ECPR

Bridging the Divide: Legal, Strategic, and Organizational Initiatives in EU Cyber Defence and Their Integration with Civilian Security Policies

Cyber Politics
European Union
Globalisation
Governance
NATO
Security
Lucas Jesús Ruiz Díaz
Universidad de Granada


Abstract

This paper proposal examines the European Union's (EU) evolving legal, strategic, and organizational initiatives to counter cybercrime and hybrid threats, which have grown significantly over the past decade. These efforts, driven by the increasing complexity of cyber risks, have led EU Member States and Institutions to implement a range of instruments across various Treaty chapters, each involving distinct decision-making processes and EU powers. A notable development has been the establishment of twelve cyber defence and C4ISTAR projects under the Permanent Structured Cooperation (PeSCo) framework, marking the first time in the EU’s history that such initiatives have been jointly developed and funded. This initiative is a direct outcome of the EU’s efforts to strengthen its defence policy during the last five years. At the core of these efforts lies the concept of European digital sovereignty, which refers to Europe’s ability to act independently in the digital realm. This idea is closely linked to the EU’s broader strategic autonomy and has become a key theme in the political, institutional, and doctrinal debates within the Union. It is also central to the EU’s goal of creating “a stronger Europe,” as outlined in the EU Global Strategy. Despite these advancements, much work remains to be done, particularly in the area of cyber defence. Since the adoption of the EU’s 2013 Cybersecurity Strategy and the Network and Information Security (NIS) Directive, significant strides have been made in bolstering the Union’s resilience and preparedness in cybersecurity. However, cyber defence has not received the same level of attention as its civilian counterpart, even though the former explicitly aims to enhance the EU's cyber defence capabilities within the framework of the Common Security and Defence Policy (CSDP). 
Recent developments have highlighted the urgency of strengthening cyber defence not only to protect critical infrastructures within the EU but also to ensure the Union’s ability to respond effectively to cyberattacks targeting the EU or its Member States. The EU’s legal obligations, such as the solidarity clause (Article 222 TFEU) and mutual assistance clause (Article 42.7 TEU), reinforce this need. Moreover, the ability to protect against cyber threats is increasingly seen as crucial for the EU’s role in international affairs, as laid out in the Treaties (Article 21 TEU) and emphasized by EU Institutions and scholars. The disparity between civilian and military cybersecurity efforts is partially due to the differentiated areas of EU integration. However, the varying competences and decision-making procedures between these areas cannot solely explain the gap in the development of the “fifth domain of military activity.” This paper aims to critically assess the key legal, policy, strategic, and organizational initiatives taken so far in the area of cyber defence, analysing their connections to the civilian mechanisms established within the Area of Freedom, Security, and Justice and other internal and external EU policies. Through this analysis, the paper will highlight the challenges and opportunities for further integration of cyber defence within the EU’s broader security framework.