What is the EU Cyber Diplomacy Toolbox?
The EU Cyber Diplomacy Toolbox is a joint EU diplomatic response to malicious cyber activities. This is part of the EU's approach to cyber diplomacy within the Common Foreign and Security Policy, and it contributes to conflict prevention, the mitigation of cybersecurity threats, and greater stability in international relations. It influences the behaviour of potential aggressors.
The EU diplomatic response to malicious cyber activities is proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of each cyber activity. All diplomatic efforts promote security and stability in cyberspace through increased international cooperation, and reduce the risk of misperception, escalation and conflict that may stem from ICT incidents.
Understanding the Cyber Diplomacy Toolbox.
On 14 March 2017, the European External Action Service (EEAS) and the European Commission presented a paper on a joint EU diplomatic response to cyber operations.
The paper was examined by the Horizontal Working Party on Cyber Issues, established in 2016, responsible for coordination of Council's work on cyber issues (mainly the cyber policy and legislative activities).
The main objectives of the Horizontal Working Party on Cyber Issues are:
- ensuring a horizontal working platform providing for harmonisation and unified approach on cyber policy issues,
- coherent progress in the cyber domain, while keeping up with cyber threats,
- identify and expand cooperation with Council preparatory bodies and other relevant actors,
- information-sharing on cyber issues both among EU countries and national bodies,
- setting EU cyber priorities and strategic objectives as part of a comprehensive policy framework,
- representation of the EU in accordance with the strategic EU cyber policy objectives.
The paper was sent to the Horizontal Working Party on Cyber Issues from the Political and Security Committee (PSC), responsible for the EU's Common Foreign and Security Policy (CSFP) and the Common Security and Defence Policy (CSDP).
The Political and Security Committee (PSC):
- monitors the international situation
- recommends strategic approaches and policy options to the Council
- provides guidance to the Military Committee, the Politico-Military Group and the Committee for Civilian Aspects of Crisis Management
- ensures political control and strategic direction of crisis management operations.
The PSC is composed of member states' ambassadors based in Brussels, and is chaired by the representatives from the European External Action Service. It meets twice a week, or more often if necessary.
On 6 June 2017, the final text of the draft Council Conclusions was submitted to PSC with several additions, with a view to their adoption by the Council. On 19 June 2017, the Council of the European Union adopted the draft Council Conclusions on a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities ("Cyber Diplomacy Toolbox").
The toolbox includes diplomatic "restrictive" measures within the EU Common Foreign and Security Policy that can be used against malicious operations directed against member states in cyberspace. The response must ne proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.
According to the toolbox, it is very important for EU member states to unify their diplomatic response against malicious cyber activities, to strengthen the security of European countries.
What has happened after the adoption of the Cyber Diplomacy Toolbox?
On 17 May 2019, the Council of the European Union adopted:
- Council Decision (CFSP) 2019/797, and
- Council Regulation (EU) 2019/796.
The Decision and the Regulation cover substantial elements of the EU Cyber Diplomacy Toolbox, and measures against cyber attacks threatening the European Union, or its Member States.
On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy.
The new EU Cybersecurity Strategy is a key component of Shaping Europe's Digital Future, the Recovery Plan for Europe, and the EU Security Union Strategy. It will bolster Europe's collective resilience against cyber threats and help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. Whether it is the connected devices, the electricity grid, or the banks, planes, public administrations and hospitals Europeans use or frequent, they deserve to do so with the assurance that they will be shielded from cyber threats.
The new Cybersecurity Strategy also allows the EU to step up leadership on international norms and standards in cyberspace, and to strengthen cooperation with partners around the world to promote a global, open, stable and secure cyberspace, grounded in the rule of law, human rights, fundamental freedoms and democratic values.
You may visit:
The EU’s Cybersecurity Strategy for the Digital Decade:
What has happened after the EU’s Cybersecurity Strategy for the Digital Decade?
The European Cyber Resilience Act
The Digital Operational Resilience Act
The European Cyber Defence Policy
The Strategic Compass of the European Union
The June 2017 Draft Council Conclusions on a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities ("Cyber Diplomacy Toolbox"). The Council of the European Union adopted the following conclusions:
1. The EU recognises that cyberspace offers significant opportunities, but also poses continuously evolving challenges for EU external policies, including for the Common Foreign and Security Policy, and affirms the growing need to protect the integrity and security of the EU, its Member States and their citizens against cyber threats and malicious cyber activities.
The EU recalls its conclusions on the EU Cybersecurity strategy, in particular its determination to keep cyberspace open, free, stable and secure where fundamental rights and the rule of law fully apply. It also recalls its Conclusions on Cyber Diplomacy, in particular that a common and comprehensive EU approach for cyber diplomacy could contribute to conflict prevention, the mitigation of cybersecurity threats and greater stability in international relations.
The EU and its Member States note the importance of the ongoing EU cyber diplomacy engagement and of the need for coherence among the EU cyber initiatives to effectively strengthen the cyber resilience, and are encouraged to further intensify their efforts on cyber dialogues within the framework of effective policy coordination, and emphasise the importance of cyber capacity building in third countries.
2. The EU is concerned by the increased ability and willingness of State and non-state actors to pursue their objectives by undertaking malicious cyber activities of varying in scope, scale, duration, intensity, complexity, sophistication and impact.
The EU affirms that malicious cyber activities might constitute wrongful acts under international law and emphasises that States should not conduct or knowingly support ICT activities contrary to their obligations under international law, and should not knowingly allow their territory to be used for internationally wrongful acts using ICTs, as it is stated in the 2015 report of the United Nations Groups of Governmental Experts (UN GGE).
3. The EU recalls its and its Member States' efforts to improve cyber resilience in particular through the implementation of the NIS Directive and the operational cooperation mechanisms provided therein, and that malicious cyber activities against information systems, as defined under EU law, constitute a criminal offence and that effective investigation and prosecution of such crimes remains a common endeavour for Member States.
The EU and its Member States take note of the ongoing work of the United Nations Groups of Governmental Experts on Developments (UN GGE) in the Field of Information and Telecommunications in the context of international security, building on the 2010, 2013 and 2015 reports, and are encouraged to strongly uphold the consensus that existing international law is applicable to cyberspace.
The EU and its Member States have a strong commitment to actively support the development of voluntary, non-binding norms of responsible State behaviour in cyberspace and the regional confidence building measures agreed by the OSCE6 to reduce the risk of conflicts stemming from the use of information and communication technologies.
The EU reaffirms its commitment to the settlement of international disputes in cyberspace by peaceful means, and that all of the EU’s diplomatic efforts should as a priority be aimed at promoting security and stability in the cyberspace through increased international cooperation, and at reducing the risk of misperception, escalation and conflict that may stem from ICT incidents. In that regard the EU recalls the UN General Assembly call to the UN Member States to be guided by the UNGGE reports' recommendations in their use of ICTs.
4. The EU stresses that clearly signaling the likely consequences of a joint EU diplomatic response to such malicious cyber activities influences the behavior of potential aggressors in cyberspace thus reinforcing the security of the EU and its Member States.
The EU reminds that attribution to a State or a non-State actor remains a sovereign political decision based on all-source intelligence and should be established in accordance with international law of State responsibility. In that regard, the EU stresses that not all measures of a joint EU diplomatic response to malicious cyber activities require attribution to a State or a non-State actor.
5. The EU affirms that measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures, adopted under the relevant provisions of the Treaties, are suitable for a Framework for a joint EU diplomatic response to malicious cyber activities and should encourage cooperation, facilitate mitigation of immediate and long-term threats, and influence the behavior of potential aggressors in a long term. The EU will work on the further development of a Framework for a joint EU diplomatic response to malicious cyber activities, guided by the following main principles:
• serve to protect the integrity and security of the EU, its Member States and their citizens,
• take into account the broader context of the EU external relations with the State concerned,
• provide for the attainment of the CFSP objectives as set out in the Treaty on the European Union (TEU) and the respective procedures provided for their attainment,
• be based on a shared situational awareness agreed among the Member States and correspond to the needs of the concrete situation in hand,
• be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity,
• respect applicable international law and must not violate fundamental rights and freedoms.
6. The EU calls on the Member States, the European External Action Service (EEAS) and the Commission to give full effect to the development of a Framework for a joint EU diplomatic response to malicious cyber activities and reaffirms in this regard its commitment to continue the work on that Framework in cooperation with the Commission, EEAS and other relevant parties by putting in place implementing guidelines, including preparatory practices and communication procedures and to test them through appropriate exercises.
Council Conclusions on Cyber Diplomacy, 11 February 2015.
The Council of the European Union,
RECOGNISING that cyberspace issues, in particular cyber security, the promotion and protection of human rights in cyberspace, the application of existing international law, rule of law and norms of behaviour in cyberspace, Internet governance, the digital economy, cyber capacity building and development, and strategic cyber relations offer significant opportunities, but also pose continuously evolving challenges for EU external policies, including the Common Foreign and Security Policy,
AFFIRMING that the EU and its Member States should address these cross-cutting multifaceted issues with a coherent international cyberspace policy that promotes EU political, economic and strategic interests and continue to engage with key international partners and organisations as well as with civil society and the private sector,
UNDERLINING that such policy should build on existing policy documents, in particular the Council Conclusions on the Digital Agenda for Europe, on the first anniversary of the EU Strategic Framework and Action Plan on Human Rights and Democracy, on the EU Cyber Security Strategy, and on Internet governance,
BEARING IN MIND the recent terrorist attacks in France and AFFIRMING the need for a comprehensive approach in the fight against terrorism that includes various actions in different policies, including in the area of transport, finance, information technologies and in relations with third countries, as stipulated in the joint statement of the Justice and Home Affairs Ministers at their informal meeting held in Riga on 29 and 30 January 2015,
REAFFIRMING the EU’s position that the same norms, principles and values that the EU upholds offline, notably the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Convention on the Rights of the Child and the EU Charter of Fundamental Rights, should also apply and receive protection in cyberspace,
RECALLING the crucial importance of promoting and protecting a single, open, free and secure cyberspace which fully reflects and respects the core EU values of democracy, human rights and the rule of law,
EMPHASISING the importance of trust through enhanced availability, security, reliability and interoperability of online communications and noting that the secure flow and handling of data is contributing to economic growth,
CONSIDERING that the growing number of international fora, bilateral and multilateral meetings and processes on cyberspace issues poses challenges to all stakeholders in ensuring appropriate participation,
ACKNOWLEDGING that developing an overarching and coherent narrative on EU cyber issues is crucial in the face of expanding and complex international discussions,
HEREBY
REGARDS as essential and crucial the further development and implementation of a common and comprehensive EU approach for cyber diplomacy at global level that:
• promotes and protects human rights and is grounded on the fundamental EU values of democracy, human rights and the rule of law, including the right to freedom of expression; access to information and right to privacy,
• ensures that the Internet is not abused to fuel hatred and violence and safeguards that the Internet remains, in scrupulous observance of fundamental freedoms, a forum for free expression in full respect of law,
• promotes a cyber policy informed by gender equality,
• advances European growth, prosperity and competitiveness and protects EU core values, inter alia, by strengthening cybersecurity and improving cooperation in fighting cybercrime,
• contributes to mitigation of cybersecurity threats, conflict prevention and greater stability in international relations through the use of diplomatic and legal instruments,
• promotes the efforts to strengthen the multi-stakeholder model of Internet governance,
• fosters open and prosperous societies through cyber capacity building measures in third countries that enhances the promotion and protection of the right to freedom of expression and access to information and that enables citizens to fully enjoy the social, cultural and economic benefits of cyberspace, including by promoting more secure digital infrastructures,
• promotes the sharing of responsibilities among relevant stakeholders, including through cooperation between the public and private sectors as well as research and academic institutions on cyber issues,
NOTES that these Council Conclusions are without prejudice to the distribution of competences between the EU and its Member States and the allocation of powers between the EU institutions, AND
INVITES the EU and its Member States to work together, respecting each other's areas of competence and the principle of subsidiarity, in response to the strategic objectives set out in these Conclusions.
Promotion and Protection of Human Rights in Cyberspace
UNDERLINES that individuals' human rights and fundamental freedoms as enshrined in the relevant international instruments must be respected and upheld equally online and offline and WELCOMES the fact that this principle has been also affirmed by the UN Human Rights Council5 and General Assembly,
CALLS UPON the EU and its Member States:
• to promote and protect human rights and fundamental freedoms in cyberspace, including freedom of expression, access to information, assembly and association, privacy, effective remedy and a fair trial and to strongly uphold and firmly defend their common positions in the relevant regional and global fora,
• to actively contribute to the enforcement of international human rights obligations in cyberspace,
• to protect human rights of victims of serious and organised crime in cyberspace by promoting effective investigations and prosecutions, allowing competent authorities to gain timely access to electronic evidence, with full respect to international law and fundamental rights including the protection of personal data,
• to encourage exchanges of good practices on the promotion and protection of fundamental rights in cyberspace with all relevant stakeholders, in particular the freedom of opinion and expression and the right to privacy,
• to promote a universal, affordable and equal access to the Internet and in particular the empowerment of women and girls in policy development and use of Internet,
INVITES the EU and its Member States to promote the implementation and make better use of the EU Guidelines on the Freedom of Expression online and offline and of the EU Guidelines on Human Rights Defenders, namely by:
• developing and promoting best practices to ensure respect for human rights online, including in the framework of the export of technologies that could be used for surveillance or censorship by authoritarian regimes,
• supporting the efforts of third countries to increase and improve their citizens' access to and secure use of information and communication technology (ICT) and the Internet,
• raising awareness and empowering stakeholders to use ICT and the Internet to promote human rights and fundamental freedoms in cyberspace,
Norms of behaviour and application of existing international law in the field of international security
WELCOMES the work done within the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, notably its 2013 report, and the consensus achieved that international law, in particular the Charter of the United Nations, is applicable to cyberspace and is essential to reduce risks and maintain peace and stability,
WELCOMES the adoption of a first set of Cyber Security Confidence Building Measures in the OSCE framework and LOOKS FORWARD to their implementation as well as to the development of measures aimed at enhancing confidence and cooperation,
REITERATES the EU’s and its Member States' commitment to actively support the development of such measures, through a consolidated and coordinated approach and including in other regional fora such as the ASEAN Regional Forum to reduce the risk of misperceptions in their relations and encourages greater Member States' engagement to this end,
ENCOURAGES the EU and its Member States:
- to focus efforts in a coherent and coordinated manner and contribute actively to the achievement of a global common understanding on how to apply existing international law in cyberspace and to the development of norms for responsible state behaviour in cyberspace with a view to increasing transparency and trust, consistent with existing international law provisions,
- to strongly uphold the principles regarding State responsibility for internationally wrongful acts and to take the initiatives necessary at national, regional and international level to ensure that they are fully respected and enforced in cyberspace,
- to strongly uphold the position that existing international law is applicable in cyberspace, EMPHASISES the key role played by the EU and its Member States in international cyberspace policy debates and events, such as the "London process" and its follow-up conferences in Budapest and Seoul, and ENCOURAGES them to continue their efforts to support the next Global Conference on Cyber Space in the Hague in 2015, by contributing to the positive development and progress of that process while ensuring consistency of the messages delivered from the EU side,
RECALLS its recently adopted Conclusions on Internet Governance8 which contain the EU's position on this issue and STRESSES the importance of those Conclusions given that Internet governance is an integral part of the common and comprehensive EU approach for cyber diplomacy,
RECOGNISES that Internet and digital technology have become the backbone of economic growth of the EU internal market and a critical source which all economic sectors rely on,
UNDERLINES the need for the EU to advance the digital single market and to promote its regulatory framework in order to further develop competitive and sustainable European digital enterprises and e-commerce,
EMPHASISES that the digital economy can only reach its true potential by ensuring the protection of data online as well as of the underlying infrastructure and areas that face increasing opportunities and challenges with innovative technologies such as cloud, mobile and social computing and analytical tools applied to Big Data,
ACKNOWLEDGES the importance of cross-border data flows for promoting growth and economic development and of ensuring trust through the availability, security, reliability and interoperability of online communications,
ACKNOWLEDGES the importance of the EU in playing an active role in ICT standard setting, pursuing as far as possible the development of global or globally interoperable standards ensuring a high level of security, promoting competitive, cross-border online trade and new business models through inclusive and bottom-up processes and taking into account the on-going work in the OECD framework, including on taxation-related issues,
ENCOURAGES the EU and Member States together with the private sector, technical and academic communities and civil society to work towards the enhancement of open, interconnected and trustworthy solutions to create a dynamic, competitive and conducive environment for European industries and services ensuring that the EU stands out as a global player and as a market for investment and innovation,
INVITES the EU and its MS:
– to place specific emphasis on further promoting the EU digital single market and enhancing IT security, promoting digital trust and enabling greater use of ICTs and ICT driven growth;
– to move forward the relevant negotiations within the respective international and multilateral fora as well as to support the inclusion of the digital economy in their respective agendas;
– to systematically consider addressing challenges related to data protection in cooperation with key international partners and countries, and to maintain a high level of IT-security, including relevant standards, and in doing so, to explore the avenues to promote the interoperability and portability of users’ content and data between different digital platforms;
– to promote the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data as a minimum standard for data protection in third countries,
– to support market access in a spirit of reciprocal and mutual benefit with third countries when negotiating free trade agreements taking into account EU values and norms, including data protection,
Cyber capacity building and development
REITERATES the importance of cyber capacity building in third countries as a strategic building block of the evolving cyber diplomacy efforts of the EU towards the promotion and protection of human rights, rule of law, security, growth and development,
EMPHASISES the importance of access to and use of open and secure ICTs for enabling economic growth and innovation, accelerating progress and driving political, social and economic development worldwide,
RECOGNISES the need to promote the rule of law and to combat the increase in organised crime and unlawful acts in cyberspace, in line with human rights law and international mutual legal assistance agreements,
CONTINUES promoting the Council of Europe Convention on Cybercrime as a framework for international cooperation,
STRONGLY ENCOURAGES the EU and its Member States to:
– develop a coherent and global approach to cyber capacity building, which on one side brings together technology, policy and skills development within a broader and overreaching EU development and security agenda, and on other side facilitates the design of an effective EU model for cyber capacity building;
– make cyber capacity building an integral part of wider global approaches in all cyberspace domains, including through close cooperation with academia and the private sector as well as European Union Network and Information Security Agency (ENISA), the European Cybercrime Centre within Europol and the EU Institute for Security Studies;
– support new initiatives on cyber capacity building that take stock of, build on, and complement existing initiatives emphasising the importance of access to and use of unhindered, uncensored and non-discriminatory use of open and secure ICT for fostering open societies and enabling economic growth and social development;
– promote sustainable cyber capacity building, when appropriate, together with international partners, as well as streamlining and prioritising funding, including by making full use of the relevant EU external financial instruments and programmes;
– promote the Council of Europe Convention on Cybercrime internationally as the legal framework of reference for international cooperation in fighting cybercrime at a global level and support third countries to accede to the Convention and to introduce a minimum national legal framework to combat cybercrime as well as to develop the necessary investigation and prosecution capacities;
– tackle growing cyber threats and challenges by increasing resilience of critical information infrastructure and by reinforcing close cooperation and coordination among international stakeholders through initiatives such as the development of confidence building, common standards, international cyber exercises, awareness-raising, training, research and education, incident response mechanisms,
– leverage the expertise of national cyber organisations, including computer security incident response teams, high-tech crime units and other competent national bodies,
Strategic engagement with key partners and international organisations
RECOGNISES that due to the global cross-cutting nature, scope and reach of the digital realm, most of the policy decisions on cyberspace-related issues have international implications that necessitate active international engagement, collaboration and coordination in the EU,
EMPHASISES that many recent cyberspace developments have taken place in different international organisations, in particular the UN, Council of Europe, OSCE, OECD, NATO, AU, OAS, ASEAN, ARF, etc.,
ENCOURAGES the EU and its Member States to prepare cyber dialogues within the framework of effective policy coordination, avoiding duplication of efforts and taking into account the broader EU political and economic interests, collectively promoted by all EU actors,
RECALLS that structured and overarching EU strategic cyber consultations have already been launched with the US, China, Japan, India, South Korea and Brazil, and that negotiations to launch such discussions are currently on-going with other partners; in addition numerous sectorial dialogues are on-going on ICT, organised crime and human rights, with the aim of building trust and confidence as well as providing platforms for exchanging best practices, promoting human rights and the rule of law, improving security and tackling issues of common concern,
REAFFIRMS the call in the EU Cybersecurity strategy:
• to seek Member States’ cyber policy expertise and their experience from bilateral engagements/cooperation to develop common EU messages on cyberspace issues,
• to work towards achieving a coherent EU international cyberspace policy by increasing engagement with key international partners and organisations, by improving coordination of global cyber issues, mainstreaming the strategic external relations and improving internal consultations;
• to support the creation of relevant national policies, strategies and institutions in third countries with the aim of enabling the full economic and social potential of ICT, developing resilient systems and mitigating cyber risks for the EU;
INVITES the EU and its Member States:
– to ensure that the European activities in cyberspace and national policies, law and initiatives are designed in a way to allow for a coherent approach and avoid duplication;
– to improve coordination of dialogues with partners and to engage them in bilateral, regional or global settings;
– to maintain close relations with the relevant international organisations where the major cyber developments are taking place;
– to engage civil society organisations, the private sector, technical and academic communities, where appropriate, in shaping and implementing EU cyberspace policy;
– to share information on their bilateral cyber consultations,
AND
ENCOURAGES the EU and its Member States to support on-going implementation of these Conclusions by keeping EU strategic objectives under constant review and by setting up EU cyber diplomacy policy priorities,
INVITES the Member States, the Commission and the High Representative to regularly report to the Council on the implementation of these conclusions and ENCOURAGES the regular collaboration between the competent Council preparatory bodies, in particular with the Friends of the Presidency Group on Cyber Issues which should continue serving as a comprehensive crosscutting forum for EU cyber policy coordination and cooperation.