infrastructure such as submarine cables; and improving the current EU risk assessments on submarine cables and the risks and threats arising from foreign direct investment (FDI) in maritime infrastructure.
Gaia-X aims to create a federated cloud data infrastructure at European level and ensure a secure environment for the data of citizens, businesses and governments. Finally, the EU has implemented a regulation establishing a framework for screening FDI inflows into the EU on grounds of security or public order. To address the risk of the EU increasingly relying on a non-EU domain name system (DNS) resolver to access a webpage and tackle potential internet disruptions due to cyber/technical incidents, the EU would support the deployment of European DNS resolver service infrastructure (DNS4EU) and encourage EU companies, internet service providers and browser vendors to diversify their dependence on foreign DNS resolution services.
Addressing the risk of physical attacks on internet networks: The EU has been taking steps in recent years to better face possible attacks on its communications infrastructure. EU lawmakers adopted the directive on the resilience of critical entities (CER) in December 2022, which aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities in a range of sectors – including digital infrastructure – that provide vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend. The CER directive requires Member States to identify critical entities, perform risk assessments and report any disruptions; it also requires them to increase resilience and conduct regular stress tests, including on submarine cables. Finally, in the multilateral context, in February 2023 NATO announced the creation of a critical undersea infrastructure coordination cell at NATO Headquarters and has established a new NATO-EU taskforce on resilience and critical infrastructure protection working on better understanding threats to critical submarine infrastructure and sharing best practices on cooperation and coordination. Furthermore, the EU is promoting international cooperation on information exchange and the surveillance of critical maritime infrastructure, including submarine cables, in accordance with Council Recommendation 2023/C 20/01 on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure.
Addressing the risk of internet fragmentation: The EU has launched or joined a series of new multilateral and bilateral initiatives to promote an open and global internet. At multilateral level, in the context of the Global Gateway strategy, the EU committed to funding the deployment of third countries’ infrastructures with standards and protocols that support an open, plural and secure internet in line with EU policies. The Commission also works at international level with other global players to shape the development of the internet and means of telecommunication through the global digital compact concept developed under the UN. In this respect, the EU proposes to promote a set of commitments to avoid internet fragmentation. Furthermore, the Group of Seven (G7), to which the EU belongs, committed to cooperating on making visible and tackling the tactics of digital authoritarianism, and to strengthening cooperation in addressing practices such as internet shutdowns. At bilateral level, in the context of the Transatlantic Trade and Technology Council (TTC), the EU and the US have pledged to advance the principles of the Declaration for the Future of the Internet, including fostering a global internet, and oppose the increasingly-used practice of government-imposed internet shutdowns. The EU and the US have created a multi-stakeholder group of technical experts tasked with documenting internet shutdowns and their effects on society; the group will also encourage compatible standards and regulations based on shared democratic values. This approach is expected to reduce the gap between the regulation of platforms that affect the entire internet ecosystem and foster technical and commercial internet fragmentation.
Obstacles to implementation of response
Addressing the investment gap for future-proof and more resilient network infrastructure deployment is key to meeting the Digital Decade 2030 targets and would require large-scale EU public funding. Reports commissioned by large telecom operators estimated that an additional €150 billion of investment is needed for full 5G rollout, while another €150 billion is required to upgrade existing fixed infrastructure and roll out fibre networks to gigabit speeds in Europe. According to a study prepared for the Commission, the latest estimates quantify the investment still needed in network infrastructure to reach the 2030 targets at around €174 billion.
Lack of collective situational awareness of cyber threats through a systematic and comprehensive information sharing system and a common approach to network equipment deployment is an obstacle for the EU, as the security of networks cuts across national and EU competences and affects national security. For instance, the recent report on Member States’ progress in implementing the EU toolbox on 5G cybersecurity stressed how there are still differences in the state of implementation of specific measures between Member States. Furthermore, the report recommended that Member States should implement the non-binding toolbox without delay, considering the importance of the connectivity infrastructure for the digital economy and dependence of many critical services on 5G networks. The Commission also requested ENISA to develop a candidate European cybersecurity certification scheme for 5G networks (EU 5G scheme) under the Cybersecurity Act. However, such schemes are voluntary – unless otherwise specified by EU or Member State regulations – and ENISA will have to encourage and monitor the adoption of shared standards under the Cybersecurity Act.
A challenge to the EU’s critical infrastructure protection efforts is that Member States are reluctant to cooperate. For instance, some Member States have expressed reluctance to share information about their critical infrastructure – particularly submarine cables – and push back on involving the EU in collaborating on this matter. With regard to the investment promises of the Global Gateway strategy, there are uncertainties over whether sufficient funding can be mobilised and it remains to be seen if the approach of bringing together the EU, financial institutions and Member States will deliver.
The EU foreign investment screening mechanism (FDI legal framework) falls short of delegating any veto or enforcement rights to the EU. This means that Member States have the final word on FDI controls, on top of which the absence of screening mechanisms in some Member States diminishes the effectiveness of the EU framework. The Commission is also in the process of evaluating the current framework and will propose its revision before the end of 2023.
The EU lacks a coherent approach to the internet fragmentation phenomenon. While committing to promote the development of an open internet, the EU has increasingly passed measures to better control its digital environment. Achieving ‘technological autonomy’ or ‘digital sovereignty’ – for instance through the development of a sovereign EU cloud, which could imply data localisation in the EU, or platform regulation like the Digital Services Act that imposes more stringent rules on internet intermediaries in the EU than in other jurisdictions – has been seen as fostering fragmentation. The EU lacks an articulated and coherent approach to address the technological, commercial and political factors that contribute to internet fragmentation, while a number of digital files (e.g. DSA, DMA, AI Act, Data Act) – which are currently being implemented or discussed by EU lawmakers – have direct implications for the openness and unity of the internet.
Policy gaps and pathway proposals
Supporting technology migration to fibre networks: There are voices arguing that one way to mitigate disruption of the network linked to natural disasters such as weather events would be to replace copper wiring with more resilient optical fibre cables. The authors of a 2020 study flagged how modern fibre networks are 70-80 % more reliable than copper ones and require less operational maintenance. The study suggested that Member States and the EU might take some action to ease the migration from copper to fibre networks, such as reducing the timeframe for copper decommissioning or intervening on wholesale copper prices. Specifically, the EU could update the relevant EU texts to speed up technology migration (e.g. EECC, 2010 NGA Recommendation, 2013 Costing and Methodologies Recommendation).
Investing in cyber skills capacity: The EU should invest in building the capacity to improve the attribution of cyberattacks and to address incidents. Ensuring appropriate funding for training skilled cybersecurity professionals needed by the sector is key to protecting Europe’s critical infrastructure.
Fostering quantum-based cybersecurity: The European Joint Research Centre report of 2022 stressed how the EU’s investment and research in developing quantum communication infrastructure can play a role in protecting European terrestrial fibre and satellite infrastructure from cyberattacks.
Physical protection of submarine cables: Various authors have presented ideas on how to protect submarine internet cables in Europe. The creation of cable protection zones (e.g. banning certain types of anchoring and fishing) in critical areas within national waters would help to avoid unintentional severing of cables by following the examples set in Australia and New Zealand. In this respect, a European Parliament analysis suggested that Parliament could invite maritime authorities to suggest solutions. A 2022 policy brief by the Atlantic Centre considered investing in submarine cables’ sensors/detection systems on critical points to be a useful tool to detect potential physical threats; Member States should envisage the use of such detection systems as part of licence requirements for landing submarine cables and the EU could sponsor research in this field and make recommendations on the allocation of licences. Finally, following the example of the Australian government, which appears to have concluded that ownership of certain submarine cables is of strategic concern, a European Commission study recommends that the EU create a comprehensive and common approach to support EU-based companies in the development and construction of new secure submarine cable routes. A European review of submarine cable ownership and risk assessment for future submarine cable projects might help in making potential strategic decisions.
Protecting EU strategic infrastructures from cyber threats: The European Court of Auditors (ECA) is worried about divergent policies on 5G suppliers among Member States and has recommended that the Commission assess the potential impact of a Member State building its 5G networks using equipment from a vendor considered to be high risk in another Member State. According to the ECA, such a scenario could impact cross-border security and even the functioning of the EU single market itself. The authors suggested taking a more general vendor-agnostic approach when assessing security of network infrastructure or components (e.g. 5G or submarine cable systems), by implementing technical testing facilities at national level, because poor quality software might also be a greater risk for cyber resilience than ‘backdoors’. In this respect, establishing a compulsory EU-wide certification scheme (and not merely a voluntary one, as is the case today) would be a step forward in ensuring a truly safe environment, especially for 5G networks, and could help establish the EU as a standard-setter in the field of cybersecurity. Similarly, the Commission could take further initiatives to support the comprehensive implementation of the non-binding 5G toolbox in case of lack of action by Member States.
Developing an EU strategy and tools to avoid internet fragmentation: While the ‘Brussels effect’ (i.e. the ability of the EU to export its legal and commercial standards at the global level) could pave the way for convergence of legislation across the world (as for the GDPR), it must be complemented by a strategy to build international alliances, especially in areas where Europe has dependencies and gaps. Against this background, a European Parliament study recommends setting up an EU interinstitutional working group on digital diplomacy including the Parliament, the relevant Commission services (i.e. the Service for Foreign Policy Instruments (FPI), as well as DG INTPA, DG NEAR and DG CNECT) and the European External Action Service (EEAS) to develop a joint action plan on digital diplomacy. The working group would work on the international dimension of digital policy, both to export EU standards and principles and to build alliances around the European model. Furthermore, there should be an impact assessment mechanism to assess if the EU initiatives that may act as factors of divergence are proportionate. This approach would allow the EU to develop a consistent approach towards internet fragmentation.
Supporting a multilateral approach to internet governance: Tackling internet fragmentation will require the EU to strengthen its engagement at multilateral level. Some academics have called for establishing clear norms regarding prohibitions against internet shutdowns and long-term internet controls and creating a multilateral entity responsible for codifying and enforcing this norm. Others argue that a co-regulatory approach to internet platform governance would help to align different legal systems and societal norms. The UN has outlined possible solutions to reinforce the multi-stakeholder governance of the internet and address the risks of internet fragmentation that will be discussed in the 2024 Summit of the Future. Accordingly, it has been proposed that nations commit to avoiding blanket internet shutdowns, take only proportionate, non-discriminatory and targeted measures to control internet content in accordance with international human rights law, and refrain from actions that would disrupt, damage or destroy critical infrastructure that provides services across borders and underpins the general availability and integrity of the internet. In the same way, the different internet governance institutions and initiatives (e.g. ICANN, the Internet Society, the UN) should focus on building norms and principles that can unify the evolving distributed internet governance system. Against this background, the EU could build alliances (multilateral or bilateral) to foster the adoption of international communication standards in line with its principles.