(c) Shutterstock
The EU’s new watchwords: protect and prepare
Last week, the EU presented its new internal security strategy, one that is intended to help the bloc circumnavigate the choppy waters ahead over the next five years.
Going by the pseudonym ProtectEU, this strategy identifies numerous areas for action. These include boosting intelligence sharing, strengthening resilience to hybrid threats by “hostile foreign states and state-sponsored actors”, and fighting major organised crime, cybercrime, terrorism and violent extremism.
Fighting on all fronts
The internal security strategy complements the Preparedness Union Strategy, meant to boost Europe's capability to respond to emerging threats, and the European Defence White Paper.
In the words of European Commissioner Hadja Lahbib, speaking at the preparedness presentation at the end of March, Europe’s fights are no longer confined to physical battlefields. Instead, the continent is facing threats on other plains:
Hadja Lahbib, European Commissioner for Crisis Management (in English):
“The battlefields in our pockets, our phones, our computers, our power plants, our banks, our supply chains, our raw materials, and in the media, the social media we consume every day. These are all battlefields, and they are being weaponised to threaten our European way of life and our democracies.”
So, given this challenging geopolitical context, Austrian MEP Hannes Heide, a member of the European Parliament’s S&D group, was quick to welcome the new ProtectEU strategy. Agora shares his comments.
Hannes Heide, Member of the European Parliament – S&D, Austria (in German):
“The European Commission's presentation of a strategy for internal security was long overdue and was something we were calling for. It is therefore to be welcomed that joint action is now being taken to tackle the manifold and permanent challenges in the field of security.”
Meanwhile, AMS reports on how Magnus Brunner, the commissioner looking after internal affairs and migration, counters the complaint that the new internal security strategy impinges on national competences.
Magnus Brunner, European Commissioner for Internal Affairs (in German):
“Of course this affects the competences of the member states, but it is also the member states' desire for us to cooperate better at the European level. That is crucial. We see this in Europol, for example, where cooperation with the nation states works extremely well. And this strategy is actually the answer to these challenges, which are not confined to a single member state, but extend across borders. That is why this cooperation is important and why this strategy is important, because it will lead to us providing better support to member states, and there will be better cooperation between member states and the European Union.”
https://www.euranetplus.de/2025/04/02/eu-kommission-stellt-protecteu-vor/
Buy one get one free
As mentioned earlier, the European Internal Security Strategy ties in closely with another strategy released by the Brussels executive in the last few weeks: the EU Preparedness Union Strategy.
Commission EVP Roxana Mînzatu shares responsibility for the bloc’s preparedness portfolio with Commissioner Lahbib. Speaking on the launch of this associated strategy, she explains that, like most European citizens, she is currently completely unprepared for a whole range of possible scenarios – and this despite her personal experience of growing up in a region that suffered frequent blackouts and earthquakes.
Roxana Mînzatu, Executive Vice-President of the European Commission (in English):
“The dividend of peace and the dividend of calm, as was mentioned, takes us to this exact place of comfort where we feel that it's not going to happen to us, where we sometimes see the disaster that is caused by the wildfires in Greece. We see the tragedy in Spain with the floods, or I see what happened in my own country in Galats. But it doesn't happen to you. So you do not force yourself to understand what would be your first steps when you hear an alarm, a siren that is ringing.”
https://www.euranetplus.de/2025/03/27/eu-strategie-zur-vorbereitung-auf-den-ernstfall/
The preparedness strategy is a detailed action plan covering geopolitical tensions and conflicts, hybrid and cybersecurity threats, foreign information manipulation and interference, and climate change and natural disasters. Among other aims, the strategy is designed to strengthen our capacity to foresee risks before they hit, and to ensure the continuity of essential services if they do – including through stockpiling critical resources at EU and national level.
Measures include the creation of a new EU crisis coordination hub, which will be responsible for supporting member states in managing crises, in whatever form they come.
Another small but headline-grabbing element is the suggestion that Europe’s citizens prepare themselves ‘survival kits’ to ensure they can be self-sufficient for at least 72 hours… just in case.
Initiatives along these lines already exist, or are being implemented, in a number of EU countries. Luxembourg’s High Commission for National Protection, for example, has drawn up an online checklist to help citizens compile a personal survival kit, as director Guy Bley tells 100,7.
Guy Bley, Director of Luxembourg’s High Commission for National Protection (in Luxembourgish):
“The survival kit is basically a normal stock of the things you should keep at home. It’s about knowing where you keep your medicine, where you have a stock of water, some food provisions… You could just keep it in your normal home storage.”
https://www.100komma7.lu/news/HCPN-schafft-un-neiem-Urgece-Kit-fir-de-Fall-vun-enger-Kris?pd=search
But Portuguese diplomat and former foreign minister António Martins da Cruz thinks the idea of a survival kit is overkill. He is talking to Rádio Renascença.
António Martins da Cruz, Former Foreign Minister of Portugal (in Portuguese):
“It may cause alarm among less-informed people. I think it's an unreasonable recommendation and it seems to reveal a certain paranoia in some members, in some leaders, of the so-called ‘Brussels bubble’.”
Hybrid threats
Two key areas that are closely interwoven into the latest manifestation of the internal security strategy are those of cybersecurity and hybrid threats.
On 4 February, the EU Cyber Solidarity Act came into force. This aims to enhance the bloc’s capacity to detect, prepare for and respond to large-scale and significant cybersecurity threats and attacks.
One element of critical infrastructure that has seen an exponential rise in cyberattack-related disruption over the last few years is air traffic control, says Latvijas Radio.
Our Latvian member station asks Latvian MP Igors Rajevs, parliamentary secretary of the country’s internal affairs ministry, for his take on what motivates these attacks – which have not, to date, posed a major threat to flight safety.
Igors Rajevs, Member of the Latvian Parliament (in Latvian):
“They want to test how our systems work, they want to see the way we react to their actions. They want to keep pressure on us as a country all the time, so that these news reports appear regularly on our portals. This makes people feel uneasy – gives the sense that Russia is always trying to threaten us, that there are always hybrid challenges. It confuses us, creates unnecessary anxiety and gives us the impression that our country is struggling to cope with security challenges.”
Neighbouring Estonia has been facing a different kind of hybrid threat. It is the case of the Russian Orthodox Church, which turned out to be receiving direction from Moscow and issuing public statements that were seen to threaten Estonian internal security.
In response, the Estonian parliament passed a law this week stipulating that no church, monastery or congregation operating in Estonia may be connected to a governing body located in any foreign country that poses a threat to Estonian order or security.
Critics of the bill argue, however, that this infringes freedom of religion.
While the law has yet to be approved by the president, interior minister Igor Taro is hopeful this is just a matter of time. He tells Kuku Raadio why.
Igor Taro, Interior Minister of Estonia (in Estonian):
“If a hostile country has certain strongholds – even if they are not being put to this purpose right now – should the situation escalate, they may be used for something else. We must prevent this by ensuring that there is no direct subordination of this kind, so that no one can force them to change into something they do not want to be. I don't believe that any religious Estonian would want to be directly subordinate to some kind of extremist regime. And we are talking about a universal principle here, not just about Moscow.”
Online crime
Returning to cyberspace, Austrian S&D member Hannes Heide, who we heard from earlier, stresses to Agora that we really cannot afford to overlook the ‘virtual realm’ in our quest for a greater sense of security.
Hannes Heide, Member of the European Parliament – S&D, Austria (in German):
“We are seeing that crime is increasingly shifting to the virtual realm and that social networks are also encouraging criminal activity. We need to pay particular attention to this. The specialisation, strengthening and better equipping of our security authorities can play a significant role in this.”
In Belgium, a recent spate of violent knife crimes and shootings has sent shockwaves through the community. Nils Duquet, a specialist in arms trafficking and director of the Flemish Peace Institute, tells RTBF that the so-called ‘virtual realm’ has a lot to answer for in this regard too.
Nils Duquet, Director of the Flemish Peace Institute (in French):
“What we’re seeing is that young criminals have access to weapons through their use of apps like Telegram, for example, or Snapchat. There are messages offering weapons for sale. It’s clear that the criminals don't always know the sellers, and that's really different from how things used to be.”
In response to the growing threats posed by digitalisation and the surge in cyberattacks, the Commission launched its revised Network and Information Security Directive (NIS2) back in January 2023. Its aims included increasing security requirements, obliging more entities and sectors to take action, and introducing more stringent monitoring. Member states were given until October 2024 to transpose it into national law.
Better late than never, the Portuguese government approved its bill for a new cybersecurity regime in early February.
Minister of the presidency António Leitão Amaro described the bill as a profound reform. His comments are shared by Renascença.
António Leitão Amaro, Portugal’s Minister of the Presidency (in Portuguese):
“This legal regime, which has now been approved and will be sent to parliament, greatly strengthens the capacity and robustness of Portuguese companies’ and public entities’ digital systems and defences. It also strengthens the level of security, increases supervisory powers and extends the obligations and duties that companies and public entities have to protect their activities, their databases and their systems in the digital space.”
As Amaro points out, the document is yet to be formally enacted, though – a process that has been held up by a series of government crises.
Bulgaria is also lagging behind on this – again due to domestic political instability. And just when it looked like Sofia was making progress on its amended Cybersecurity Act, the latest draft has unleashed a wave of complaints from businesses and the IT industry.
Blagovest Kirilov from the NGO ‘Democratic Centre’, formerly Bulgaria’s deputy minister of e-government, has sounded the alarm about intentionally poorly translated texts.
Blagovest Kirilov, Bulgaria’s Former Deputy Minister of E-Government (in Bulgarian):
“Whether these are mistakes or ‘lost in translation’ linguistic errors is up for debate. But these mistakes make the bill much more closed, with a body such as the Ministry of e-Government, or the minister, effectively telling businesses exactly which software packages to use. This should not be the case. The directive from the European Commission indicates that the certified technologies should be cited, but does not suggest naming specific products. That makes a big difference.”
In the same BNR interview, Ivan Goychev, Sofia’s deputy mayor for digitisation, expresses his alarm over the pressure of implementing the new requirements.
Ivan Goychev, Sofia’s Deputy Mayor for Digitisation (in Bulgarian):
“There is really no capacity and it feels quite scary… lonely even. The directives are clear on who is to blame, but who is going to provide the budget to make these things we are talking about happen? And we need something more than the law to guide the rest of the administration. How do we implement this directive – for example, in terms of training […] raising salaries and bringing in people from outside who are already trained and know what they are doing so that they can make the things happen that need to happen?”
The cybersecurity picture in Bulgaria remains fairly bleak. Particularly given the fact that, although Bulgaria officially meets the EU’s previous minimum requirements for cybersecurity, adopted back in 2018, even those are not widely implemented. Meanwhile, Bulgarian businesses – like those in the rest of Europe – are facing increasingly frequent and destructive cyberattacks.