EU defence ministers adopted on Tuesday (23. May) conclusions on cyber defence, pointing out the need to avoid duplications in the institutional architecture, and stating their priorities on skills development and voluntary coordination in the defence sector.

The 18-page document undersigned by the EU27 defence ministers came in reaction to the Joint Communication of the European Commission and the High Representative on the EU Policy on Cyber Defence last November.

The document vouches “to further invest in our modern and interoperable armed forces, cutting-edge technologies, state-of-the-art cyber defence capabilities and enhance partnerships to address common challenges.”

As the primary threat to the security of EU networks, the member states mostly mentioned Russia, while also touching on China.

At the same time, the EU countries remained vague regarding the need to “deter against cyberattacks” and the offensive cyber measures EU member states could put in place for defensive purposes.

Intra-EU coordination

The Foreign Affairs Council’s document stresses that the collaboration with other EU institutions, bodies and agencies, such as ENISA and CERT-EU, should avoid “any unnecessary duplication of efforts.”

ENISA, the EU’s agency for cybersecurity, has recently introduced a Cybersecurity Skills Framework that is a hands-on tool to identify tasks, competencies, skills and knowledge related to the roles of EU cybersecurity professionals.

CERT-EU is the EU’s Computer Security Incident Response Team, which oversees the ICT security of Union institutions and organisations. Currently, the EU plans to expand the capacity and funding of the CERT-EU, tasking it with a coordinating role in vulnerability disclosure and with proposing benchmarks for the institutions’ cybersecurity frameworks.

Cyber skills gap keeps widening, report warns

A new report on the Global Approaches to Cyber Policy, Legislation and Regulation gets to the bottom of the cyber skill talent gap, which increased in the EMEA region by almost 60%.

Skills development

On the topic of cyber education, training and exercises, the Council emphasised various projects but omitted the Commission’s Cyber Skills Academy, which is only mentioned near the bottom of of the document and in the context of the cybersecurity skills gap.

The Cybersecurity Skills Academy was launched by the Commission in mid-April to close the cybersecurity sector’s ongoing skills shortage and develop the EU’s cyber resilience.

Instead, the Council highlighted the Permanent Structured Cooperation projects, launched five years ago and reviewed this week by the EU defence ministers, to evaluate the bloc’s capabilities. Concerns were raised as a number of projects out of the total of 68 are moving slowly.

EU lawmakers kick off cybersecurity law negotiations for connected devices

Manufacturers’ obligations, reporting, compliance and enforcement are the main areas of the first compromise on the new cybersecurity law EU lawmakers will discuss next week.

Coordinated approach to defence

In the EU defence ecosystem context, the Council invited the national governments to develop “non-legally binding voluntary recommendations inspired by NIS2 to increase cybersecurity in the defence community.”

The revised Networks and Information Directive (NIS2) introduces specific obligations for entities that are considered essential or important for the functioning of society.

NIS2 is also a benchmark for the EU’s new cybersecurity law, the Cyber Resilience Act. One month ago, the Swedish EU Council presidency proposed reworking the Cyber Resilience Act to allow national governments to impose additional security requirements for ICT products used by entities that qualify as essential or important under NIS2.

Skills gap puts EU cybersecurity rule compliance to the test

A new regulatory framework to increase cybersecurity resilience is falling into place at the EU level, but it risks exposing the growing shortage of cyber-talent in regulators and companies.

A number of new regulatory requirements are set to enter into force …

Support to the industry

The Council also highlighted the need to “scale up a European cybersecurity industry with the support of the ECCC as an essential pillar for this mechanism to be operational”.

The European Cybersecurity Competence Centre (ECCC) was set up one year ago, but its office only opened its doors two weeks ago in Bucharest and is still significantly short-staffed.

Furthermore, the appointment of the Centre’s executive director, a long-standing point of contention between the European Commission and Romania, is still to be finalised.

Commission delays giving new cybersecurity centre full autonomy

The European Commission has been postponing the appointment of a permanent executive director of its new cybersecurity body in order to retain partial control over the organisation, several EU diplomatic sources told EURACTIV.

Read more with EURACTIV

EU Council advances on removal orders, reporting on anti-child abuse law