European cyber sovereignty: dream or reality?

The more Europe falls victim to cybercrime, the more it tends to set itself up as a true sovereign power in the field of cybersecurity to better defend itself. This was the conclusion drawn by the participants in the plenary session of the FIC 2022 entitled « Europe as a normative power. What next? » However, the existence of European sovereignty is not obvious.

Indeed, as Henri Verdier, Ambassador for Digital Affairs at the Ministry of Europe and Foreign Affairs, reminded us, for those who are attached to the French concept of sovereignty (i.e. power emanating from the will of the people), European sovereignty can only be contradictory since there is no such thing as a European people. Yet sovereignty can simply be seen as the freedom to do or not to do, or in other words, autonomy.

It is this definition of sovereignty as autonomy that was retained by the participants to qualify European sovereignty as an ideal to be achieved in the field of cybersecurity. « Sovereignty means controlling our destiny, » explained Guillaume Poupard, Director General of the ANSSI. It is a kind of « strategic autonomy, (…) the freedom to make decisions that concern us, » said Henri Verdier.

Thus, it is through this autonomy that Europe will succeed in becoming a powerhouse, not only in terms of innovation in the cyber industry to better face international competition, but also in terms of « the ability to establish rules beyond the single market (…) to our neighbours and other regions of the world, » as explained by Daniela Schwarzer, Director for Europe and Eurasia at Open Society Foundations.

Therefore, the sovereignty of the European Union (EU) in the field of cybersecurity would mean its ability to become autonomous in both technological innovation and normative production to be able to set itself up as a power capable of facing international competition and exporting its standards in this field to strengthen its global influence. But is it really taking this path?

Cooperation: a « joint ambition » for european autonomy

« Europe is moving forward and almost speaking with one voice, » Guillaume Poupard said. According to him, a few years ago, « the question was to know who, from the European institutions (…) or from the Member States (…), was going to attract the questions of sovereignty and autonomy to itself. »

We now see that a real « joint ambition » between all the Member States is emerging: an ambition of cooperation « that has become natural in Europe » in the field of cyber security (according to Olivier Onidi, Deputy Director General of the Directorate General for Migration and Home Affairs at the European Commission) and which is the necessary condition for giving the EU autonomy as a means of achieving its cyber sovereignty. Therefore, Daniela Schwarzer insists that we must « define the concept of sovereignty not as a loss of sovereignty if we cooperate (…) all together but rather as a recovery of sovereignty. »

As Pierre Berthelet wrote in the January issue of the Revue de la gendarmerie nationale, this European cooperation in cybersecurity can be approached through a « national sovereignty approach, » a « transnational flows approach, » or a « European integration approach. » It seems that the last two approaches are now favoured.

Indeed, Guillaume Poupard notes that, in line with the transnational flows approach, European networks are increasingly forming and « working. » This is the case for cyber defence, as stated by General Didier Tisseyre, Commander of Cyber Defence, who is convinced that the French Presidency of the Council of the European Union (FPEU) has enabled, by means of numerous meetings and forums, the activation of multiple networks, not only between all the military CERTs but also between the cyber defence commanders of the different Member States.

Olli Ruutu, Deputy Director General of the European Defence Agency, explained that « cooperation and communication channels have been developed in the field of cyber defence. » Aware of the need to accelerate this process, he announced the creation of an « operational network » to share information more effectively in order to guarantee better European cybersecurity.

It is partly through this type of cooperation, based on of a multiplicity of transnational networks, that the « digital commons » (as Henri Verdier calls them) will be developed as a « non-rival vision of sovereignty. » Or, as Guillaume Poupard would say, cooperation viewed as an « ecosystem » that is also structured as a genuine European integration.

Indeed, in the field of cybersecurity, the EU is developing its own secondary legislation as a result of institutionalised cooperation between its Member States. This includes, for example, the well-known General Data Protection Regulation (GDPR) of 2016, but also the Cybersecurity Act of 2019 (which gives ENISA, the European Cybersecurity Agency, a permanent mandate and defines a European cybersecurity certification framework), as well as the very recent Digital Services Act (DSA) complementing the Digital Markets Act (DMA) in order to crack down on illegal content posted on digital platforms.

Not to mention the 2021 revision of the NIS Directive that « will move the lines, » according to Guillaume Poupard. Not only does it extend its cybersecurity obligations to a larger number of actors (those in « essential sectors » such as energy or transport as well as those qualified as « important » such as postal services or waste management) but it also allows for the intensification of information sharing between the EU and its Member States by creating, for example, a European vulnerability database promoting cooperation and ultimately European autonomy.

Finally, since the EU’s cybersecurity autonomy is enhanced by greater collaboration through multiple networks and increased integration, cyber sovereignty power necessarily grows. But there is still some way to go…

European cyber sovereignty not (yet) achieved

Although the EU has made it possible to « pool certain tools that are often very rare » (such as a « decryption station » within Europol), « European solidarity » still needs to be strengthened, according to Guillaume Poupard.

And this European solidarity will necessarily involve collaboration between the public and private sectors at the service of a common goal. This would, for example, make it possible to reinforce autonomy by means of information sharing, and thus to strengthen sovereign power: « the increase in power (…) now requires the production, storage, accessibility, and operationality of information, » as Lyotard so rightly wrote in The Postmodern Condition.

In addition, it is now necessary to « use our digital diplomacy » to extend our cybersecurity standards internationally, as Cyril Dujardin, Director of Digital Security Activities at Atos, explained.

In the face of the war in Ukraine, it is therefore essential for the EU to use instruments that strengthen its sovereignty if it wants the emerging new order not to be organised without it. By attributing the cyberattack on the KA-SAT satellite to Russia, it has acted in this direction and demonstrated that its cyber sovereignty is no longer just a dream…