‘Hybrid conflicts’ are often defined, in part, by the use of non-military forces to obtain strategic objectives. And just as hybrid aggressors may be private actors, their targets are also often in the private sector. While hybrid conflicts are primarily a threat to national security, and defending against them is thus primarily the responsibility of governments, hybrid tactics – ranging from cyberattacks and sabotage to disinformation and political undermining – all impact private companies. European Union laws and regulations, ranging from general cybersecurity obligations to policy moves toward digital sovereignty, add another layer to this relationship.
The strategic importance of the private sector
Many essential services, including communications, healthcare, banking, sewage, and electricity, are provided by private companies. A disruption of these services, for example through a cyberattack, can seriously disrupt society. For example, distributed denial-of-service (DDoS) attacks regularly target financial institutions, disrupting electronic payments and, consequently, both public and private commerce. Cyberattacks can also be used to disrupt electronic communication. In 2016, a DDoS attack on a DNS provider disrupted access to major internet platforms including Twitter, Spotify, and the New York Times. On a slightly smaller scale, a satellite can be hacked to disseminate propaganda instead of, for example, BabyTV.
Similarly, if the ‘real’ target in a hybrid conflict is hard to attack directly, private-sector suppliers may be the weak underbelly. For example, Russian cyberattacks have targeted logistics firms and tech providers involved with the delivery of military aid to Ukraine. There are also more subtle risks relating to private suppliers from outside one’s own country, which may be directly or indirectly under the control of foreign governments. For example, the United States and China may use or pressure technology companies based in those countries but operating internationally to cut services or spy on users.
Finally, private companies may have access to strategically important information about the essential services mentioned above, or to military or ‘dual use’ technology that can be used to develop weapons. For example, ASML, a Dutch manufacturer of photolithography machines used to make the world’s most advanced microchips, has repeatedly been the target of cyberattacks. Personal data, meanwhile, can be used to blackmail key figures, and bulk personal data can be used to tune AI. More and more, data should be seen as strategically important, and securing it is a matter of national security.

EU law
Within the European Union, national security is primarily the responsibility of member states, whereas private sector cybersecurity obligations are mainly imposed by the EU. These obligations are not principally intended to defend against hybrid threats but rather to strengthen the internal market and protect fundamental rights. Protecting against hybrid threats is, however, an important ancillary effect.
For example, while securing personal data strengthens the individual’s right to data protection as enshrined in the EU Charter of Fundamental Rights, it also prevents foreign actors from obtaining strategically important personal data. Similarly, European cybersecurity obligations, intended to avoid costly disruptions to the internal market, can bolster defences against hybrid conflicts even though they are not specifically tailored to them.
In the same vein, the exact intent of a cyberattack or the purpose of a cybersecurity obligation is only of limited importance to these companies. In the end, they simply have to protect themselves. The cybersecurity measures that protect against data breaches or ransomware attacks from ‘ordinary’ criminals are not fundamentally different from the measures taken to stop state-sponsored hackers.
This does not mean, however, that considerations of hybrid conflict are irrelevant or redundant. In my research, I have identified four ways in which hybrid conflicts affect European cybersecurity obligations for private companies.
Hybrid conflicts influence obligations under general cybersecurity instruments
The most important European cybersecurity obligations are risk based. The General Data Protection Regulation (GDPR) and Network and Information Systems Directive 2 (NIS2) require private companies to take ‘appropriate’ technical, operational, and organisational cybersecurity measures to secure processed personal data and the network and information systems used for essential services. Examples of such measures include pseudonymisation, back-ups, tests and evaluations, policy implementation, incident handling, and staff training. Ultimately, deciding which measures should be considered appropriate depends on the risks.
Hybrid conflicts are a source of risks and can thus lead to stricter cybersecurity requirements under these general obligations. For example, if a company knows that it may be targeted by DDoS attacks from foreign countries, it must take measures to minimise the effect of such attacks.
Hybrid conflicts force companies to reduce dependency on third-country suppliers, contributing to digital sovereignty
In addition to these general obligations, the EU imposes several more specific obligations that are especially important in the context of hybrid conflicts. Under the GDPR and NIS2, private companies should make sure that their cybersecurity is not undermined through dependencies on or collaborations with other entities. In the context of hybrid conflicts, avoiding dependencies on suppliers from countries outside of the EU (‘third countries’) is especially important.
For example, the Digital Operational Resilience Act (DORA) obligates financial entities to assess and address dependencies on information and communication technology suppliers in general, with specific attention paid to suppliers from third countries. Moreover, the GDPR and the Data Act limit the transfer of data to entities outside of the EU; here, the potential access of foreign governments is a particularly important consideration. This push to reduce dependencies on third-country suppliers also contributes to digital sovereignty – ‘Europe’s ability to act independently in the digital world’ – an important EU policy goal.
Governments are increasingly involved in the cybersecurity of companies
The various cybersecurity obligations of private companies do not release governments from their responsibilities. In fact, the EU has allocated various new responsibilities and powers to public authorities, which should be increasingly involved in the cybersecurity of private entities. They should formulate strategy, analyse risks in certain sectors, provide incident response support, share threat information, and formulate norms and standards.
Some of these responsibilities and powers are especially relevant in the context of hybrid conflicts. For example, NIS2 and the Cyber Solidarity Act empower governments to provide support in the case of large-scale incidents. Such incidents may be the result of hybrid conflicts – the Cyber Solidarity Act specifically refers to the war between Russia and Ukraine as a potential source of such incidents.
Furthermore, discussion about an EU-approved cybersecurity certification scheme for cloud services has been intensely focused on the potential inclusion of sovereignty requirements. Although these requirements may not make it into the final version, this discussion shows how geopolitical considerations can influence the development of cybersecurity obligations.
The increased prevalence of hybrid conflicts leads to new cybersecurity obligations
All of this brings us to the final way in which hybrid conflicts affect European legal cybersecurity obligations for private companies: cybersecurity obligations are on the rise. While this has been true for all aspects of digitalisation and law in the European Union, rising geopolitical tensions mean this will continue in relation to cybersecurity, despite the current trend of regulatory simplification aimed at bolstering competitiveness. More specifically, the existing legislative framework leaves room for various kinds of delegated rulemaking in the form of standards, codes of conduct, recommendations, and certification schemes. The current focus is on strengthening the implementation of these existing rules.
Private companies are deeply involved in hybrid conflicts, whether they want to be there or not. They should anticipate the further expansion of cybersecurity requirements and adjust accordingly. Proactively reducing dependencies and investing in cybersecurity would be a good place to start.