European Cyber Agora 2025

The rapid adoption of Artificial Intelligence (AI) and Generative AI applications raises important questions about the intersection of cybersecurity and AI/ML and its potential benefits and costs in both offensive and defensive capacities. These also have important governance implications. Each of these angles of the AI-cyber nexus will play a role in ensuring societal resilience, defined by the European Union as “the ability not only to withstand and cope with challenges but also to undergo transitions, in a sustainable, fair, and democratic manner.” Whilst cyber resilience is an established notion across EU and NATO stakeholders, the increasing role of AI calls for a broader approach to resilience to account for its cross-cutting role across threat areas, ranging from cyber to information environments and critical infrastructure.

• Short-term objective: Understanding the status quo: Taking stock of current knowledge and capacities on the interconnections of cyber and AI within the European ecosystem. What are existing resources, what are gaps? Have recent events shifted priorities (e.g. European elections)?
• Medium-term objective: Identifying synergies and build capacities: What gaps in both societal and cyber capacities need to be addressed to foster societal resilience? Identifying action areas for fostering holistic societal resilience in line with the objectives of the EU democracy shield and the EU’s cyber regulatory agenda.
• Long-term objective: Foster European cyber and AI resilience: Be a convening force across siloed AI and cyber stakeholder communities to develop common approaches for building capacities and resources and contribute to the objectives of the EU democracy shield and the EU’s cyber regulatory agenda. Encouraging policymakers to incorporate notions of resilience into governance frameworks on AI.

1. 1. What are the new cybersecurity challenges raised by AI?
   1. AI challenges for cybersecurity: As a dual-use technology, AI/ML has the potential to amplify the threat landscape through deployment by malicious actors or introduction of new security vulnerabilities and risks unique to AI/ML systems with their regularly changing configurations. This will require developing a new threat model to equip security teams to mitigate emerging risks.
   2. AI for scaling cyber and influence operations: By leveraging basic automation, attackers will create efficiencies and amplify their impact. For example, AI can be used to generate ultra-personalized phishing attacks, capable of duping even the most security-conscious users. AI is also fundamentally influencing the information environment, for example through large-scale disinformation campaigns, scaled and automated by AI-generated content. 2024 is the year of elections, with almost half of the global population heading to the polls, and generative artificial intelligence has democratized the ability to create realistic fake or altered images, videos, and audio recordings – including of political candidates. Risks include malicious or deceptive deepfakes, especially targeted at vulnerable communities or seeking to disrupt electoral processes. As these capabilities advance, so too will the threat actors’ creative use of these tools. Progress is being made on technical aspects of these questions, including on content authenticity technology.
2. 2. How can AI systems be applied to cybersecurity for defensive capabilities?
   AI can also be leveraged to enhance protection and thwart attacks, such as triaging alerts on potential attacks, detecting the ‘fingerprints’ of malware within a computer or on a network or guiding automated approaches to mitigation. Generative AI can act as an amplifier, enabling AI-enabled cyber threat monitoring, synthetic training and data generation or analytics and reporting. AI can be used to reduce the number of false-positives produced in a security environment, allowing cyber defenders to respond more rapidly and with higher confidence using AI-generated threat analysis. These solutions combine speed, efficiency, and scalability, automating and augmenting the defender’s ability to safeguard systems, networks, and data while ensuring confidentiality, integrity, and availability.
3. 3. How does the AI-cybersecurity nexus impact policymaking?
   The rise of AI poses new questions for policymakers, along with opportunities to shape real-world policy action to ensure societal readiness and resilience. While the EU has robust frameworks and legislation on cyber security (NIS2, Cyber Resilience Act etc.), new vulnerabilities and enablers linked to AI expand their scope and raise questions about broader societal resilience. The priorities of the new European Commission and the Democracy Shield introduced by President von der Leyen to counter foreign information manipulation and interference online also reference the need to build societal capacities adapted to the shifting AI landscape. The implementation of major digital legislative files in the EU (AI Act, CRA) requires closely exploring the compatibility, interconnections, and challenges of AI and cyber regulation. In complementing existing regulation under the Digital Services Act (DSA) and other relevant EU legislation, it will be important to consider how media provenance certification for abusive AI-generated content, pre-bunking or targeted AI and dis-misinformation literacy initiatives can help build broader societal awareness and resilience towards cyber- and AI-enabled attempts to undermine the European information environment. Increasing resilience will also include further understanding how to incorporate AI-cyber challenges into governance frameworks beyond the EU, including international treaties and multilateral mechanisms.
   

The goal of this workstream is to further shared understandings that promote responsible behaviour in cyberspace. Specifically, it seeks to further empower the European cyber communities to lead in upholding international norms. In the face of sustained state-sponsored cyberattacks on critical infrastructure and democratic institutions, the importance of establishing robust international frameworks that foster accountability and deterrence in cyberspace becomes ever more urgent.

This workstream aims at facilitating the norm building process fostering accountability and deterrence in cyberspace. The goal is to amplify the voice of the European cyber ecosystem in presenting a common approach to fostering responsible state behaviour in cyberspace at the international level.

• Strategic objectives: Change the attitudes of European decision-makers regarding when and how to make public attributions to allow imposing more firm costs to enhance deterrence effects.
• Medium-term objective: Creation of a forum for European coordination taking a broad multistakeholder approach involving industry and civil society, take stock of the approaches favoured across the European cyber ecosystem and identify strategies that can shift the attitudes of European decision-makers regarding attribution and deterrence practices.
• Long-term objective: Contribute to the establishment of a rights-based set of international norms and expectations fostering responsible state behaviour through accountability and deterrence, namely at the level of ongoing UN negotiations (OEWG, PoA etc.).

To foster accountability, upholding international law and international norms for responsible state behaviour is essential. This includes existing treaties and agreements, such as the UN Charter, and the 11 UN norms on responsible state behaviour in cyberspace, but also a plethora of relevant bilateral and multilateral agreements. Such accountability starts with effective attribution, requiring a more agile and rapid process for attribution determinations and consensus –building, particularly among aligned coalitions of states like those within the NATO alliance or the EU. To this date, perpetrators of malicious cyber operations rarely face significant responses, be it through public attribution or imposing costs such as sanctions.

The lack of effective enforcement of current norms and the insufficient impact of attributing cyber actions reveals the need for greater consistency in the application of existing norms and possibly stronger deterrence measures. These strategies should seek to reduce perceived benefits of cyberattacks and amplify potential costs. Discussions on cyber deterrence need to centre on establishing clear criteria for evaluating harm from cyber incidents in order to determine proportional countermeasures, for instance by defining when cumulative effects of cyberattacks can amount to an armed attack, etc. These criteria will aid in defining appropriate countermeasures. Additionally, like-minded nations may need to accept that deterrence will require meaningful steps and the willingness to act if red lines are crossed.

Accountability through common norms and attribution
Agreeing new initiatives to advance norms discussions at the international level is critical, so proposals such as the UN Programme of Action on cybersecurity are welcome. It is also crucial to think about how existing norms can promote accountability in smaller partnerships. Successful enforcement of norms depends on being able to attribute cyberattacks to states. Timely attribution of state-sponsored cyberattacks publicly and privately is crucial for effective deterrence in cyberspace. Yet, in the European context, there seem to be multiple components that complicate public attribution. First, decision-makers may be reluctant to make public attributions due to persisting concerns that these will result in pressure to impose consequences on perpetrators that could escalate conflicts and amplify geopolitical tensions. Moreover, a lack of capacity may be a further obstacle to effective attribution. However, there are positive examples of public attributions, demonstrating both willingness and capacity, namely the joint attribution made by the Czech Republic with Germany, the EU and NATO in May 2024, denouncing activities by a Russian state-controlled actor. Existing efforts such as the EU Cyber Diplomacy Toolbox provide a framework for using the EU’s Common Foreign and Security Policy measures to "prevent, deter and respond to malicious cyber activities" and to make joint attributions. One key challenge seems to be that Member States (MS) may be reluctant to utilize the toolbox sufficiently as it requires the sharing sensitive data across all EU MS and unanimous decision-making. These barriers ultimately result in preferences by MS to favour unilateral rather than collective attribution. Such attribution tends to be ad hoc and less effective in consolidating deterrence efforts. Hence, structural challenges European actors face in individual and collective attribution should be addressed to improve the impact of public attribution. Outside the EU, NATO could be another suitable forum for addressing alignment challenges with transatlantic partners in attributing attacks. The NATO Cyber Defence Pledge and the Comprehensive Cyber Defence Policy focus on improving information sharing, mutual assistance and coordination of collective responses to cyber-attacks. However, similar to the EU, attribution decisions are taken individually by NATO members, not by the Alliance itself. Solutions should focus on fostering a culture of confidence to make use of existing frameworks and processes which leverage cooperation at both EU and NATO level.

Deterrence through consequences
As current costs imposed on bad actors have proven insufficient to stop them from conducting further cyberattacks, more effective deterrence will need to include commitments to imposing more robust, dynamic and creative sets of countermeasures when adversaries wilfully violate clear international expectations. The goal is to reduce the perceived benefits and drive up the perceived costs of cyberattacks. To set uniform criteria, it’s crucial to agree on when cyberattacks constitute the 'use of force' or an 'armed attack' that could warrant proportionate reactions by affected states. Codifying common definitions and understanding at EU and NATO level, can shape the debates at UN level.

• 1. How to operationalise cumulative attribution, that is connecting the dots between repeated attributions to the same threat actor and the broader threat context they operate in
• 2. How to incentivise the wide use of existing processes for joint attribution that are corroborated and coordinated between allied states at NATO and EU-level
• 3. How to include authoritative intelligence and expertise by industry and civil society into the attribution process

Over the past few years, we have witnessed a convergence of the latest technologies to amplify existing geopolitical goals. Some of this has happened on the physical battlefield, in locations like Ukraine, but many impacts of these trends have been felt closer to home with increased cybersecurity incidents. This has all created an urgency within defence to innovate and adopt the latest digital technologies. This workstream explores not only the perspectives from leading stakeholders in NATO and national agencies, but also brings in voices from the private sector who have been leading this transition to map our challenges and opportunities.

This workstream aims to bring forward both public and private perspectives on ensuring European resilience; with a particular focus on amplifying positive stories about digital transformation in organizations like NATO and the lessons thereof.

• Strategic objective: Encourage European policymakers to reflect on a resilience in a cyber context and realize how the digital transformation can amplify this.
• Medium-term objective: Collect perspectives from a broad range of public and private stakeholders on effective approaches towards enhancing European security via digital transformation. Form these into an effective policy brief.
• Long-term objective: Positively influence national and NATO perspectives on digital transformation in the defence sector.

Ever since the Russian invasion of Ukraine, issues of security and defence have been top of mind in Europe and in NATO. This urgency has been made all the more politically salient in the past few months, with several key milestones: including Ursula von der Leyen pledging to appoint a defence commissioner, NATO undergoing ambitious digital transformations, and national elections throughout Europe pushing defence and security as a key campaign focus. However, modern security and defence is more than just procuring new equipment and increasing defence investment. As demonstrated by modern conflicts like Ukraine, effective defence and resilience needs to embrace the digital era we live in.

This shift to include the digital in defence takes several forms. First, defence needs to be aware of the increasing cybersecurity threat actors that seek to undermine their stability. Second, defence agencies need to embark on ambitious digital transformation journeys, seeking to utilize the latest technologies in AI and cloud computing to ensure their services are resilient, efficient, and optimized. Finally, defence agencies and bodies like NATO need to be on the cutting edge of technological developments, which would entail being proactive in fostering the European tech ecosystem.

While this may appear like a lofty list, there is clear appetite in Europe to get started. NATO especially has been proactive by embracing a digital transformation and fostering their tech ecosystems. The 2024 NATO Summit was a particular milestone, with NATO releasing a new AI strategy, widely recognizing issues like interoperability, and continuing to foster defence incubators like DIANA. Likewise, the European Commission has also embraced defence and security, especially as newly re-elected VP Ursula von der Leyen ran her re-election campaign on these themes. She built heavily on this vision within her July 2024 Political Guidelines, showcasing initiatives such as the European Democracy Shield, and action on her defence commitments. But as we are poised to get a European Defence Commissioner, it will be interesting to observe how their profile will overlap with cybersecurity and cyber resilience. Nevertheless, VDL’s recent words at the 2024 GLOBSEC forum were inspiring and reaffirms that security and defence will remain top of mind at the European Commission, stating that “the EU is intrinsically a security project”, and that “the focus must be on putting security at the heart of everything we do”.

As the ambitions of the EU, NATO, and National governments become more solidified in enabling the digital transformation of their defence and security, there is a greater role for close collaboration with leaders in the private sector on best practices. This workstream of the 2025 Cyber Agora will seek to gather relevant voices and perspectives to advance discussions on lessons, challenges, and opportunities as we work towards a digital and resilient Europe.

• 1. What are the threats facing European resilience?
• 2. How can Europe best ensure that its defence is ready and able to defend itself against new techno-geopolitical threats?
• 3. What are the roles for national governments, international bodies like NATO and the EU, and the private sector in fostering the digital transformation necessary to ensure this resilience?