The Council of the European Union on Monday approved a declaration aimed at fostering a common understanding of how international law applies to cyberspace. This declaration reflects the EU’s commitment to advancing the rule of law in a domain marked by increasing complexity and threats.
The declaration builds upon principles of sovereignty and state responsibility, underscoring that existing international law, including the UN Charter and customary international law, applies fully to cyberspace. The fundamental position is to prohibit cyber activities that violate another state’s sovereignty or constitute the use of force, according to the Tallinn Manual on Cyber Operations.
The EU’s approach leans toward a rules-based international order emphasizing shared norms and collective security, setting itself apart from the stricter cyber sovereignty approach adopted by Russia and China. This transnational focus highlights the tension between unilateral actions and the need for global frameworks.
One notable aspect of the EU’s declaration is its emphasis on the protection of critical infrastructure, such as healthcare systems and energy grids. Drawing from lessons learned during major cyber incidents, such as ransomware attacks on hospitals and financial systems, the document calls for greater legal protections during peacetime and conflict. This aligns with ongoing United Nations Group of Governmental Experts (GGE) efforts to promote responsible state behavior in cyberspace, including banning the targeting of critical infrastructure.
The declaration also addresses state obligations regarding due diligence and the prevention of cyber operations launched from their territory. This principle, enshrined in customary international law, was reaffirmed in the declaration, which calls for accountability mechanisms to deter harmful activities. The issue of attribution, often cited as a major challenge in cyber operations, is acknowledged as a critical area requiring further international cooperation.
The declaration also resonates with human rights protections in cyberspace, including freedom of expression and the right to privacy, as outlined in Articles 19 and 17 of the International Covenant on Civil and Politcal Rights. The acknowledgment of the digital divide—unequal access to internet technologies—further underscores the need to ensure that cyber norms advance equity and inclusivity.
Relatedly, the EU Council adopted the European Cyber Resilience Act in October. The act provides a legal framework clarifying the cybersecurity requirements for products with digital elements. The full implementation of the act will come 36 months after its entry into force.
In 2021, the UN General Assembly similarly convened an open-ended working group on cybersecurity to develop the international law in cyberspace. The EU’s declaration also echoes the Open-Ended Working Group (OEWG) discussions, which stress the need for cooperative mechanisms to address the transnational nature of cyber threats.
Companies like Meta and other global tech firms have recently faced growing scrutiny for their role in questions of data protection and privacy. The regulatory emphasis on cybersecurity, particularly in Asia and the EU, reflects a global shift toward holding private actors accountable under international and domestic legal frameworks. The EU’s focus on a unified legal approach sets a precedent for addressing cyber threats while safeguarding individual rights and maintaining the rule of law.