
Joint Committee on European Union Affairs debate - Wednesday, 24 Nov 2021

Engagement on Cybersecurity: European Defence Agency (Resumed)

On behalf of the joint committee, I would like to welcome Mr. Olli Ruutu, chief executive, European Defence Agency. To begin with, I have a few lines to say on the question of privilege and other matters.

Before we begin, I wish to deal with the issue of privilege and with some housekeeping matters. I welcome Mr. Olli Ruutu, deputy chief executive of the European Defence Agency. In Irish, I gave Mr. Ruutu a promotion and called him the príomhfheidhmeannach, and he should be called leas-phríomhfheidhmeannach, which is deputy chief executive.

All witnesses are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or to otherwise engage in speech that might be regarded as damaging to the good name of the person or entity. Therefore, if the witnesses’ statements are potentially defamatory of an identifiable person or entity, they will be directed to discontinue their remarks. It is imperative that they comply with such direction. For witnesses attending remotely outside of the Leinster House campus, there are some limitations to parliamentary privilege and as such they may not benefit from the same level of immunity from legal proceedings as a witness physically present does. Witnesses participating in this committee session from a jurisdiction outside of the State are advised that they should also be mindful of the domestic law and how it may apply to the evidence that they give. Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside of the Houses or an official either by name or in such a way as to make him or her identifiable.

For anyone watching this meeting, Oireachtas Members and witnesses now have the option of being physically present in the committee room or to join the meeting remotely by MS Teams. I remind members of the constitutional requirement that members must be physically present within the confines of the Leinster House complex in order to participate in public meetings. I will not permit a member to participate where they are not adhering to this constitutional requirement. Therefore, any member who attempts to participate from outside of the precincts will be asked to leave the meeting. In this regard, I will ask any member participating by MS Teams that prior to making their contribution to the meeting they confirm that they are on the grounds of the Leinster House campus.

If members are attending within the committee room, they are asked to exercise personal responsibility to protect themselves and others from the risk of contracting Covid-19. They are strongly advised to practise good hand hygiene and have at least one vacant seat between themselves and others attending. I believe that everybody knows the drill in this regard at this stage. Without further ado, I call Mr. Ruutu to make his opening statement.

Mr. Olli Ruutu

Good morning to the Chairman and the distinguished members of the joint committee. It is a real pleasure to speak to them today about the EU's cybersecurity strategy, which was released last December as a joint communication of the Commission and the high representative. I am joined by Mr. Wolfgang Roehrig, who is our head of unit for information security at the European Defence Agency, EDA, and who will be very glad to take questions from members after my introduction.

Given my position as deputy chief executive of the EDA, and in line with the agency’s mandate, I will address today’s topic from a defence capability development perspective. It is from that perspective that EDA was involved in preparing the strategy, given the responsibility of Mr. Josep Borrell as head of the agency. We worked closely with the European External Action Service on the defence-related parts of the strategy.

My message today is clear: achieving greater EU digital sovereignty will require a joint endeavour across the EU, bringing together civilian and defence efforts and leveraging synergies where relevant. I will address three dimensions where this will be necessary: policy; capabilities and technologies; and resilience.

On the policy perspective, building on the EU global strategy and the Council’s strategic agenda on the one hand, and on the security union cybersecurity strategies on the other, there would be clear benefits to defining a common approach to digital sovereignty at EU level. I have no doubt the strategic compass, which is currently being prepared, will contribute to this wider objective. At the same time, it will be a long-term endeavour, given, notably, the specificities of the defence community.

After the introduction of the strategic compass, the revision of the 2018 cyber defence policy framework, CDPF, is an opportunity for the defence community to contribute to shaping the ambition on digital sovereignty so an EU approach encompasses the perspective of the military and responds to specific defence needs.

Turning to the second dimension - capabilities and technologies - there is a clear need for more investment in cyber capabilities in the EU in view of the fast-evolving nature of the cyber-threat landscape. With the multi-annual financial framework and Next Generation Europe, the EU will be investing heavily in the digital field. This is very much welcome. In view of the increasing investments by the military on digitalisation of forces, we should leverage all possible synergies in this area. Let me welcome the Commission action plan on synergies between the civil, defence and space industries as an important step in this direction. To foster civil and military synergies, the EDA is working closely with the European Union Agency for Cybersecurity, ENISA, the Computer Emergency Response Team for the EU institutions, bodies and agencies, CERT-EU, and the European Cybercrime Centre, EC3.

When it comes to cyber defence capability development, we are surely not starting from scratch because, in the EDA framework, we have established EU-level priorities to guide the development of cyber defence capabilities and to focus our effort on cyber defence technological priorities.

Given the sensitivities associated with cyber defence, as well as the different levels of expertise and approaches among member states, a co-ordinated approach will, of course, take time. The EU defence initiatives offer a comprehensive framework to foster more collaborative capability development between member states.

The co-ordinated annual review on defence, CARD, for instance, offered a comprehensive defence review. The 2020 report, which was issued last autumn, identified more than 100 collaborative opportunities to develop next-generation systems. Ensuring the cyber resilience of the systems to be developed is a key requirement.

Permanent structured co-operation, PESCO, provides a dedicated framework to develop these collaborative opportunities. Already we can see that a great number of projects in the cyber and C4ISR area, with highly visible projects such as European Secure Software-defined Radio, ESSOR, the cyber rapid-response teams or the Cyber and Information Domain Coordination Centre, are paving the way. Member states have proposed, in the fourth wave of projects of PESCO, a cyber-ranges project that should build on the existing EDA Cyber Ranges Federation operation. The European Defence Fund, EDF, building on the European Defence Industrial Development Programme, EDIDP, will provide a powerful financial incentive to develop these capabilities, bringing together large industries, SMEs and mid-caps.

To avoid losing our technological edge, it is critical to invest in the right technologies. There is a clear convergence of civilian and military needs to master disruptive technologies, from artificial intelligence to quantum technologies. As cyber technologies are by and large dual-use in nature, we see clear added value in the defence community continuing to contribute to the research effort financed by Horizon Europe.

The last dimension I would like to address is resilience. The EDA has taken an important initiative, the EU MilCERT Interoperability Conference, MIC, to foster operational co-operation among EU military computer emergency response teams, CERTs. In fact, today co-operation among military CERTs still remains very limited, unlike in the civilian domain. This is also due to different national approaches - for example, on deterrence or attribution. This is why we have developed the MIC, combining an innovative type of live-fire exercise and strategic discussions. The first edition was successful, with participation from 17 EU member states in addition to Switzerland. We are now preparing the second edition, which is to take place in 2022.

To finish, let me mention two additional areas where, in parallel with the Commission’s agenda on the civilian side, the agency is actively supporting EU defence ministries in increasing our collective resilience, namely supply chain security and the further development of secure networks, which is required from an agency perspective as member states are sharing more sensitive data, including in relation to capability development projects. This is a natural outcome or requirement of deepening European co-operation on defence capabilities.

To keep to the timeline, I will conclude my presentation here, but, together with Mr. Wolfgang Roehrig, I am ready to go into more detail during the question and answers.

I thank Mr. Ruutu for his presentation. It was very European in its language but I realise it is a very technical area.

Is the MIC a specific conference on a specific date or will it be over a period? Does Mr. Ruutu have a date?

Mr. Olli Ruutu

This is an initiative about networking military emergency teams of member states. We had our first edition of the conference last autumn. The idea is to continue on a yearly basis. It is an example of collaboration and co-operation between responsible cyber defence authorities in member states and of increasing co-operation in the area of cyber defence and bringing people together in that regard. I wanted to highlight it because, by comparison with civilian cyber operations, there is progress to be made on active cyber defence co-operation. This is an example of a concrete step forward in that area.

I thank our guests. The Chairman has said that Mr. Ruutu has quite properly made a very high-level presentation to us. We want to drill down more into the nitty-gritty and specifics. Our opening view is that, as a committee, we very strongly agree with President von der Leyen's statement that cybersecurity is one of the pressing issues because external actors have the capacity to paralyse industrial plants, city administrations and, as we know very clearly in Ireland, health systems. The cyberattack on our health system in the middle of a pandemic was an extraordinarily impactive and damaging assault on our public administration that actually caused deaths.

In particular terms, I would be interested to hear, from the European Union perspective and in a collegiate way, what we can do in responding to attacks like that. Is there a focus on the nations which we know host such cyberattackers or is it entirely a diplomatic effort that is left to the external action focus of the European Union? How do we better prepare ourselves for the future? Preparing resilience within our systems is one thing but how do we actively ensure that those who attack us are discouraged from doing so?

Will the witnesses explain the differences between cybersecurity and cyberdefence? What are the features of each of them?

As active parliamentarians, most of us are particularly concerned about cyber interference in our democracy. We see this in other jurisdictions. We have certainly seen it in the United States in recent elections and I have no doubt there are active participants across Europe also. Does this form part of the European Defence Agency's focus? What does Mr. Ruutu have to say on that?

Mr. Olli Ruutu

With regard to preparedness, our focus is on building a collaborative approach and collaborative opportunities for cyberdefence capabilities. I gave the committee a few examples of different projects. We try to structure and find common interests for cyberdefence capabilities. As we move to the next generation of defence capabilities and our co-operation on them, we need to pay systematic attention to make sure that cyberdefence-related aspects are considered.

From our perspective, we are an intergovernmental agency within the European Union. We help the member states to build their capabilities and come together, for example, through the Cyber Ranges Federation project where we are able to test together how our readiness, detection and responses to cyber threats are developing in the defence domain. We also have the co-operation of the military CERTs to test this and simulate what types of options and means of responding we would have at a national level and in consultation.

The committee will also be aware of the joint cyber unit, the establishment of which was a Commission recommendation. It is also referred to in the European Union cybersecurity strategy. Here, the aim is to increase the usability to cope with large cyber incidents by promoting co-operation across the different cyber communities. The recommendation includes the defence community as one of the four communities. There are also the civilian, law enforcement and diplomacy areas, although I note also the specificity. We are now working on how to engage the defence community to receive feedback on how it wants to be engaged in this wider effort.

While the European Defence Agency is not directly involved in cyber incident management, we are ready to be associated with the efforts designed at increasing overall preparedness, including the development of specific tools and capabilities which will benefit the cyberdefence community. That is a process on the joint cyber unit that has led to the discussion by the Commission, together with the member states and other actors in the area. Our way to support preparedness is to have collaborative approaches for the development of national capabilities, and then to network those.

On cybersecurity and cyberdefence, I have outlined what we do mainly on cyberdefence. We have a prioritisation framework, which means that we want to look at what European defence requires over the long term, what capabilities are key for our ability to act and prepare European Union member states' interests over the longer term, and how to invest in cyberdefence capabilities in order that our still limited resources - even collectively - would be used in the best and most effective possible way. We offer a platform for collaboration on cyberdefence capabilities, which is where we are active. Technologically, the line between pure cybersecurity and cyberdefence is often not that clear, but we want to make sure that the co-operation within the agency's framework by defence sectors is raising our industrial technological level and that there is an active engagement and networking with cybersecurity actors who would do that more from the civilian perspective. In any event, our approach is based on cyberdefence capability development in that sense.

On the issue of interference, we are not working actively on that or on incident management as such. We are preparing the capabilities for member states to be able to do so first and foremost in the defence field. The Deputy asked whether it was one of our areas of focus and he cited election interference as one example, among others. We are part of the European Union effort to be more capable technologically, now and in the long term, to withstand pressure that is being seen in this area. Our mandate is to work on defence capabilities and cyber capabilities to that extent. Perhaps Mr. Roehrig will add to that.

Mr. Wolfgang Roehrig

We are delivering civil-military co-operation in the area of cybersecurity and defence. For example, since May 2018 we have in place a formalised memorandum of understanding between the European Network and Information Security Agency, the European Cybercrime Centre in Europol, as well as the CERT for the EU institutions, CERT EU, with the European Defence Agency, to especially explore these elements of the dual-use nature of cyberspace as such and the interlinks between cybersecurity on the civil side and cyberdefence on the military side.

In addition to the preparedness part of the question, since 2014 we have been running a series of exercises, the so-called cyber strategic decision-making exercises. We have run these exercises so far with seven member states in order to train a government, with some artificiality within the set-up, on how to deal with an escalating cyber crisis. This is one of the areas where we see a lot of potential to have these kinds of exercises institutionalised for achieving a better preparedness towards the decision-making within a government in such an escalating crisis.

I thank Mr. Ruutu and the other witnesses for appearing. Reference was made to increased spending in the multi-annual financial framework. While I appreciate the witnesses may not be able to differentiate the various areas, by how much specifically will spending on cybersecurity and cyberdefence increase?

Mr. Olli Ruutu

I would not be able to give the Deputy a figure from the multi-annual financial framework that is altogether dedicated to this. The importance in the long-term multi-annual perspective is that, in different work programmes, for example in the European defence fund, we will see emphasis on cyber defence-related capabilities. It is very important, and what the agency wants to convey is, that we need to invest in cyber defence capabilities over the long term, throughout the entire multi-annual financial framework and then beyond. In a way, at the European level, we need to support co-operation and have an objective so that in the 2030s and 2040s, over the long term, we are able to field capabilities in cyber defence that are sustainable and that are also interoperable in the digital environment we are moving towards. It is a long-term exercise and, in this review we have done, we will be able to see the exact financial figures, although, unfortunately, I am not able to give them to the committee today. The importance in all of that is, with regard to European resources overall, there are limits to how much we can spend on cyber defence given the other interests. Our approach is very much to try to structure the discussion to make sure that we have priorities where co-operative spending on that would be most effective. It is about the collaborative approach and the investment that will be necessary.

I appreciate that and Deputy Howlin has drawn attention to that fact. We all accept the difficulties we are facing and if we did not, the ransomware attack on the HSE proved the danger of the new world in which we live. I am always somewhat wary of defence issues, particularly in regard to army and military co-operation being melded into the conversation around cybersecurity meets cyber defence. I will just put that out there and I do not expect the witnesses to answer specifically in that regard.

The witnesses went into detail in regard to what the EDA deals with. Will the witnesses give some detail on its overall remit? We have a general notion of that but how exactly does the EDA define cyber defence capacity? How are things operating in regard to the relationships at this point in time in dealing with individual states, whether that is dealing with individual militaries, individual police services or the likes of the National Cyber Security Centre here? How do the witnesses perceive that will change? Obviously, there will be updated protocols on how we operate into the future. Regarding the exercises, reference was made to the seven member states that have engaged in these. Can we have some detail on what exactly we are talking about, which states they are and what these exercises were?

Mr. Olli Ruutu

I will go direct to the question. I will outline a bit more on the way of working and Mr. Roehrig will add more detail on the co-operative approach from his perspective. Our approach is very much to support concrete collaborative projects. We are working as a secretariat to the Permanent Structured Cooperation, PESCO, which I referred to earlier. Among the 46 projects that are now running within the Permanent Structured Cooperation, we have added 14 to these in November and there are four that are directly focused on improving cyber defence. We are working on cyber rapid response teams, CRRTs, and mutual assistance in cybersecurity. There is a cyber threats incident response information sharing platform. We have the Cyber and Information Domain Coordination Centre, CIDCC, and the EU Cyber Academia and Innovation Hub, EU CAIH. Some other concrete examples that I have referred to are the Cyber Ranges Federation, which has been going on since 2020 with eight participating member states, and we have a project on advanced persistent threats detection. We then have research and technology projects on cyber forensics, dynamic malware and cyber situational awareness.

As we move along in the Permanent Structured Cooperation, what we are doing is providing member states with supports for projects in the PESCO framework. One of them, which also received European Union funding, is on cyber situational awareness and is called CySAP. We have a demonstrator developed within the EDA and we are, as an agency, designated as a project manager. It is a clear example of how, from national requirements, we go to collaborative approaches and then we use the tools at our disposal to manage these projects.

In education and training, we have a cyber co-operation planning exercise called Cyber Phalanx, which has been conducted since 2018. As Mr. Roehrig said, there was also a strategic decision-making exercise. We are also piloting our policies, for example, on cyber awareness "train the trainer" and the implications for Common Security and Defence Policy, CSDP, operations and missions planning, and also a cyber hybrid pilot course. In addition to providing the priorities, we offer collaborative opportunities and then link that with the EU funding opportunities and, very importantly, encourage the member states responsible to co-operate more together.

These are examples of the concrete activities we have ongoing. I ask Mr. Roehrig to come in on some of the other aspects.

Mr. Wolfgang Roehrig

On the strategic decision-making exercises which we have been running since 2014, the member states with which we have executed this type of exercise so far are Portugal, the Czech Republic, Austria, Greece, Cyprus, Latvia and Slovenia. We were designing this type of exercise from the beginning on the principle that in the cyber world, what is technically possible will most probably happen. Therefore, we were designing the scenarios from the beginning in 2014 along the aspect of “think the unthinkable” and make it into a scenario. The Deputy mentioned the very recent ransomware attacks on the Irish national health system. This scenario was already part of our initial way of doing the exercises or scenarios from 2014. This scenario also has the opportunity and option to be expanded into a hybrid environment, so it was also the baseline which was part of the hybrid exercise which was run with the Defence Ministers in 2017 under the Estonian Council Presidency.

The other aspect concerns the point on connecting capacities. This is exactly what we are aiming for with the MilCERT Interoperability Conference, MIC. Here, we are clearly striving for a network of operational capacity within member states to increase their information exchange and their co-operation because we clearly see a gap in the defence community. What is already standard on the civil side with, for example, the Computer Emergency Response Team, CERT-EU, network, which is fostered by ENISA, is not happening yet in the military community and we are now trying to foster this in line with the cyber security strategy from 2020, where it is explicitly addressed. We will also be an interlocutor for the civil network of CERTs.

In regard to the exercises, I imagine it was an opt-in to be part of those projects.

Our guests spoke about the joint cyber unit. Does the EDA see itself as the lead in respect of cyberdefence? I am not sure where cybersecurity and cyberdefence stop and start. Long term, we have to deal with defence capacity, international law issues, digital hygiene, and a capacity to disrupt attacks and even a counterstrike capacity. Obviously, our big fear is cyber-to-physical attacks. What is the roadmap into the future and who will be the lead at EU level?

Mr. Wolfgang Roehrig

Cyberdefence is the military part of cybersecurity. I do not know whether that is clear but it is the clearest way to interpret the link. The EDA is not an operational actor and, therefore, on any aspect of operational activities relating to cyberdefence, it is not the EDA in the driving seat, although it has a supporting role. As Mr. Ruutu mentioned, this work on the joint cyber unit in the defence and diplomacy community is led at this stage by the external action service, EAS, with the EDA in support. The link with the military community, following the establishment of the joint cyber unit, is one of the key items we have at the moment in the defence community. As Mr. Ruutu mentioned, a roadmap on how to engage with the defence community is being developed. Together with the diplomacy community, these communities in the EU context are still taking an intergovernmental approach compared with the other dimensions of baseline cybersecurity under the network and information security, NIS, directive, or combating cybercrime with the support of the European Cybercrime Centre.

I thank our guests for their presentation and for giving of their time on this important topic. I welcome greater co-operation throughout the European Union on issues such as defence and cybersecurity. It makes sense, particularly for a small country and member state such as Ireland, to pool resources and to work with like-minded member states to deal with these threats that have, as the President of the Commission said, advanced in such a way that one person with a laptop can now cause significant damage to a country, as we have seen in Ireland.

Many of the questions about the strategy and how this might work have been asked, so I will ask some more specific questions. What is the future of the European Defence Agency? What are its plans for the next five or ten years? What are its budgets for 2021 and 2022 and do our guests foresee an increased budget for the EDA in the next five or ten years? Is it recruiting additional staff and personnel with certain expertise to expand its operations to support member states?

Mr. Olli Ruutu

There is a growing realisation in the security environment we are in that more collaborative approaches are needed at European level to support member states' capabilities and to harness the tools we have available at European Union level. The agency was established in 2004 and we have supported member states since then. Our budget for this year was €37.5 million. Last week, we adopted the budget for 2022, at €38 million, which is accounted for by an indexation correction to keep us at that level. Of course, this is in the physical environment in which we have operated and, in light of Covid and the financial constraints our member states have faced, this is a conservative budget. Especially in the areas of innovation and supporting projects and programmes in defence capability co-operation, we see a need for a moderate increase in the years to come. The investment we are making in the collaborative part of defence capability development remains very modest.

In 2017, the agency was given three specific tasks and its role was defined further in the context of these three tasks. The first was prioritisation, which relates to examining, as I mentioned earlier, what Europe will need in the years to come, based, importantly, on member states' requirements in regard to the full spectrum of defence tasks that member states will need to complete, and also to meet the EU level of ambition. The question is what kind of capabilities we need to be a credible security provider in the years to come. It is important that we agree, based on member states' priorities and in co-operation with member states, what we need to focus our efforts on in order that they will have the broadest benefit.

These priorities are based on a capability development plan, an overarching strategic research agenda and industrial capacities and skills that are required. We need to have a long-term approach of co-operation and to build on these priorities. These priorities, which member states agreed to in the EDA framework, are also referred to in, for example, the regulation of the European Defence Fund. They will cover all EU defence-related activities as a guiding priority for the future. We are still on the prioritisation path. We are still developing and reinforcing our work on foresight in respect of both capability requirements and technology in order that Europe will be well prepared to analyse what is needed for the years and even decades to come.

The second task that was given in 2017 by defence ministers was to be the central forum for supporting defence projects, that is, projects undertaken together that can support member states' capability and development. We have run more than €1 billion worth of research and technology programmes in the agency's time. Currently, we are running between 100 and 120 ad hoc capabilities and activities. In many cases, these activities we are running, such as in research and technology, are activities where a number of member states, perhaps four, five or ten, make a moderate initial sum of investment but the most important thing is to examine what requirements we have and where we can find commonality. In that way, by harmonising our requirements, we can also create the basis for future operability, feasibility studies and many things that will go downstream and become capability development activities. We support projects also in the fiscal framework and try to rationalise and reinforce the effective use of funds.

The third area of co-operation and mandate we received relates to interfacing with wider EU policies. We are discussing cyber today, which is a good example of that, but it means that when we develop our defence capabilities and EU policies, we take into account what the defence and security policy requirements are in regard to making that policy. It is quite important now that we are able to have some EU funding through this multi-annual financial framework for defence-related research and capability development, but there are a number of issues relating to space or the environment where, in defence, we share responsibilities relating to sustainability and where we need collaborative approaches to ensure we are capable and credible and, at the same time, we fully carry the responsibility on environmental issues.

These are the three elements on which we are working. For example, in maritime security and many other areas of EU activity, how can defence support the joint efforts and how can policy development take into account defence requirements?

As to where the EDA has been focusing in recent years, we hope to see moderate growth in the collaborative approach, the more effective use of EU funds and the sum of EU member states' activities changing from individual ad hoc ones into something that in ten, 15 or 20 years' time and beyond support a credible and constructive approach to capability development.

On the question of where we see the EDA going, we have in recent years created an architecture of EU defence initiatives. Through the co-ordinated annual review on defence, we have commitments for more co-operation with the Permanent Structured Cooperation, PESCO. We have a European defence fund that, in co-operation with the Commission, awards through competitions concrete funding to SMEs and large and small industries and incentivises co-operative approaches. In that sense, we are on a good path. The important element is to ensure that we focus on priorities that are sustainable in the long term and we actively review and pursue the most cost-effective use of funds.

If Mr. Ruutu is hoping to see greater co-operation among member states, which would be welcome, I take it that he also hopes to see a growth in the EDA in terms of recruiting additional staff and increasing its budget, which is modest considering the EDA's work programme and the various areas on which it is focusing. I wish him well in that work.

Has Mr. Ruutu had engagements with other EU parliaments similar to today's? What has been the reaction of other member states to Dr. von der Leyen's speech and the announcement of the EU defence union?

Mr. Olli Ruutu

I should have thanked the committee for inviting us and giving us the opportunity to share how we, as an agency of the member states, see this developing. We have had some hearings in member states' parliaments. We welcome such opportunities because we have seen an increasing interest in co-ordinating and planning activities more jointly than previously. The political direction and guidance will be given by the member states and their parliaments but the earlier we are able to create an understanding of planning in national defence reviews and other documents, the more it will help us to find more opportunities for co-operation. As such, we welcome the opportunity of this meeting and would like to have more invitations like this one. We are grateful for the Irish Parliament's active and engaging approach. We are seeing signs of others doing the same and have been listened to in more and more instances.

I will again refer to the co-ordinated annual review on defence. It is an example that I hope can be used by various parliaments and decision makers throughout the member states. In November 2020, we presented findings on how we viewed the European defence landscape in terms of co-operation. The EU has state-of-the-art and world-leading capabilities in many respects but, in terms of planning jointly and investing together, we are still fragmented. We are not far enough along in making informed decisions on how Europe can do more together.

Through the review, we are starting a process with our colleagues in Ireland's Department of Defence of hearing member states' views on what is important in terms of national as well as regional requirements, including capability requirements, and what member states' technological perspectives are. With this review of and outlook on how European defence is developing, we hope to engage in discussions on and solutions for how to take the situation forward. This landscaping function and the co-ordinated review on defence will be key to making informed decisions. We hope to keep delivering in this regard so as to inform parliaments better.

I thank Mr. Ruutu for his comprehensive answers. Since no one else is indicating, does anyone wish to ask a supplementary question? We have time. I call Deputy Howlin, followed by Deputy Ó Murchú.

I will ask a brief question. I was interested in Mr. Ruutu's comments about supply chain security, which is a focus right now. Perhaps he will elaborate on what work has been done to ensure that we have supply chain security within the EU.

Mr. Olli Ruutu

I referred to our privatisation framework. We have a strand of work, called "key strategic activities", which identifies the industrial skills and know-how required in the European defence technological and industrial base to sustain capability development and research areas in accordance with our priorities. We monitor the supply chain and industrial landscape in areas such as materials and components in terms of how Europe can have a viable supply chain and we identify risks and opportunities in that regard. We are developing a risk management framework that is specifically dedicated to managing cybersecurity issues and military capability supply chains. A strong supply chain is a prerequisite for digital sovereignty. We are trying to develop this kind of assessment for military commanders. We are in the early stages of the risk management framework but we and other EU actors are looking at identifying what the requirements are for defence-trusted supply chains. In terms of the application of emerging disruptive technologies like artificial intelligence, we want to see what the requirements would be for certification of defence-trusted technologies.

We are conducting this work with member states and are at the beginning of discussions on what exact elements would help to manage risk in the supply chain. We are only one of the actors and I am sure that this is a matter of concern for others. Besides the risks and disruptions caused by Covid to the supply chain, there are also issues of security of supply owing to access to certain components and raw materials. This work forms part of our prioritisation of industrial competency, skills and efforts to ensure that we are prepared in terms of supply chain security.

I will follow up on my earlier questions. Do the joint exercises involve a straightforward opt-in?

Is that a straightforward opt-in? What are the criteria? Did a number of states decide to collaborate on it?

Mr. Wolfgang Roehrig

Member states requested the EDA to begin such an exercise. It is all voluntary, so we cannot and will not force any member state or government to run with this. We see a positive effect from all of this in that, in most of the member states that I mentioned, the exercise was a trigger to establish a national series of similar exercises to continuously train public and civil servants up to the highest level in how to react on this. As we said, we asked member states to apply natural rules, regulations and procedures. It would allow consideration of those procedures where there is a sequence involved as well. For sure, at any time, Ireland, for example, could ask the EDA to run such an exercise.

I have a general question about the European Defence Agency. Mr. Roehrig might have gathered from my earlier comments that even the name frightens the life out of me and other people in the context of where it will end up. There is a fear of a wider European army and so on. How do the protocols go with regard to the EDA determining what member states want and need, what the requirements are, the research that is done and where the EDA foresees it going in the future? I guess that Mr. Roehrig will not be able to give me a definitive answer. I will misquote whoever spoke earlier about the European Union as a security player, for want of a better term. What does the EDA foresee that being? I have a fear about where that will go, while also accepting that we have to deal with the situation, whether we are dealing with the consequences of the failed military operation in Afghanistan, which fell apart brutally, or with issues on the Polish border with Belarus, where Lukashenko is engaging in war by another means. I would be delighted if the witnesses could give detail on that.

Mr. Olli Ruutu

I would reaffirm what I was saying earlier. The EDA's role is really to support capability development co-operation. We are about collaborative opportunities. It is based on the logic that all member states can join those areas of co-operation that they wish to, whether it is cyberdefence or any other requirement, such as strategic lift, based on work that we initiated ten years ago relating to strategic lift or air-to-air refuelling. These capabilities were also used in the evacuations from Afghanistan. We are trying to support development of new capabilities and to support operational issues, including crisis management or any other requirements that individual member states have. Our approach is based on member states voluntarily engaging in any activities they have sought co-operation for. This is our mandate. It is a mandate in the treaties and it was further reinforced recently in light of the changes in the security environment. We are there for collaborative approaches based on each member state's requirements. That answers the question about our role.

The Deputy referred to priorities. They are based on a methodology where all member states bring matters that are important for them to the table. In this collaborative discussion, we came up with 11 priorities, which were established in 2018, relating to capability development. They cover all domains. Cybersecurity is one. We have to make sure that the European Union's capabilities in the long term are prepared and resilient. This is the approach and the work that the agency advocates.

In most cases, it would be a member state or a number of member states coming to the EDA, seeking action and to collaborate with each other. What roadmap does the EDA see? I accept what the witnesses have said about it being collaborative action that people opt into. How do they see the European Union operating when the matter of security meets foreign policy, especially when we are talking about those bigger issues?

Mr. Olli Ruutu

I think the Deputy is aware that the strategic compass at EU level is being discussed at present. We are one of the actors that has contributed to that discussion. Defence and foreign ministers discuss what to do. The work is ongoing so I will not prejudge any outcome. The aim from our perspective is to be capable but also more cost-effective through co-operation. As I said in the co-ordinated annual review, we have seen that we have a lot of capability to support our requirements in the future, but we need to be more effective together. This is the spirit in which we are working. Regarding the projection of that capability and supporting member states' requirements, I think this strategic compass will give a lot of direction to EU work. In our work, the European defence initiatives already prioritise capabilities through providing funding and the work programme, which is more on a technological basis. The Commission is working on the different synergies between civilian and military aspects. We would be able to have more cost-effective and sustainable investment in the requirements that member states have over time.

I thank Mr. Ruutu and Mr. Roehrig for their engagement. I apologise for my mispronunciation. Is it possible for the committee to maintain an element of engagement and see when things change? There is information about multi-annual funding for cybersecurity and the sphere that the EDA deals with, which I think it would be beneficial to examine.

I thank Deputies and Senators for attending. I also thank Mr. Ruutu and Mr. Roehrig for attending. We appreciate it. This is our second meeting on this issue. There will be other meetings, which will culminate in a report. We are grateful for the witnesses' attendance to look at an important, technical matter which affects people's lives daily, as Deputy Howlin pointed out with regard to recent issues with our health service.

The joint committee adjourned at 10.40 a.m. until 9.30 a.m. on Wednesday, 1 December 2021.