Should Europe have its own CIA? Is thinking about it already adopting it, or rather eliminating it? Indirectly, the compilation of reports by the three “wise men”--Enrico Letta (on the single market), Mario Draghi () and Sauli Niinistö (EU civil and military preparedness and readiness)--for the president of the European Commission, Ursula von der Leyen, raises this question. On Tuesday, the first day of the Luxembourg Internet Days, Luca Tagliaretti, executive director of the European Cybersecurity Competence Centre (ECCC), put it this way.

How can--or should--the European Union go further in integrating its security, cybersecurity and protection? And are member states prepared to relinquish what they know about others--inside and outside Europe--to prevent the worst-case scenarios from one day becoming the worst-case realities on our continent? It’s not easy at a time when the far right is the talk of the town, from Belgium to Germany, Hungary and France. It’s not easy at a time when Brussels is described as a nest of spies disguised as diplomatic staff or lobbyists who are not always accredited to serve companies that are not always identified. And it’s rather complicated when undersea telecommunications cables linking Sweden, Finland, Germany and Lithuania have been damaged; an act of sabotage in a hybrid war, say the German authorities. This comes two years after another act of sabotage, according to German, Swedish and Danish investigations: that of the Nord Stream 1 and 2 gas pipelines in the Baltic Sea, which linked Russia to Germany and were essential for Europe’s gas supply.

Five Eyes as a model

“From an intelligence perspective, Niinistö’s plan is likely to be inspired by models already used by Western allies, such as the ‘Five Eyes’ network between the US, UK, Canada, Australia and New Zealand, which share intelligence extensively to coordinate their protection,” the French Centre for Intelligence Research (CF2R). "However, there is scepticism about the possibility of establishing a genuine European intelligence agency, as some member states view intelligence sharing as a matter of national sovereignty. Von der Leyen has already acknowledged that intelligence gathering is traditionally a prerogative of national states, and many countries might resent a supranational entity dealing with such sensitive issues."

The CF2R points out both the advantages and the limitations of this idea of a European-style CIA. “A centralised intelligence agency would allow the European Union to respond in a more coordinated and rapid manner to common threats, such as terrorism, sabotage and espionage operations. A unified structure could reduce the fragmentation of information between different national services, ensuring a faster and more reliable flow of strategic and operational data. This would allow member states to make informed and well-founded decisions based on comprehensive and shared intelligence. A single agency could also strengthen the security of the European institutions, particularly in Brussels. Moreover, such an initiative would represent a step forward towards the EU's strategic autonomy, partly reducing the dependence on information from external allies, notably the United States.”

This positive and almost utopian dimension is also the main cause for concern. “A centralised intelligence structure could facilitate external conditioning, as the US may seek to establish privileged relationships with the European agency to maintain control over sensitive information and guide European political and security choices,” adds the CF2R analysis, which does not mention Russian or Chinese intelligence.

Twenty years on

The idea of a European-style CIA was mooted more than twenty years ago: After terrorist attacks in Europe (Madrid in 2004, London in 2005, Paris in 2015), then president of the European Commission, Jean-Claude Juncker, in his 2015 State of the Union address, emphasised the need for better cooperation between European intelligence services to meet the growing security challenges, as did former Belgian prime minister and MEP Guy Verhofstadt, former German chancellor Angela Merkel--even though she refused to allow Germany to be fully involved--or French president Emmanuel Macron.

We consolidated the findings of these three reports around security and cybersecurity as the executive director of the European Cybersecurity Competence Centre, Luca Tagliaretti, did the same during Luxembourg Internet Days at the Chamber of Commerce. All this comes at a time when member states are having trouble getting themselves up to speed with European directives on the cybersecurity of critical infrastructure or resilience.

A twist on encryption

Here is a summary of the key security proposals:

—Risk assessment and anticipation: the “ put together by Sauli Niinistö on the EU’s civil and military preparedness and readiness stresses the need for a comprehensive ‘all-hazards, all-threats’ risk assessment covering all EU business sectors. This assessment should draw on national risk assessments, sectoral risk assessments at EU level and information shared by member states. The aim is to identify the main cross-sectoral threats and hazards, as well as the concrete risks faced by the EU as a whole.

—Preparedness Union strategy: the report recommends the development of a Preparedness Union strategy, potentially supported by an EU Preparedness Act, to establish common preparedness standards, measurable objectives and streamlined decision-making and coordination processes. This strategy aims to provide the EU with a comprehensive framework for dealing with major crises.

—Resilience of critical infrastructures: Niinistö’s “Safer Together” report and Letta’s “” report stress the need to improve the resilience of critical infrastructures. “Safer Together” recommends extending the critical infrastructure resilience framework established under the CER and Nis2 directives to other sectors relevant in the event of a crisis, including the European defence technological and industrial base. “Much more than a market” draws attention to the need for a harmonised approach to cybersecurity and unified support for strategic submarine cable projects of European interest.

—Strategic stockpiling: “Safer Together” calls for a comprehensive European stockpiling strategy to encourage coordinated public and private stockpiling of essential inputs, and to ensure their availability in all circumstances. This strategy would include mapping current efforts, identifying a comprehensive set of essential input categories, setting targets to ensure minimum levels of preparedness, and exploring innovative financing options to incentivise long-term stockpiling and maintenance.

—Combating hybrid threats: The “Safer Together” report proposes strengthening EU intelligence structures with a view to creating a fully-fledged European intelligence cooperation service. The report also calls for measures to strengthen the EU’s deterrence capability, both through denial (by making it more difficult for hostile intelligence services to operate within the EU and encouraging the sharing of information on vulnerabilities) and punishment (by improving political attribution and creating a robust framework for lawful access to encrypted data).

—Strengthening defence capabilities: “Safer Together” also recommends the development of an EU defence capabilities package for the next decade, including an ambitious long-term vision, the implementation of the European Defence Industrial Strategy and the identification of major defence projects of common interest. The report highlights the need to address the urgent defence needs of member states, to revise the EU’s politico-military headline goal and to strengthen funding at EU level to encourage cooperation, readiness and preparedness in the defence sector.

—International cooperation: “Safer Together” emphasises the principle of “mutual resilience” as the basis for global partnerships in preparedness. This includes integrating this principle into future EU policy initiatives, using scenario-based risk assessments, and strengthening the role of EU Common Security and Defence Policy (CSDP) missions and operations in building mutual resilience.

This article was originally published in .