The European Commission has released ProtectEU, a comprehensive European Internal Security Strategy designed to assist Member States and enhance the EU’s capacity to ensure the safety of its citizens. The strategy outlines a vision and work plan for the future, featuring a more robust legal framework, enhanced information sharing, and strengthened cooperation. It also enhances resilience against hybrid threats by protecting critical infrastructure, reinforcing cybersecurity, and combatting online threats.

The Strategy aims to foster a change of culture on internal security, with a whole of society approach involving citizens, businesses, researchers, and civil society. Security aspects will be mainstreamed in developing new initiatives, and a new European internal security governance framework will support the implementation of the Strategy.

The ProtectEU Strategy complements the Preparedness Union Strategy and the European Defence White Paper. Together with the forthcoming European Democracy Shield, they form a comprehensive framework for a safe, secure, and resilient EU. The European Commission, in collaboration with Europol, has ensured that the actions outlined in the Internal Security Strategy are supported by evidence from the EU Serious and Organised Crime Threat Assessment (EU-SOCTA). Presented last month, the assessment identifies priority crime areas and key threats that the EU is expected to confront over the next four years.

The EU must enhance its resilience against hybrid threats by protecting critical infrastructure, reinforcing cybersecurity, and combatting online threats. Member States are to fully implement the Critical Entities Resilience (CER) and NIS2 Directives. The strategy also foresees a new Cybersecurity Act, new measures to secure cloud and telecom services and develop technological sovereignty, and measures to reduce dependencies on single foreign suppliers and de-risk supply chains from high-risk suppliers, including a revision of procurement rules.

Furthermore, the focus must be on reinforcing the security of transport hubs, with an EU Ports Strategy and new reporting systems to strengthen aviation security, transport, and supply chains, as well as an Action Plan against chemical, biological, radiological, and nuclear (CBRN) threats.

“Safety is one of the key prerequisites for open, vibrant societies and a flourishing economy,” Ursula von der Leyen, president of the European Commission, said in a media statement. “That’s why we are launching today an important initiative to better tackle security threats like terrorism, organised crime, surging cybercrime, and attacks against our critical infrastructure. We will strengthen Europol and give law enforcement up-to-date tools to fight crime. But also researchers, businesses and even citizens can contribute to greater safety for all.”

The ProtectEU Strategy detailed that the lines between hybrid threats and open warfare are blurred. “Russia has been waging an online and offline hybrid campaign against the EU and its partners, to disrupt and undermine societal cohesion and democratic processes, and to test the EU’s solidarity with Ukraine. Hostile foreign states and state-sponsored actors seek to infiltrate and disrupt our critical infrastructure and supply chains, to steal sensitive data and position themselves for maximum disruption in the future. They use crime as a service and criminals as proxies. Moreover, our dependencies on third countries in terms of supply chains make us more vulnerable to hybrid campaigns by hostile states,” it added.

The Commission will propose an ambitious overhaul of Europol’s mandate to turn it into a truly operational police agency that better supports Member States. The aim is to bolster Europol’s technological expertise and capacity to support national law enforcement agencies to enhance coordination with other agencies and bodies and with Member States, to reinforce strategic partnerships with partner countries and the private sector, and to ensure a strengthened oversight of Europol.

The frequency and sophistication of hostile acts undermining the security of the EU have increased, with malicious actors expanding their arsenal significantly. Hybrid campaigns targeting the EU, its member states, and partners have intensified, featuring acts of sabotage targeting critical infrastructure, arson, cyberattacks, election interference, foreign interference and manipulation of information (FIMI), including disinformation, and weaponization of migration. Due to their political and operational role and the nature of the information they handle, Union institutions, bodies, offices, and agencies (Union entities) are not spared.

The EU must enhance its resilience, utilise current tools effectively, and develop new ways to confront these evolving threats stemming from state and non-state actors, both now and in the future.

The ProtectEU Strategy noted that threats to critical infrastructure, including hybrid threats like sabotage and malicious cyber activity, are a major concern, notably for the infrastructure that connects Member States – be it energy interconnectors or cross-border communication cables and transport. “Since Russia’s war of aggression against Ukraine, acts of sabotage targeting critical infrastructure have increased, particularly in 2024, affecting numerous Member States. Cooperation between law enforcement, security and cybersecurity services, military and civil protection, and private operators is essential to anticipate, detect, prevent, and respond to such acts effectively,” it added. 

Reducing vulnerabilities and strengthening the resilience of critical entities is imperative to ensure the uninterrupted provision of essential services vital for the economy and society. Timely transposition and the correct implementation by all Member States of the CER directive and the Directive on measures for a high common level of cybersecurity across the Union (NIS2) are therefore crucial in that regard.

“To ensure swift progress, the Commission will support Member States in identifying critical entities and exchanging good practices on national strategies and risk assessments as regards essential services, in cooperation with the Critical Entities Resilience Group and NIS Cooperation Group,” according to the ProtectEU Strategy. “Should critical infrastructure disruptions occur with significant cross-border impact, the EU Critical Infrastructure Blueprint will coordinate EU-level responses. The Commission encourages the Council to quickly adopt the EU Cyber Blueprint, which will further bolster coordination in the crisis management context, facilitating closer collaboration between authorities on physical and digital resilience.” 

It added that following successful energy sector stress tests in 2023, the Commission will promote voluntary stress tests in other key sectors for internal security. Additionally, the Commission will provide a Union-level overview of cross-border and cross-sectoral risks to essential services to support Member States’ risk assessments and inform a comprehensive EU-level risk assessment. Also, in line with the Preparedness Union Strategy, the European Commission will engage with member states to identify further sectors and services not covered by the current legislation for which there might be a need to act.

“The EU-NATO Task Force on the resilience of critical infrastructure has fostered excellent cooperation in sharing best practices and enhancing resilience in energy, transport, digital infrastructure, and space sectors,” the ProtectEU Strategy identified. “This work will continue within the EU-NATO Structured Dialogue on Resilience. The EU Hybrid Toolbox offers robust support to Member States and partners in preparing for and countering hybrid threats. Hybrid Rapid Response Teams provide tailored short-term assistance upon request to Member States, various EU missions, and partners. Furthermore, the Commission will take forward EU cooperation on combating sabotage through expert activities, including a dedicated joint work programme for the experts to streamline information exchange and map out countermeasures.”

Incidents affecting submarine cables in Europe highlight the need for stronger measures and clearer responses. As outlined in the EU Cable Security Action Plan, the Commission, alongside the High Representative, will collaborate with Member States, EU agencies, and partners like NATO to prevent, detect, respond to, and deter threats to submarine cables. To develop an integrated situational picture of threats, the Commission will work with Member States to develop and deploy, voluntarily, an integrated surveillance mechanism for submarine cable per sea basin, starting with a Nordic/Baltic regional hub.

The ProtectEU Strategy pointed out that the 5G Cybersecurity Toolbox provides the relevant framework to protect 5G networks but is currently insufficiently implemented by Member States. “Unacceptable security risks remain, specifically regarding the substitution of high-risk providers. A harmonized approach to the security of the ICT supply chain can address the current fragmentation of the internal market caused by different approaches at national level, avoid critical dependencies and de-risk our ICT supply chains from high-risk suppliers, in this way securing our critical infrastructure.”

In line with this approach, in the upcoming revision of the Cybersecurity Act, the Commission will look more broadly at the security and resilience of ICT supply chains and infrastructure. In addition, the Commission will propose to improve the European Cybersecurity Certification Framework to ensure that future certification schemes can be adopted promptly and respond to policy needs.

Building on existing or ongoing sectoral assessments, the Commission will develop, together with the Member States, a strategic plan for coordinated cybersecurity risk assessments.

Also, cloud and telecom services have become a staple in the supply chains of critical infrastructures, businesses, and public authorities. The Commission will take action to encourage critical entities to choose cloud and telecom services that offer an appropriate level of cybersecurity, taking into account not only technical risks but also strategic risks and dependencies.

The ProtectEU Strategy recognized that ransomware is a persistent major challenge in the EU and globally, with one report estimating a global annual cost of more than EUR 250 billion by 2031. “Both the NIS2 Directive and the Cyber Resilience Act will significantly improve the security posture of entities, making it more costly for ransomware networks to carry out their attacks. In addition, the Commission will work closely with Member States to ensure that more ransomware attacks, in particular advanced persistent threats, and ransom payments are reported to law enforcement, facilitating investigations.”

It added that to prevent and stop cyberattacks, the EU needs to strengthen the information exchange between law enforcement authorities, cybersecurity authorities and entities, as well as private parties, under the aegis of Europol and the EU Agency for Cybersecurity (ENISA).

It also noted that Europe must reduce its reliance on third-country technologies, which can lead to dependency and security risks. “The Commission aims to mitigate dependencies on single foreign suppliers, de-risk our supply chains from high-risk suppliers, and secure critical infrastructure and industrial capacity on EU soil, as specified in the Competitiveness Compass and the Clean Industrial Deal.” 

“The Commission will promote an industrial policy for internal security by collaborating with EU industries in key sectors (e.g. transport hubs, critical infrastructures) to produce security solutions like detection equipment, biometric technologies, and drones, incorporating security by design features,” the ProtectEU Strategy said. “In revisiting EU procurement rules, the Commission will assess whether the security considerations in the 2009 Defence and Security Procurement Directive are sufficient to address law enforcement and critical entity resilience needs.”

In January this year, the Commission adopted the European action plan on the cybersecurity of hospitals and healthcare providers to improve threat detection, preparedness, and crisis response. “Its full implementation is key. At the same time, to address novel threats and developments, we need to step up our actions, in particular, in the areas of information exchange, supply chain security, ransomware and cyberattacks, as well as technological sovereignty,” the strategy document said.

Furthermore, implementation requires closing the current cybersecurity skills gap of 299,000 people. The Commission will work with the Member States under the Union of Skills to expand the cybersecurity workforce, in particular by using the new Cybersecurity Skills Academy. The STEM Education Strategic Plan contributes to improving the talent pipeline and Europe’s response to cybersecurity labour market needs.

In parallel to enhancing its resilience, the EU will continue to make full use of the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (the Cyber Diplomacy Toolbox) to prevent, deter, and respond to cyber threats stemming from state and non-state actors.

The ProtectEU strategy said that to follow up on the recommendations of the high-level group, the Commission will present in the first half of 2025 a roadmap setting out the legal and practical measures it proposes to take to ensure lawful and effective access to data. In the follow-up to this roadmap, the Commission will prioritize an assessment of the impact of data retention rules at the EU level and the preparation of a technology roadmap on encryption to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data lawfully, safeguarding cybersecurity and fundamental rights.
