With its most recent update in March 2023, the EU’s Maritime Security Strategy has undergone a significant revision, and now places a more pronounced emphasis on addressing the emerging threat of hybrid warfare and safeguarding critical infrastructure. This analysis highlights the key changes in the strategy, including the new connotations and implications for both EU member states and relevant stakeholders in the realm of maritime security. It examines how the revised strategy seeks to enhance maritime security through a comprehensive and coordinated approach, including the use of new technologies and partnerships. Thus, this analysis pays particular attention to the issue of hybrid threats, which combine conventional and unconventional tactics, and the protection of critical infrastructure, which is vital for the functioning of the EU’s economy and society.
Ein Beitrag von Lukas Seelig
In the context of military policy issues and topics that cross political, economic, and diplomatic lines all at the same time, there is hardly a topic that is characterized by a comparable mix of complexity and lack of presence in public discourse as maritime security. Most stakeholders in the maritime industry normally conduct their business outside the public gaze, and the accompanying military activities of various stakeholders rarely find their way into broad discussions and public attention.
However, the February 2022 invasion of Ukraine served as a wake-up call, making maritime security an increasingly important concern for the European Union (EU). Thus, it was both military events, such as the destruction of Russia’s Black Sea flagship, the missile cruiser Moskva, or the year-round, ever-present bottlenecks in the food supply chain, which, given that Ukraine is one of the world’s largest grain and oilseed producers, highlighted the importance for the EU to place greater emphasis on protecting its waters from potential threats. Since then, the EU’s interest in maritime security has skyrocketed, with an increased focus on ensuring the safety of its ships, ports, and coasts, confirming once again that “insecurity at sea is often a manifestation of broader historical, governance, and security issues taking place on land”.
Therefore, both in line with the Commission’s work programme as well with its overall intention to improve the bloc’s maritime security capabilities, this article takes a closer look at the most recent update of the EU Maritime Security Strategy and the issues that have found their way into the revised text. In this context, the article considers not only the text of the joint communication published on March 10 as well as the amendments and relevant legislative proposals published since 2014. Rather, given the critical importance of physical infrastructure as the backbone of today’s globalized economy, and the fact that some $94 trillion will be spent on infrastructure worldwide between now and 2040, a particular focus is being placed on the incorporation of maritime critical infrastructure protection into the 2023 EU Maritime Security Strategy. In doing so, it becomes evident that the EU, with its updated strategy and relevant legal frameworks now in place, needs to improve interoperability and cooperation with partners such as NATO, implement robust cyber-security measures, and enhance the readiness and responsiveness of emergency response teams to deal with the new reality of maritime security.
(Why) Was there a need for reform?
While the 2023 update of the EU Maritime Security Strategy (EUMSS2023) does not present a fundamentally new strategy – the 2014 EU Maritime Security Strategy and its revised Action Plan (2018) remain in force – there has been a consensus in the research, military, technological and governance communities on the need for more concerted action. As such, stakeholders such as the European Defence Agency and the EU Naval Force, as well as Member States such as France, have strongly advocated for the EU to develop its maritime security capabilities. In doing so, they have called for increased cooperation and coordination among EU Member States to address maritime security challenges.
However, in order to understand exactly how the revised EUMSS2023 addresses the points brought forward by the relevant stakeholders and where exactly a strategic broadening was required, it is worth revisiting the EU Maritime Security Strategy 2014 (EUMSS2014). This rather comprehensive document sets out the EU’s approach to tackling various maritime security challenges, including piracy, terrorism, illegal migration and human trafficking, and is based on the principle of „prevent, protect and respond“. It focuses on the four key areas of (i) „maritime situational awareness“, (ii) „protection of critical maritime infrastructure“, (iii) „fight against illegal activities,“ and (iv) „crisis management“ and also emphasizes the importance of an integrated approach to maritime security, balancing security with other policy objectives such as economic growth, environmental protection and the rule of law. On the basis of this prioritization and conceptualization of the maritime space, various EU stakeholders, notably the Council, have attempted to revise or complement the EUMSS2014 on several occasions: The „Global Maritime Security“ (June 2017) and the „Conclusions on the Revision of the Action Plan of the European Union Maritime Security Strategy“ (2018) complemented the general cornerstones of the EUMSS2014, while in 2019 and 2021, specific aspects such as Arctic governance, the maritime economy or enhanced cooperation with the Indo-Pacific were introduced into the EU’s understanding of maritime security.
The EUMSS2014 – a guiding framework for the EU’s efforts to ensure maritime security – is also mentioned in the framework of the „Strategic Compass„, which outlines the EUs broader long-term strategic goals for defense and security. By doing so, it mentions the importance of protecting the EU’s maritime borders and interests and states that the EU will work to strengthen its maritime situational awareness and enhance its ability to conduct maritime surveillance, including through the use of unmanned systems. It also highlights the importance of protecting critical maritime infrastructure, such as ports and energy installations, and ensuring the freedom of navigation in the Mediterranean and the Black Sea.
In addition, and with regard to the military dimension of European governance, the Council – through concepts such as the Coordinated Maritime Presence (CMP) – has demonstrated that the EU intends to enhance its capacity as a reliable partner and provider of maritime security in both the short and long term, offering greater European engagement and ensuring a continuous maritime presence and outreach in identified maritime areas of interest. As recently as February last year, the Council adopted two sets of conclusions, the first one referring to the continuation of the strategic engagement in the Gulf of Guinea and the second one launching the implementation of the CMP in the North-West Indian Ocean.
However, apart from these earlier changes and revisions, what made the revision of the EUMSS2014 particularly important is the changed and challenged structure of the international system and its security-related dimensions. Focusing in particular on the dimension of hybrid threats, it can be argued that the combination of traditional military, criminal and non-military means has gained prominence in the toolkit of the EU’s potential adversaries. Although difficult to quantify due to the involvement of multiple actors and the use of a range of tactics, such as cyberattacks and unconventional military operations, the EU Parliament, for example, saw hybrid threats as a central point in last year’s budget negotiations. The Council – together with the European Commission and the European External Action Service – also emphasized the need for a stronger EU focus on hybrid campaigns in the „EU Integrated Resolve 2022„. Thus, the EUMSS2023 saw itself confronted with the necessity to pick up the ball and – complementary to the efforts undertaken since 2022 – integrate the prevention of hybrid attacks more strongly in the maritime domain.
A Particular Focus on Critical Infrastructure Protection
This growing importance of hybrid threats and the awareness of the vulnerability of critical infrastructure – especially in light of attacks such as those on the Nord Stream gas pipelines – is consequently also reflected in the 2023 version of the EU Maritime Security Strategy. Understanding critical maritime infrastructure as including “undersea cables and pipelines, logistical hubs (i.e. ports), offshore renewable energy installations, offshore oil and gas oil platforms”, the strategy refers first of all to the „recurring hybrid and cyber attacks” on this kind of infrastructure and acknowledges that malicious actors are increasingly likely to use hybrid and cyber means to target maritime infrastructure, including undersea cables and pipelines, as well as ports and ships”. Based on this key strategic threat perception, which has been honed compared to the EUMSS2014 and the Strategic Compass, the EUMSS2023 specifies the intention of “ensuring the resilience and protection of critical maritime infrastructure (onshore and offshore), including by addressing the risks and threats related to climate change”.
To see why the protection of critical (maritime) infrastructure has arguably been given a prominent place in the EUMSS2023, one need only look at the impact of the leaks in the Nord Stream 1 and Nord Stream 2 pipelines discovered at the end of September 2022. The leaks, which occurred in the Exclusive Economic Zones of Sweden and Denmark, with seismometers registering explosions of up to 2.3 on the Richter scale, affected underwater pipelines built to transport natural gas from Russia to Europe and – although they stopped delivering gas after Russia’s invasion of Ukraine – caused a spike in European prices. Following this act, Commission President von der Leyen stated that „the acts of sabotage against the Nord Stream pipelines have shown how vulnerable our energy infrastructure is“, echoing the threat assessment of both NATO and stakeholders such as Admiral Sir Ben Key, First Sea Lord and Chief of the British Naval Staff, who stressed that „anything on the seabed is vulnerable, be it gas pipelines or data cables“.
Against the backdrop of attacks such as these, the EU has seen itself confronted with the need to be better equipped to prevent and respond quickly and effectively to crises in its maritime domain, and has provided an appropriate framework for response with the EUMSS2023. While the EUMSS2014 e.g. implicitly referred to missions such as the EU NAVFOR Atalanta operation as a means of ensuring the availability of EU military assets for crisis management operations, the 2023 broadened this focus and, with regard to the protection of critical infrastructure, particularly sees cooperation with critical stakeholders such as NATO as a means to extend cooperation with NATO to coordinate the protection of underwater infrastructure. Among other things, the strategy references the „Task Force on Resilience of Critical Infrastructure“ launched on 16 March, which is embedded in the „EU-NATO Structured Dialogue on Resilience“ and for the time being will cover the four sectors of energy, digital infrastructure, transport and space. Especially with regard to the areas of critical energy and transport infrastructure, this kind of cooperation can be said to be essential, given the need for both organizations to protect their respective interests, as disruptions to these sectors can have severe economic consequences. As incidents such as the 2019 attack on four oil tankers in the Gulf of Oman have shown, disruptions in this critical domain can lead to supply chain disruptions, decreased productivity, and increased costs. By working together, the EU and NATO can therefore enhance the resilience and protection of critical energy and transport infrastructure, ensuring the continued flow of goods and services and safeguarding the economic stability of the region.
This expansion also makes it possible to broaden the Strategic Compass’s rather cautious perception of threats to the specific area of cyber threats. For example, while the Strategic Compass recognizes that the changing geopolitical situation in the EU’s neighborhood affects “the security of our citizens, our critical infrastructure and the integrity of our borders” and sets the goal of “being able to respond rapidly and forcefully to cyber-attacks”‘, it fails to make any concrete reference to the specific vulnerability of maritime infrastructure. This omission, however, was subsequently addressed by the EUMSS2023, and in particular by drawing on legislation such as the Council Recommendation on the Protection of Critical Infrastructure published by the Commission last October, in order to prepare for, deter and defend against the coercive use of energy and other hybrid tactics by state and non-state actors.
Particularly in the light of the latter Council Recommendation, as well as the Critical Entities Resilience Directive (CER), which entered into force on 16 January 2023, the EUMSS2023 has seized the opportunity to strengthen the EU’s protective capabilities at points that until recently were considered unprotected and vulnerable. Whereas e.g. the CER in its framework only refers to terrestrial and not to maritime infrastructure, where internet cables and gas pipelines run underwater and outside national territories, the EUMSS2023 included these critical aspects in the recent update. This, in turn, not only provides a maritime safety framework for the financing of projects such as an internet cable connecting Finland to Japan via the Arctic. It is also an opportunity to address concerns such as those of Ireland, which has highlighted the challenges of monitoring its underwater infrastructure due to the size of its territorial waters. Given that cables such as the one connecting Germany and Denmark are largely privately owned, and that maritime infrastructure such as Ireland’s acts as a geographical bridge between the EU and key allies such as the U.S., the EUMSS2023 now also promotes enhanced and issue-specific public-private cooperation.
In the overall context of an increased awareness of hybrid maritime threats, the revised EUMSS also places a more pronounced focus on the specific issue of cyber security. In doing so, the strategy takes not only into account that the maritime security environment considered by the EUMSS2014 and the Strategic Compass underwent a strong digital transformation as a result of the introduction of ICT but also reflects on the convergence of information technology systems and operational technology systems. Two of the relevant developments that the EUMSS2023 hereby takes into account are the above-mentioned Directive 2022/2557 on the resilience of critical facilities, as well as the recently revised Directive 2022/2555 – or NIS 2 Directive for short. The latter directive, e.g., identifies a large number of maritime operators as „Operators of Essential Services“ (OES) and takes into account that not only port authorities and terminal operators, but also shipping companies, classification societies and shipbuilding companies have to be considered with their individual cyber security vulnerabilities. In this context, and drawing on an increase in cases such as the 2020 „Mespinoza/Pysa“ ransomware attack on the port of Marseille, the EUMSS2023 now must succeed in improving both the physical and non-physical cyber resilience of entities operating critical infrastructures and provide more planning certainty to relevant actors in this field.This can be done especially through an exchange of best practices between maritime actors on cyber threats, reflecting on institutional strengths and also suggested by the strategy, as well as the (further) development of specific reskilling and upskilling programmes, for example at the level of the „EU Agency for Cybersecurity”.
Keeping Europe’s waters safe: Setting sail with a revised maritime security strategy
To sum up, the EU’s revised Maritime Security Strategy must now rise to the challenge of external and potentially hostile stakeholders’ growing interests across maritime Europe, the rapidly changing threat landscape as well as the evolving EU legislation and work in this area. In this regard, the contribution underscores the imperative of now implementing the critical infrastructure protection of e.g. example ports, shipping lanes, and offshore energy platforms into the maritime domain with the utmost urgency, as hybrid threats pose a significant risk to critical infrastructure.
By focusing on these vital issues, the MSS2023 can bolster maritime surveillance capabilities, and foster increased information-sharing and intelligence gathering among EU member states and with partners, enabling the EU to enhance the resilience of its critical infrastructure and maintain its ability to navigate the maritime domain with confidence. It is now up to the EU to embrace these crucial insights and priorities of the revised strategy, for only then can it continue to proactively ensure the security and stability of its maritime domain in the face of new and emerging threats
Polis Blog ist eine Plattform, die den Mitgliedern von Polis180 & OpenTTN zur Verfügung steht. Die veröffentlichten Beiträge stellen persönliche Stellungnahmen der AutorInnen dar. Sie geben nicht die Meinung der Blogredaktion oder von Polis180 e.V. wieder.
Bildquelle via unsplash.com
Lukas Seelig is a student of the double master „Public Policy“ and „Public Administration“ at Sciences Po and the LSE, where he specializes in Management, Public Affairs and Finance. He joined „Polis180“ in 2020 and has been serving as Co-Head of the program area „European Economic Policy“ since mid-2022. While his academic focus is primarily in the field of economics, he also has a keen interest in the area of „Security & Defense“ and is actively involved in the respective program here at „Polis180“.