EU cybersecurity exercise: foster cooperation, secure free and fair EU elections
November 2023 by Marc Jacob
The exercise is part of the measures being implemented by the European Union to ensure free and fair elections in June 2024. It took place in the European Parliament and was organised by the European Parliament’s services, the European Commission and the EU Agency for Cybersecurity (ENISA). The drill allowed participants to exchange experiences and best practices, and will help them enhance their capacity to respond to cybersecurity incidents as well as to contribute to the update of existing guidelines and good practices on the cybersecurity of technology used in the election process.
European Parliament Vice-President Dita Charanzová underlined that "European democracy and the European Elections in particular, are faced with serious hybrid threats ranging from cyberattacks and other cyber-enabled incidents to disinformation and information manipulation. Today’s exercise, in which the European Parliament played a key coordinating role, allowed us to test and strengthen our capacity to react to these hybrid threats. It also served to underline that Member States and EU institutions are already working on the basis of well-established structures, networks and collaborations that will serve to secure free and fair European Elections in June 2024."
European Commission Vice-President for Values and Transparency, Vera Jourová said: “Elections and campaigning are increasingly happening in the digital space. While this brings many opportunities it also creates risks, and we must be prepared to protect our infrastructure from cyber-attacks from within and outside the EU. The upcoming European elections will be an important test that we must not fail. Our best defence is to share knowledge and work together across the EU.”
The European Commissioner for Internal Market, Thierry Breton said: “Cyberattacks and disinformation are a threat to democracies. Ill-intentioned actors can be expected also to target elections to try to harm the credibility of our democratic institutions. It is vital that EU institutions and Member States safeguard trust in the integrity and legitimacy of the European elections, and this means working together to build up our cyber resilience in the run-up to the 2024 European elections.”
The European Commissioner for Justice, Didier Reynders said: “Digitalisation brings enormous benefits, and the promise of a better tomorrow. Yet it also brings certain threats. Among those are cyberattacks that can undermine free and fair elections. Elections must be based on correct information and facts. We must not be naïve and keep up our guard – especially in view of next year’s European elections.”
European Union Agency for Cybersecurity (ENISA), Executive Director, Juhan Lepassaar, said: “It is our responsibility to join forces to ensure the security and reliability of the digital tools used to process the information. ENISA is committed to support Member States election authorities and cybersecurity stakeholders to ensure preparation in case of any cyber incident. Engaging in EU cybersecurity exercises strengthens our ties and in doing so, enhances our whole cybersecurity resilience.”
Representatives from national electoral and cybersecurity authorities, together with observers from the European Parliament, the European Commission, CERT-EU and the EU Agency for Cybersecurity (ENISA), participated in the second edition of the exercise. While the main responsibility for protecting the integrity of the elections lies with EU Member States, this exercise helped fine-tune their common preparedness when facing potential cyber and other hybrid threats and their ability to swiftly develop and maintain situational awareness at national and EU level if a serious cybersecurity incident were to occur.
All is in place to ensure that European citizens can trust the EU electoral process. Risks to elections can take various forms from information manipulation and disinformation to cyber-attacks that compromise infrastructures.
Based on various scenarios featuring potential cyber-enabled threats and incidents, the exercise allowed participants to:
• Deepen their knowledge of the level of critical aspects of European elections, including an assessment of the level of awareness among other stakeholders (e.g. political parties, electoral campaign organisations and suppliers of relevant IT equipment);
• Enhance cooperation between relevant authorities at national level (including elections authorities and other relevant bodies and agencies, such as cybersecurity authorities, Computer Security Incident Response Teams (CSIRTs), Data Protection Authorities (DPAs), authorities dealing with disinformation issues, as well as at EU level, such as the Commission services in charge of enforcement of the Digital Services Act (DSA);
• Verify existing EU Member States’ capacity to adequately assess the risks related to the cybersecurity of European elections, promptly develop situational awareness and co-ordinate communication to the public;
• Test existing crisis management plans as well as relevant procedures to prevent, detect, manage and respond to cybersecurity attacks and hybrid threats, including disinformation campaigns;
• Identify all other potential gaps as well as adequate risk mitigation measures which should be implemented ahead of the European Parliament elections.