When Josep Borrell, the High Representative of the Union for Foreign Affairs and Security Policy called on the EU to deal with international affairs in "its own way", it was not long before observers noticed an obvious allusion to Frank Sinatra's popular song "My Way" and renamed his approach the "Sinatra Doctrine". The second pillar of this doctrine is particularly interesting as it is based on "strengthening the EU's strategic sovereignty by protecting technological sectors of our economy, which are key to ensuring the necessary autonomy and to promoting international European values and interests". Beyond question, this pillar got its confirmation in last year's worrying events that stand as a prime example of the Union's need to not only strengthen, but also expand its sovereignty into the digital realm of our highly-wired world.
The year 2020 will be remembered as the year of unprecedented health, socio-economic and security challenges of our modern History. The new reality of the COVID-19 pandemic forced us to turn our bedrooms into offices, blurring the lines between our professional and private lives. Although digital technologies enabled many to carry out their professional activities from home, they also served to reinforce our technological dependency. Consequently, ubiquitous digitalisation accelerated by remote working during the pandemic expanded the attack surface for malicious cyber actors and is raising concerns about the security of networked technologies.
Among many unanswered questions, the million-dollar one is: will the "new normal" last indefinitely? If so, can it evolve into a "brave new world" that is more secure, more resilient and based on digital growth? It's hard to predict how things will develop but in our imminent digital future, two things are certain:
Cybersecurity will be one of the principles Europe needs to follow in order to lead the way in digital, as Commission President Ursula von der Leyen mentioned in her State of the Union speech, while presenting her vision for Europe's "Digital Decade"
Taking into account the fact that social, political and economic dependencies on technology are deepening, a new paradigm of sovereignty in the digital domain stands at the core of the future that awaits us.
Considering all the issues we are facing in the new Great Power Competition transposed into the digital realm, European Commissioner for the Internal Market, Thierry Breton confirmed both of the statements above when he emphasised that "Europe must now lay the foundations of its sovereignty for the next 20 years''. As he explained, "At the forefront of the major challenges is our digital sovereignty, which rests on three inseparable pillars: computing power, control over data and secure connectivity".
Both of the top EU officials put cybersecurity protections, inter alia, at the very centre of the visions they presented, obviously bearing in mind the growing importance of the digital domain in the geopolitical struggle for tech primacy. This makes sense, as there are many ill-intentioned state and non-state threat actors willing to exploit Europe's vulnerabilities using cyber capabilities. Furthermore, recent high profile cyberattacks such as SolarWinds, Microsoft Exchange, Colonial Pipeline, the shutdowns of Ireland's health service, and the paralysis of local administration in the Belgian city of Liège confirm the belief that cybersecurity breaches are a growing trend worldwide. Undoubtedly, the times they are a-changin', as Bob Dylan would say.
In order to safeguard its digital sovereignty in the making, strengthening cyber resilience of its network and information systems is of paramount importance for the Union. Figures published by the European Parliament on the economic benefits of the European Digital Single Market for citizens and businesses remind us of the urgent need to constantly upgrade the collective cyber protection of all crucial sectors and critical infrastructure (e.g., banking, energy, healthcare, transport, telecommunications, public administration, etc.). In doing so, Europe can reap the rewards of its digital recovery strategy.
Therefore, and in accordance with a provision from the Directive on the security of network and information systems (NIS Directive) on the periodic revision of its functioning, the European Commission proposed a revised version, the Directive on measures for high common level of cybersecurity across the Union. Published on December 16, 2020, the so-called NIS 2.0 came in due time – exactly a week after a cyberattack against the European Medicines Agency – to confront the challenges head-on and make another step forward in fostering Europe's cyber resilience and digital sovereignty in the ever-expanding cybersecurity threat landscape.
Adopted by the European Parliament in July 2016, the NIS Directive imposed cybersecurity requirements and incident reporting obligations on Operators of Essential Services (OESs) and Digital Service Providers (DSPs). Thus, it was recognised as the first and one of the most important pieces of legislation for cybersecurity in Europe. The NIS 2.0 proposal aims to "modernise" its predecessor and address "several weaknesses that prevented the NIS Directive from unlocking its full potential". When the curtains close, this aim can go hand in hand with the "Sinatra doctrine", but applied in – cyberspace. The revision, if approached from a strategic perspective, can be used to promote the EU's vision of cyber governance by rethinking security of its network and information systems in the context of the aforementioned sovereignty. Moving beyond our "traditional" positioning of the EU between other global forces should be a natural evolution based on the "EU Way" of thinking in the case of cyber and digital issues. After all, the time has come for the Union to "take its destiny into its own hands" led by a "Geopolitical Commission'' under President von der Leyen.
If it truly wants to unlock the full potential of the NIS 2.0 follow-up, the Union needs to take concrete actions towards its empowerment. That said, the EU's sovereignty or strategic autonomy is not only reflected in bolstering its production of advanced components for data processing or by reducing its dependence on external suppliers for raw materials (the extent of technology dependence is analysed in the EU Foresight Report) but also in strengthening and promoting the EU-wide level of cybersecurity capabilities with a clear mindset shift. The Union needs to be bold in making the necessary adjustments in the new legislation that can stand the test of time. Indeed, considering the slow-moving legislative processes and the fact that the NIS 2.0 follow-up will become reality on the ground only three years from now, anticipatory governance and policy-making with a futurist mindset are a must. Of course, this task is no cakewalk. Implementing and managing a changed paradigm, i.e., proactively seeking its own path in cyber and leading by example, will require the cooperation of all relevant stakeholders. Hence, a reformed NIS Directive aims at further strengthening the role of security operations centres (SOCs) with cross-border cooperation between private companies, public organisations and national authorities. Considering that the private sector is a principal actor in cyberspace and the first line of defence – the cybersecurity ecosystem is, largely, a private market – an enhanced partnership between private and public sectors is essential. This partnership can prove to be crucial in achieving greater resilience by early detecting an attack and applying the necessary countermeasures. Needless to say, the importance of public-private initiatives in securing critical infrastructure was also brought to the spotlight by the US President Joe Biden during the Cybersecurity Summit at the White House last summer.
Looking forward, "whole-of-Union" effort is required in order to increase the level of cyber resilience of critical infrastructure, both in public and private sectors. It is not a panacea but a need if the Union wants to make progress in becoming a standard setter. The recent creation of a new "AUKUS" alliance was a geopolitical eye-opener for Europe as it was blindsided by its allies. However, the train still hasn't left the station when it comes to cyberspace and a reformed NIS Directive will be one of many stops towards resilient and sovereign Europe.