Thierry Breton began his speech by reminding us that cybersecurity issues can no longer be addressed by Member States on their own—they must be handled at the European level.
He also highlighted the fact that the “European internal digital market” was the leading market in the free, democratic world: “This internal digital market is now structured by an organisation and regulations such as the DSA, the DMA and the Data Act. For the first time, we have a single market for data that operates with the same rules for everyone.”
For Thierry Breton, the industrial data revolution will be a much bigger wave than that seen in personal data. “This will generate a much bigger volume of data that will be the basis for changes to come, bringing new jobs and services,” he said. But in this field, we are only as strong as our weakest link. Our cyber-resilience must become an issue for Europe as a whole.
“The European Union, as a political and economic player as well as a player in global security, is becoming a growing target for all kinds of cyberattacks, with—for those behind these attacks—the goal of destabilising our systems,” Thierry Breton said.
Cyberspace is now an integral part of Europe’s defence doctrine
The Commissioner for the Internal Market also said that cyberspace was now recognised as a contested space in the new European defence doctrine, just like maritime space and outer space. As with any contested space, we must all work together to protect it.
“This is a major paradigm shift. Cyberspace is now a part of our defence doctrine. To better handle cyber threats, we need cutting edge technologies, secure shared infrastructure, improved operational cooperation and structures of governance and effective sanctions,” he said.
This is the context behind Thierry Breton’s goal to establish a European shield to protect, detect, deter and defend.
Technology and regulation: the two pillars of protection
The “protection” aspect revolves around a clear aim to improve the European internal digital market’s resilience and security through an ambitious approach to technology and regulation. “In terms of technology, we are working to roll out a clear roadmap to identify our cybersecurity dependencies and to concentrate national European funding, notably through the European Defence Fund,” said Thierry Breton.
On the regulatory side, the NIS Directive introduced cybersecurity requirements for all key economic players in critical sectors, including data centres and public administrations.
Another key regulatory component is the “Cyber Resilience Act” proposed by Thierry Breton in November 2022. “This bill lays out minimum cybersecurity requirements for all products and software sold within the internal market. Self-certifications of compliance will be possible for 90% of products. But for thirty or so of the most critical products, such as industrial firewalls, routers and operating systems, we have set up a compliance test that will be carried out by third parties,” the European Commissioner said.
Increased detection and defence
With regard to detection, Thierry Breton reiterated the aim of drastically reducing the time taken to detect an attack, so that in the long term it takes only a few hours rather than several months. The current average is 190 days for sophisticated attacks.
In this regard, the European Commission proposed a “Cyber Solidarity Act” last April. This text provides for an infrastructure of six or seven SOCs (Security Operations Centres) to be set up to create a global detection system at the European level. “In terms of governance, this ‘cyber shield’ will be a bit like a cyber version of our Galileo satellite connectivity and positioning architecture,” he said.
Regarding “Defence”, Thierry Breton recalled the importance of the “cyber emergency mechanism” which will also be covered in the Cyber Solidarity Act. This mechanism will be based on the principles of joint crisis management and mutual assistance. It draws inspiration from how European civil protection works in a spirit of solidarity to provide assistance in the event of a major disaster in an EU country, such as a fire or earthquake.
“It is a response branch that will rely on a pool of several thousand responders to mobilise certified, trusted, volunteer public and private service providers to support defence and mobilisation efforts in the face of an attack. This reserve will stand ready to respond upon request from any Member State,” he said.
An active policy of direct sanctions for better deterrence
Finally, to become a credible global player in the continent’s cybersecurity, or even cyberdefence, Europe must devise a genuine doctrine on cyberattacks and cyberdefence. “The aim is to increase Europe’s cyber deterrence capabilities. There can be no cyberdefence without deterrence. This doctrine must come with an active policy of direct sanctions. The EU already has a cyber diplomacy that allows it to impose tough sanctions, especially when there is strong evidence for who is responsible,” said Thierry Breton.
The European Commissioner for the Internal Market concluded, “However, to be credible, any deterrence must be supported by a genuine strategy on active, i.e., offensive, response capabilities, which remain in the hands of the Member States. We have committed considerable resources, for example in the European Defence Fund, to intervene upstream and help Member States finance key technologies.”
In the face of threats, Europe is organising its technology, its regulations, its shared infrastructure and its solidarity to improve its defence and deterrence capabilities. This approach involves all Member States as well as their NATO allies, first among them the United States.