The Network and Information Security Directive (NIS Directive) is one of the most important pieces of cyber legislation in the EU. Only four years after its entry into force, the European Commission is expected to table a revision of this cyber law by the end of the year. This is an excellent moment to consider this revision in the context of the red-hot debate over strategic autonomy and digital sovereignty in the EU. Doing so unearths some surprising ingredients that can be used in cooking up this revision and, as a bonus, produces a whiff of change for the EU Treaties.
Cyber Resilience Revisited
There has been a huge shift in political perceptions between 2013 and today. In 2013, the preoccupation was with “national security first”. In 2020, however, concerns about sovereignty and strategic autonomy have become central political drivers. Importantly, it is no longer taboo to talk of EU sovereignty. In 2018, by contrast, half of Europe criticised European Commission President Juncker when he said in his State of the Union speech that “the hour of European sovereignty has come”. In the words of Bob Dylan, the times they are a-changin’.
Strategic autonomy goes far beyond cybersecurity. Strategic autonomy issues include raw materials autonomy to escape a Chinese stranglehold; health autonomy in response to COVID-19; energy autonomy, given tensions with Russia; and the creation of a “digital euro” to ensure monetary sovereignty; among others. The European Council Conclusions of 2 September 2020 had strategic autonomy as a Leitmotif.
Sovereignty is a familiar concept in political science, although it cannot be reduced to a single and unambiguous definition. Notions associated with the concept of sovereignty include territory, people, natural resources, authority and internal and external legitimacy (see Thomas Biersteker).
Until recently, strategic autonomy was virtually undefined. Military in origin, today the term has a much wider scope. It can be understood, in a broad sense, as a means to realise and defend sovereignty. A more up-to-date definition is: “strategic autonomy is the ability, in terms of capacity and capabilities, to decide and act upon essential aspects of the longer-term future in economy, society and democracy”.
What if strategic autonomy or sovereignty led the revision of the NIS Directive? The NIS Directive concerns cyber resilience, meaning protection against and ability to recover from cyber incidents. In the language of strategic autonomy, what then are the “cyber resilience capabilities and capacities” needed to keep our future in our own hands, in terms of our economy, society and democracy?
Surely, this includes, as in the current NIS Directive, cyber protection of selected critical physical infrastructures and services (such as for electricity, water and transport) and critical digital infrastructure or services (currently including only three: cloud services, electronic marketplaces and search engines). That leaves a lot of digital and physical infrastructure and services uncovered. Many of those that have become essential to our economy, society and democracy already face acute threats. For example:
- On social media and in media in general, the daily reality now consists of active attempts to undermine legitimacy through attacks, intrusions, hacking and theft and misuse, such as the production and spread of fake news. Many mainstream political figures are very worried about the ongoing undermining of our democracy and values.
- Industrial and other physical infrastructures (e.g. steel plants, which have already been targets of attacks) are ever more based on Internet of Things (IoT), yet IoT security is almost fully in the hands of industrial consortia – in which there is significant Chinese participation – despite increasing critical dependence on it. The parallels to 5G security cannot be ignored.
These are just two examples. Cyber resilience is also lacking for:
- Critical intellectual property (IP) for our economic future. Cybertheft of IP is one of the greatest threats for the future of countries. Yet, there is no systematic and mandatory protection of IP, not even as a condition for use of EU research and development funds.
- The European domain name system .eu. The persistent attacks on DNS, the Internet domain name system, are a major concern for ICANN, the international organisation for domain name management. A 2016 cyberattack targeting the DNS provider Dyn made major Internet services unavailable for hours.
- Emerging European data spaces, such as those for industrial, public administration, health and environmental data. These Europe-wide data infrastructures are essential to the EU’s industrial competitiveness as well as the fight against communicable diseases such as COVID-19.
- Education and training infrastructure. In the time of COVID, digital platforms have become indispensable for education and training, yet numerous security issues have been reported, and those platforms are largely in the hands of non-EU providers, such as Zoom.
The sovereignty perspective provides quite a different view on cyber resilience. It demonstrates why all critical assets for our economy, society and democracy must be considered and receive strong cyber protection. The revision of the NIS Directive provides the ideal opportunity to do so.
Pegging Down Competences
Of course, this is easier said than done. Just consider how revision of the NIS Directive looks from the legal perspective. A legal anchor (“legal basis”) in the Treaties is necessary to propose additional European law. Currently, Internal Market Article 114 of the Treaty on the Functioning of the European Union (TFEU) is the legal basis for the Directive. To address all the areas mentioned above, a revised NIS Directive would have to call on a broader range of articles from the Treaties. For some areas, it would be a struggle to find any legal anchor at all. Moreover, not every article provides as strong a mandate for EU-level action as the Internal Market article. And, as always, the EU legislative intervention must not get too close to national security, as “national security remains the sole responsibility of each Member State” (Article 4 of the Treaty on the European Union, or TEU). The following graphic gives an overview.
EU Sovereignty as a Triple Win
It is clear that, even if it were possible, including all these elements in a revised NIS Directive would be messy. Why is it so difficult to fully cover all areas where sovereignty is at risk without ending up with a messy EU cyber law? The problem is that “sovereignty” cannot simply and straightforwardly be used as a legal justification: the term sovereignty is mentioned just twice in the Treaties and those references are not applicable here (they are about UK sovereignty over two military bases in Cyprus).
Is the way forward then to bite the bullet and revise the Treaties? Some will say: don’t open the can of worms! Others will argue: it is far too complicated. Yet others insist: European sovereignty does not and should not exist. But avoiding the topic might be detrimental to Europe’s future. A mature debate about sovereignty in Europe is much-needed. Besides, Pandora’s box is already open. President von der Leyen expressed her openness to the idea of a treaty change as a consequence of the Conference on the Future of Europe.
Most important is to shift perspective on what sovereignty means in the digital age and for Europe in the coming decade. Properly understood, EU sovereignty is not a win-lose but a triple win. Why?
First, most EU countries are too small, on their own, to protect their critical assets against global cyberattacks. National sovereignty in the digital world is much more credible if countries pursue strategic autonomy in partnership with others. Indeed, EU countries already and constructively collaborate in this spirit within the current NIS Directive. That is de facto (even de jure) a form of pooled and shared sovereignty. In 2017, France said, “We need to build Franco-European strategic autonomy”. This expresses a perception of a win for national sovereignty within the EU.
Second, elements of true and full European sovereignty do exist. We will have more of them in the digital domain. Who owns .eu? Who owns the European data spaces? No one but all Europeans in the EU. That is “win number two”: new sovereign assets that are truly European. The digital domain is the new territory where we can discover such sovereign assets. By the way, this is not such a recent discovery: the .eu law stems from 2003!
Third, sovereignty includes dimensions of both internal and external legitimacy. Internal legitimacy means the state being accepted as an authority and being effective inside its own territory and with respect to its own people. External legitimacy means being accepted and respected by foreign states. If the EU has strong capabilities, capacities and assets, it will be a respected and credible party for other states and gain external legitimacy. This is an enrichment, a growth of sovereignty. In the digital domain, digital strategic autonomy brings external legitimacy in cyberspace.
So, it’s time to admit it: European sovereignty is real, even if not always very strong.
EU Treaties That Are Fit for the 21st Century
None of this is new. Most of the ideas in this piece are 75 years old. Yet they suggest that we should consider revising the Treaties so that they are fit for the 21st century. There are two ways to do so.
First is to call a duck a duck. Article 3 of the TEU could clearly acknowledge that “the Union shall strengthen EU sovereignty in so far as this respects or enhances the sovereignty of the Member States and contributes to common Union assets and interests, or strengthens the Union’s position in the world”.
A second approach (which I owe to Thomas van Rijn, former Director of the European Commission’s Legal Service) would be a combination of smaller changes, although it might not cover all areas that need to be addressed. One change would be to enhance Article 26 of the TFEU with a clause such as: “The Union shall adopt measures with the aim of establishing or ensuring the functioning of the internal market […] in particular to safeguard the independence of the Union with respect to third countries”. Article 26 is an overarching article which is referred to by several other articles such as 114 on the Internal Market and 170 on Trans-European Networks. Article 179(1) on Research could be enhanced by adding an objective of protection of knowledge resulting from EU Research. This would not create new Union competences.
In conclusion, the EU needs a fresh perspective on sovereignty: one that views it as a triple win situation rather than a zero-sum game. A new coherent strategic direction for EU cybersecurity legislation will come as a huge bonus.
About the Author
Paul Timmers is research associate at the University of Oxford, adjunct professor at the European University Cyprus and visiting professor at Rijeka University. He is a former Director at the European Commission Directorate for Digital Society, Trust and Cybersecurity.