EU’s role in shaping cyber legislation – Part Two of Three

The European Union´s role as a global cyber power mainly relies on its ability to shape cyber-related legislation and standards of state behavior. This might prove challenging due to its institutional structure and civilian power characteristics. Still, the cyber diplomacy directive adopted by the European Council in December 2015 marks the EU’s more proactive role in international cyberspace policy development.

By Rusudan Zabakhidze

While the European Union (EU) has established itself as a regional cyber security player, it is far from being a global cyber power. With the EU’s defense and security policy still under construction, the EU remains a civilian power that lacks hard power capabilities – both in the “analog” and the “digital” realm.

The EU’s aspiration to become a cyber power has been the result of two developments. The first is the increasing development of EU competences and the second is the blurred distinction between domestic and international agendas. In order to demonstrate unity, the European Council has called for the development and implementation of a common and comprehensive approach to global cyber diplomacy. The Council of the EU [1] also encourages the Union and its Member States ‘to prepare cyber dialogues, avoiding duplication of efforts and taking into account the broader EU political and economic interests, collectively promoted by all EU actors’.

The EU’s role as a global cyber power mainly relies on its ability to shape cyber-related legislation as well as norms and standards of state behavior. This might prove challenging due to its institutional structure and civilian power characteristics. Still, the cyber diplomacy directive adopted by the European Council in December 2015 marks the EU’s more proactive role in international cyberspace policy development [2].

Even though the type of cyber security threats and their sources are more diversified than ever, liberal democracies are failing to respond to them with active measures. Regulating cyberspace is obviously a challenging task, as it requires to bring together diverse actors with various interests. This is where the window of opportunity opens up for the EU. The EU has been relatively successful in bringing together civilian and military stakeholders, as well as centers of excellence, industry, and academia [3]. (More on this in Part 1 of the series: EU Cyber Security Capabilities).

One of the main goals of the EU’s cyber diplomacy is to find international consensus on how to apply existing international law to cyberspace and to develop norms for responsible state behavior. The United Nations Charter does not refer to cybersecurity as by the time it was created, the Internet simply did not exist. The EU supports the idea that the UN Charter should apply to the cyber realm as well. The September 2017 Joint Communication on ‘Resilience, Deterrence and Defense: Building strong cybersecurity for the EU’ endorses the non-binding norms, rules, and principles of responsible state behavior in the field of Information and Telecommunications that have been articulated by the UN Group of Governmental Experts [4].

One of the notable examples that can be analysed to further understand the EU’s ability to influence international norm setting is the General Data Protection Regulation, which gives European citizens more control over the use of their private data. In a United States Senate hearing, Facebook CEO Mark Zuckerberg noted that the European legislation seems fair and suitable to prevent unwelcome interferences and misuse of customer data in the future [5]. Even though the regulation has not become an international standard yet, international discourse commends the EU’s progressive vision regarding data protection. Decreasing the vulnerability of European citizens and companies, in addition to building secured information and communication systems, creates a strong foundation for cyber security deterrence.

The real challenge to develop an effective legislation lies in overcoming the EU bureaucracy against a fast-developing and ever-changing cyber environment. Even though the European Union is yet to become a powerful cyber security actor, its diplomatic efforts to support the application of the international law to cybercrimes have the potential to set international norms and principles of responsible state behavior. Amongst others, the EU has started to influence the global discourse through cooperation with third countries and other regional organisations. The scale, achievements and challenges of this type of cooperation will further be discussed in the final part of the series on the EU Cyber Security Capabilities.

Sources:

[1] Reform of the Cyber Security in Europe. 2017. Council of the European Union. Retrieved on July 27, 2018 from: http://www.consilium.europa.eu/en/policies/cyber-security/ [2] European Commission. (2017. Digital Single Market. Cybersecurity. Retrieved on July 27, 2018 from: https://ec.europa.eu/digital-single-market/en/cyber-security [3] European Commission and High Representative of the EU for Foreign Affairs and Security Policy. (2013). Cyber Security Strategy of the EU: An Open, Safe and Secure Cyberspace. Retrieved on July 27, 2018 from: https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf [4] Jaku Bund, Pawlak Patryk. (2017) Minilateralism and norms in . cyberspace. EU Institute for Security Studies. Retrived on Sep 15, 2018 from https://www.iss.europa.eu/sites/default/files/EUISSFiles/Alert%2025%20Cyber%20norms_0.pdf [5] The Washington Post. (2018). Mark Zuckerberg testifies on Capitol Hill (full Senate hearing). Retrieved on July 27, 2018 from: https://www.youtube.com/watch?v=6ValJMOpt7s