A service for global professionals · Sunday, May 19, 2024 · 712,893,211 Articles · 3+ Million Readers

Taming national interests within the CFSP

The CDT should serve as an EU instrument to help address these cyber threats. After all, it was intended to provide the EU with capabilities that would allow for appropriate joint diplomatic responses to cyberattacks, corresponding to the scope, extent, duration, intensity, and impact of the respective attacks. Its goal was to establish a basis for proportional, appropriate responses to cyberattacks. Low-threshold attacks typically result in the EU issuing a protest note or summoning an ambassador. In contrast, severe attacks prompt the implementation of targeted restrictive measures, such as freezing accounts or imposing travel restrictions. However, unanimity in the Council makes proportional, appropriate political and legal responses to serious cyberattacks almost, if not entirely, impossible. This was evident in the EU’s response to the KA-SAT incident, where unanimity prevented the imposition of additional sanctions against Russia, despite the attack’s disruption to Europe’s energy supplies.

Qualified majority voting (QMV) would help overcome obstacles to common action, as set out in the CDT implementing guidelines from 2023. The Council states that joint EU attributions taken by QMV facilitate exposing “the specific malicious cyber activit[ies] or specific actor, enable mitigating initiatives, promote the UN framework for responsible state behaviour, demonstrate capacity to identify its origin, discourage future malicious cyber activities, as well as to enable other response options to be used sequentially”.

However, to date, a not insignificant proportion (29%) of cyberattacks against EU member states since 2009 remain unattributed (Figure 2). The KA-SAT attack in February 2022 stands out as the only incident that has been officially attributed to a state by the governments of the US, UK, Canada, Australia, as well as by a statement of the High Representative (HR) of the EU. At the same time, very few cyberattacks were met with political or legal responses by EU member states since the launch of the CDT (14% and 14.4%, respectively). Rather, EU member states have primarily responded to cyberattacks with stabilizing (e.g. statements by ministers, deputies, or heads of government) or preventative measures (i.e. political declarations intended to point out growing cyber risks). In addition, there is a significant disparity in the rate of political responses to cyberattacks among member states, further highlighting the inconsistencies in current responses to cyber threats within the EU. For example, Estonia responded with political reactions to 44% of all cyberattacks it faced, while the Netherlands only responded to 4%. This may indicate that the EU member states’ countermeasures to cyber incidents are primarily political in nature and not necessarily proportional to the intensity of the cyberattacks.

Consequently, many perpetrators of these serious cyberattacks remain unaccountable, and the lack of a uniform strategy or coordinated attribution process among the member states, let alone at the EU level, merely serves to exacerbate the issue. The unanimous decision-making required in the CFSP significantly hinders the EU’s ability to respond swiftly and effectively to cyber threats, particularly against critical infrastructure. On the other hand, QMV would allow the HR to take stabilizing measures, for example statements condemning states and urging them to stop their cyberattacks against the EU. Additionally, varying forensic capabilities and differing perceptions of threats among the member states further complicate the consensus needed for collective action. The diversity in threat perception and response mechanisms across the 27 member states highlights the need for a Europeanized or harmonized approach to cyber foreign and security policy. This is crucial not only for ensuring external protection but also for the smooth functioning of the (digital) internal market and its associated value chains.

Cyber foreign and security policy is a relatively new aspect of EU policy which, owing to its technological nature, has experienced limited politicization to date. Cyberattacks not only have a transnational impact but also pose a threat to the security of the entire Union, its member states and citizens. Therefore, fulfilling the protective role within the framework of the CFSP is absolutely necessary.

As the EU is increasingly faced with cyber threats, it is imperative that it focus more of its efforts on safeguarding critical infrastructure. Enhancing resilience and improving crisis management, while upholding international law, are crucial steps for the EU and its member states to adapt to such challenges. Qualified majority decisions in the Council of the EU in European foreign and security policy should proceed cautiously, variably, and according to a clear roadmap. EU foreign and security policies should be decided by QMV, as they necessitate an immediate and effective crisis response. This would help to broaden the fundamental understanding of the pressing challenges and to extend the limits of the current technical or legal understanding of the CFSP/CSDP to tasks formulated in the Strategic Compass, such as combating hybrid threats or defending against cyberattacks. Ultimately, the roadmap should initially focus on technical and less controversial issues before addressing the politically contentious ones. The decision on whether the HR should make a declaration on behalf of the EU is to be determined by QMV. To this end, European foreign and security policy must fundamentally distinguish between technical resilience-related and politically sensitive sanctions: as a starting point, the application of instruments such as preventive cooperation or stabilizing measures with third countries should be initiated. Most of the preventive measures are so far directed towards friendly neighbouring countries of the EU. However, cooperative measures such as dialogues could be extended to authoritarian states. For example, QMV would allow the EU to engage in capacity-building efforts with other regional organisations such as the African Union (AU). After successful collaboration in the first phase, member states could then move to the second phase and expand their ambitions to the application of restrictive measures. In the third and final phase, coercive measures according to international humanitarian law could be added to complete the spectrum of powers. The timetable for transitioning from one phase to the next should be determined by the member states in cooperation with the national parliaments and the EP.

Sovereignty safety nets

Integration steps in the field of European foreign and security policy, and particularly the introduction of QMV, often fail due to the national reservations of some member states, which see their vital national interests threatened. Therefore, current discussions on reforming the CFSP largely focus on expanding the sovereignty safety net. The safety net solution is intended as a political arrangement agreed by all member states, akin to the “Luxembourg Compromise” initiated by the French government back in 1966 when QMV was first introduced in certain areas by the Treaty of Rome. This compromise gives member states an informal veto right in decisions made by the Council of Ministers where QMV is stipulated by the Treaties of Rome, when they believe their national interests are at stake. The Group of Friends on QMV is currently discussing such options to facilitate the introduction of more QMV specifically within the CFSP.

The Treaties already provide for the use of QMV within the CFSP in specific cases referred to in Article 31(2) TEU and through the “passerelle clause” of Article 31(3) TEU. However, this does not apply to CFSP decisions with military or defence implications. In addition, an “emergency brake” is foreseen by Article 31(2), whereby any member state can object to a decision being taken by QMV for “vital and stated reasons of national policy”. Based on the “passerelle clause”, the Juncker Commission proposed, back in 2018, the gradual extension of QMV to three areas of EU foreign policy: EU positions on human rights in multilateral fora; the adoption and amendment of EU sanctions regimes; and the civilian CSDP. In order to strengthen the resilience and security of the EU as such, the application of QMV could also be considered within the framework of cyber foreign and security policy.

Expanding the sovereignty safety net may facilitate building political consensus for incorporating more QMV into the CFSP. However, it should be complemented with special accountability obligations when member states exercise their veto. Ensuring vital interests in the context of improving the CFSP can be discussed along with the need for a more effective EU cyber foreign and security policy. To claim national interest reservations, factual, political as well as concrete threat situations for the Union and its member states should also be taken into account. Therefore, QMV in cyber foreign and security policy should be supplemented with special accountability obligations regarding the threat situation of the Union and its member states.

Moreover, while the treaty provides various options for member states to safeguard their interests and even delay or halt EU action (including actions based on the principle of sincere cooperation (Article 4(3) TEU) and loyalty and mutual solidarity (Article 24(3) TEU)), constructive abstention under Article 31(1) subparagraph 2 of the TEU uniquely allows for the protection of national interests without obstructing Union action. Any member of the Council that abstains from voting can justify their abstention with a formal declaration. In this case, the Council member is not obliged to apply the decision but agrees that the decision is binding for the Union. Hungary has already made use of constructive abstention in providing military equipment to the Ukrainian armed forces through the EPF. However, if member states who abstain represent at least a third of the member states, constituting at least a third of the population of the Union, the decision will not be adopted. Further emphasizing the use of constructive abstention could prove to be another simple means of safeguarding national interests while enabling Union action within the CFSP without necessitating amendments to the treaty.

Passerelle clause and Article 31(3)

Given the cumulative effects of cyberattacks under the threshold of an armed conflict, especially against critical infrastructure, recourse to the “passerelle clause” would be advisable. If the special “passerelle clause” in Article 31(3) TEU for introducing QMV into cyber foreign and security policy were activated, the discussions could be followed by a political declaration. In this declaration, it should be considered that recourse to a national interest should not impair the Union’s ability to act in preventing concrete danger.

A “passerelle” decision according to Article 31(3) TEU, containing a new safety net, could serve as a starting point for discussions to bring all 27 member states on board, but it should also avoid the negative external effects of individual state behaviour. A safety net for Article 31(2) TEU (in addition to the existing possibilities) should take into account the validity of the national interests presented in each case according to the cyber threat situation. This could then be reviewed by the European Union Agency for Cybersecurity (ENISA), and through tools such as a European Repository on Cyber Incidents.

The costs incurred by recourse to the national interests of the member states, which subsequently impede Union action in danger prevention, should be included in the justification. The costs of non-action or cyber (in)security for the EU and affected member states should be considered in a political declaration on recourse to national interests.

Political declarations required

The previous proposals for sovereignty safety nets have been purely legal and technical and less political in nature. In view of the EU’s current geopolitical situation, there is a compelling case for mandating that member states provide political justifications when invoking national interests. These justifications should address the broader impacts on other member states, particularly concerning the protection of critical infrastructure. When employing sovereignty safety nets, detailed explanations should be required and included in political declarations. Three arrangements need special attention: the emergency brake, the blocking minority, and the Ioannina mechanism.

Member states have the emergency brake instrument at their disposal, as provided for in Article 31(2) subparagraph 2 of the TEU. It allows a member state to oppose a decision by a qualified majority for important reasons related to national policy. In such instances, a vote is not conducted, and the High Representative seeks to negotiate an acceptable solution with the concerned member state. If the High Representative does not succeed, the Council can request to decide by qualified majority by referring the matter to the European Council for a unanimous decision. The definition of national interest in this context needs to be well-justified, ensuring it aligns with situations where protecting the national interest of one member state outweighs addressing the cyber insecurity of other affected member states, or the functioning of the internal market.

When the Council decides by qualified majority, a blocking minority requires at least four member states representing more than 35% of the EU’s population. If a blocking minority is formed, no decisions can be made. Regarding cyber foreign and security policy, invoking a blocking minority would be considered inadmissible if member states whose cybersecurity is less compromised than those directly affected by cyberattacks were to do so.

If the Council decides by qualified majority, the Ioannina mechanism (Council Decision 2009/857/EC) is also applicable. The mechanism obliges the Council to persist in discussions and seek solutions within a reasonable period if member states representing at least 55% of the EU population or at least 55% of the member states forming a blocking minority oppose the adoption of a legislative act by qualified majority. However, there is always the possibility of requesting a vote according to the Council’s Rules of Procedure. Resorting to the Ioannina mechanism would hardly be justifiable if it were to limit the cyber defence of individual members or the EU as a whole.

European sovereignty and strengthening the resilience of critical infrastructure can be more efficiently and effectively achieved by introducing QMV into the CFSP. Specifically, doing so could increase European operational capability in cyber foreign and security policy. Recourse to national interests that restrict situational awareness or European cyber defence should not come at the expense of European solidarity. A sovereignty safety net, which could facilitate member states’ willingness to take CFSP decisions by QMV and will be introduced by a political declaration, should always place common European interests above national ones.

About the authors:

Dr. habil. Annegret Bendiek is Senior Fellow in the EU / Europe Division at SWP.
Max Becker is Research Assistant in the EU / Europe Division.
Camille Borrett and Paul Bochtler are Data Analysts in the Information Services Department at SWP.

Powered by EIN Presswire