EU member states have opened up to the Commission’s proposal for a Joint Cyber Unit while remaining cautious to avoid overlap with existing initiatives.
In June, the European Commission proposed the establishment of a cooperation platform to pool expertise from national governments and facilitate member state information sharing.
At the time, internal market Commissioner Thierry Breton presented the Joint Cyber Unit as the “operation arm of the European Cyber Shield,” a mechanism for European public authorities and private players to identify and swiftly react to cyber threats.
The EU Council conclusions adopted on Tuesday (19 October) are somewhat more careful than the Commission’s proposal. EU countries are invited to ‘explore the potential’ of a joint cyber unit and how it would further contribute to the EU cybersecurity crisis management framework.
In particular, the document “underlines the need to avoid unnecessary duplication and to seek complementarity and added value in the further development of the EU cybersecurity crisis management framework, and to ensure alignment with existing mechanisms, initiatives, networks, processes and procedures at national and European level.”
In other words, national authorities commit to looking into the proposal but warn that careful consideration of the existing gaps is needed to avoid overlapping with existing initiatives, therefore advocating for a step-by-step approach.
“There are other elements to consider,” a Council official told EURACTIV, explaining that governments will look into the Joint Cyber Unit as part of a broader engagement to enhance the cyber resilience of the bloc.
The European Commission has presented a series of cybersecurity initiatives, including the revision of the Directive on Security of Network and Information Systems (NIS2), the Directive on the resilience of critical entities, and the Digital Operational Resilience Directive.
Last month, the Commission announced a Cyber Resilience Act, which is expected by the third quarter of next year. The proposal would set industry standards for the security of connected devices.
Industry representatives warned that the multiplication of legislative proposals might make the cybersecurity environment increasingly challenging for businesses, noting that the overlaps make the legal framework more confusing.
The Council’s position seems to go in a similar direction for the operational responses to cyber threats.
Existing structures include, but are not limited to, the Integrated Political Crisis Response (IPCR), the Cyber Crises Liaison Organisation Network (CyCLONe), the NIS Cooperation Group, the Joint Cybercrime Action Taskforce (J-CAT), the European Judicial Cybercrime Network (EJCN), and cooperation in the context of the Cyber Diplomacy Toolbox.
Faced with yet another proposal, EU countries felt the need to emphasise “the importance of streamlining existing processes and structures to reduce complexity.”
National governments also restated their national prerogatives, notably in competencies, mandates, and legal powers, while calling for a governance structure that ‘adequately’ considers all the countries involved.
“Member States have primary responsibility for the response to large-scale cybersecurity incidents and crises affecting them,” the member states say in their conclusions, adding that national security remains their sole responsibility.
[Edited by Alice Taylor]