Good morning to the Chairman and the distinguished members of the joint committee. It is a real pleasure to speak to them today about the EU's cybersecurity strategy, which was released last December as a joint communication of the Commission and the high representative. I am joined by Mr. Wolfgang Roehrig, who is our head of unit for information security at the European Defence Agency, EDA, and who will be very glad to take questions from members after my introduction.
Given my position as deputy chief executive of the EDA, and in line with the agency’s mandate, I will address today’s topic from a defence capability development perspective. It is from that perspective that EDA was involved in preparing the strategy, given the responsibility of Mr. Josep Borrell as head of the agency. We worked closely with the European External Action Service on the defence-related parts of the strategy.
My message today is clear: achieving greater EU digital sovereignty will require a joint endeavour across the EU, bringing together civilian and defence efforts and leveraging synergies where relevant. I will address three dimensions where this will be necessary: policy; capabilities and technologies; and resilience.
On the policy perspective, building on the EU global strategy and the Council’s strategic agenda on the one hand, and on the security union cybersecurity strategies on the other, there would be clear benefits to defining a common approach to digital sovereignty at EU level. I have no doubt the strategic compass, which is currently being prepared, will contribute to this wider objective. At the same time, it will be a long-term endeavour, given, notably, the specificities of the defence community.
After the introduction of the strategic compass, the revision of the 2018 cyber defence policy framework, CDPF, is an opportunity for the defence community to contribute to shaping the ambition on digital sovereignty so an EU approach encompasses the perspective of the military and responds to specific defence needs.
Turning to the second dimension - capabilities and technologies - there is a clear need for more investment in cyber capabilities in the EU in view of the fast-evolving nature of the cyber-threat landscape. With the multi-annual financial framework and Next Generation Europe, the EU will be investing heavily in the digital field. This is very much welcome. In view of the increasing investments by the military on digitalisation of forces, we should leverage all possible synergies in this area. Let me welcome the Commission action plan on synergies between the civil, defence and space industries as an important step in this direction. To foster civil and military synergies, the EDA is working closely with the European Union Agency for Cybersecurity, ENISA, the Computer Emergency Response Team for the EU institutions, bodies and agencies, CERT-EU, and the European Cybercrime Centre, EC3.
When it comes to cyber defence capability development, we are surely not starting from scratch because, in the EDA framework, we have established EU-level priorities to guide the development of cyber defence capabilities and to focus our effort on cyber defence technological priorities.
Given the sensitivities associated with cyber defence, as well as the different levels of expertise and approaches among member states, a co-ordinated approach will, of course, take time. The EU defence initiatives offer a comprehensive framework to foster more collaborative capability development between member states.
The co-ordinated annual review on defence, CARD, for instance, offered a comprehensive defence review. The 2020 report, which was issued last autumn, identified more than 100 collaborative opportunities to develop next-generation systems. Ensuring the cyber resilience of the systems to be developed is a key requirement.
Permanent structured co-operation, PESCO, provides a dedicated framework to develop these collaborative opportunities. Already we can see that a great number of projects in the cyber and C4ISR area, with highly visible projects such as European Secure Software-defined Radio, ESSOR, the cyber rapid-response teams or the Cyber and Information Domain Coordination Centre, are paving the way. Member states have proposed, in the fourth wave of projects of PESCO, a cyber-ranges project that should build on the existing EDA Cyber Ranges Federation operation. The European Defence Fund, EDF, building on the European Defence Industrial Development Programme, EDIDP, will provide a powerful financial incentive to develop these capabilities, bringing together large industries, SMEs and mid-caps.
To avoid losing our technological edge, it is critical to invest in the right technologies. There is a clear convergence of civilian and military needs to master disruptive technologies, from artificial intelligence to quantum technologies. As cyber technologies are by and large dual-use in nature, we see clear added value in the defence community continuing to contribute to the research effort financed by Horizon Europe.
The last dimension I would like to address is resilience. The EDA has taken an important initiative, the EU MilCERT Interoperability Conference, MIC, to foster operational co-operation among EU military computer emergency response teams, CERTs. In fact, today co-operation among military CERTs still remains very limited, unlike in the civilian domain. This is also due to different national approaches - for example, on deterrence or attribution. This is why we have developed the MIC, combining an innovative type of live-fire exercise and strategic discussions. The first edition was successful, with participation from 17 EU member states in addition to Switzerland. We are now preparing the second edition, which is to take place in 2022.
To finish, let me mention two additional areas where, in parallel with the Commission’s agenda on the civilian side, the agency is actively supporting EU defence ministries in increasing our collective resilience, namely supply chain security and the further development of secure networks, which is required from an agency perspective as member states are sharing more sensitive data, including in relation to capability development projects. This is a natural outcome or requirement of deepening European co-operation on defence capabilities.
To keep to the timeline, I will conclude my presentation here, but, together with Mr. Mr. Wolfgang Roehrig, I am ready to go into more detail during the question and answers.