At the Telecoms Council on 21 May, European telecoms, digital affairs and cybersecurity ministers adopted Council conclusions on the future of cybersecurity, 

These conclusions were prepared and negotiated by the Belgian Presidency of the Council of the European Union, piloted by the CCB. They are the result of a 'stock-taking' conducted since January with member states, the European Commission and the private market on the evolution of cybersecurity policy during the past and the next European legislature. This stock-taking concerned one of the cybersecurity priorities of the Belgian Presidency programme.

Through these Council conclusions, the 27 member states provide direction for the development of future cybersecurity policies within the European Union and establish principles to help build a more secure and resilient European Union.

A word of context
 

In recent years, cyber threats have significantly increased in level, complexity and scale. This development goes hand in hand with increasing global geopolitical tensions, especially since the start of the war of aggression against Ukraine. The importance of cybersecurity can therefore hardly be overstated, especially in the context of increasing digitalisation. This is even more so since the Covid Pandemic and the advent of Artificial Intelligence. Although most digital infrastructure and services are owned by private organisations, cybersecurity is a shared responsibility.

In response to this threat, numerous European cybersecurity legislation has been passed in the past 5 years. We went from just the NIS1 Directive in 2016 to the Cybersecurity Act (CSA) in 2019, the Cybersecurity Competence Centre & Network (ECCC) in 2021, the NIS-2 Directive & the EU IBA Regulation in 2023, and the Cyber Resilience Act (CRA), Cyber Solidarity Act & CSA amalgamation in 2024. So, an increase of over 600% in EU cybersecurity laws. There were also many other initiatives such as the 5G Toolbox, the creation of the EU CyCLONe Network for crisis management, the Cyber Posture & Cyber Defence Conclusions, the Cybersecurity Electricity Code and, of course, related legislation from the digital corner (Digital Markets Act, eIDAS-2, the AI Act and many more).

Conclusions
 

In the 37 paragraphs of these adopted Conclusions, EU Member States stress, among other things, that the focus should now be fully on implementation of all this legislation, which will be a strenuous work, for national agencies as well as industry. For this, harmonisation of standards, certification, supply chain security and cooperation with the private sector are essential. There should also be a specific focus on supporting small and medium-sized enterprises (SMEs) and ensuring sufficient funding and skilled experts for cybersecurity initiatives, from both public and private sources.

The conclusions also call for a coordinated approach to cybersecurity, which should avoid fragmentation by sectoral legislation and clearly identify the distinct roles and responsibilities at European level. Strengthening cooperation in the fight against cybercrime and revising the crisis management framework for cyber incidents are crucial. Furthermore, the importance of a multi-stakeholder approach, in which cooperation with the private sector and academic institutions is central, is stressed.

At the same time, it also calls for more Active Cyber Protection and harnessing the opportunities of digital identity to increase cyber security, two core concepts for the CCB.

Cybersecurity is also at the intersection of internal European policies and external relations with the rest of the world. Member states therefore call for enhanced cooperation with third countries, especially in the transatlantic context, to contribute to a robust global cybersecurity ecosystem.

Finally, it looks ahead to the opportunities and threats to cybersecurity from emerging technology such as AI, quantum, 6G. More action is also called for around Free and Open-Source Software.

The Council also calls on the European Commission and the High Representative to present a renewed cybersecurity strategy that responds to the changing and growing threats, incorporating these conclusions.

The Council conclusions were therefore appropriately titled: Implement and Protect together.