Today, in Helsinki, Finland, Executive Vice-President Henna Virkkunen presented the Joint Communication of the Commission and the HRVP to strengthen the security and resilience of submarine cables. Announced by President von der Leyen on 9 February in Vilnius during the Baltic Energy Independence Day, the Joint Communication introduces a range of measures to bolster the resilience of this critical infrastructure, addressing prevention, detection, response, recovery, and deterrence.
Communication cables connect several Member States to one another, link islands to the EU mainland, and connect the EU to the rest of the world, carrying 99% of inter-continental internet traffic. Subsea electricity cables facilitate the integration of Member States' electricity markets, strengthen their security of supply, and deliver offshore renewable energy to the mainland. However, in recent weeks and months, submarine cables incidents have risked causing severe disruptions in essential functions and services in the EU, impacting the daily lives of EU citizens. This initiative responds directly to these threats.
The Joint Communication is designed to support all Member States, including those in the Baltic Sea Region, which have seen a significant increase in cable incidents. Key measures include:
- Prevention: Stepping up security requirements and risk assessments on submarine cables, while prioritising funding for the deployment of new and smart cables, allowing for increased redundancies and consequently enhancing resilience.
- Detection: Enhancing threat-monitoring capabilities per sea basin, such as the Mediterranean or the Baltic Seas, to build a comprehensive situational picture. This will enable earlier alerts and more effective responses.
- Response and Recovery: Improving the efficiency of the EU-level crisis framework for swift action on incidents impacting submarine cables and to increase repair capacity to ensure swift repair of damaged cables.
- Deterrence: Enforcing sanctions and diplomatic measures against hostile actors and the 'shadow fleet', making full use of the Hybrid Toolbox to address hybrid campaigns. This also includes fostering 'cable diplomacy' with global partners.
These strategic actions complement ongoing work by the Submarine Cable Infrastructure Expert Group, composed of Member States and the EU Agency for Cybersecurity (ENISA). The actions are complementary to NATO's existing activities and support national and regional endeavours, reaffirming Europe's commitment to protecting critical submarine infrastructure, which is essential to global communications and energy security.
Next Steps
The Commission and the High Representative will roll out specific actions progressively in 2025 and 2026 together with the Member States and the EU agency for Cybersecurity, ENISA. By the end of 2025, the Commission and the High Representative are expected to present, amongst other actions, the mapping of existing and planned submarine cable infrastructures, a Coordinated Risk Assessment on submarine cables, a Cable Security Toolbox of mitigating measures and a priority list of Cable Projects of European Interest.
The security of the EU's critical infrastructure will also be an important element of the upcoming Internal Security Strategy. Further work will also build on the Niinistö Report on how to enhance Europe's civilian and defence preparedness and readiness.
Background
Security and resilience of submarine cable infrastructure were addressed in a 2024 Recommendation on the security and resilience of submarine cable infrastructures , as well as in a White Paper on 'How to master Europe's digital infrastructure needs' . To deliver on the Recommendation, the Commission established an Expert Group, composed of Member State authorities and ENISA.
The EU is actively working on various fronts to promote cyber resilience and protect its citizens and businesses from cyber threats in an increasingly digital and connected Europe. An action plan on the cybersecurity of hospitals and healthcare providers was launched in January to address the unique threats facing the sector.
The Commission also continues the work on implementing the upgraded legal framework for the resilience of critical infrastructure, both physical and cyber, with, the Critical Entities Resilience (CER) Directive , and the Network and Information Systems (NIS2) Directive . The CER Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage.
The NIS2 cybersecurity framework establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU and calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement. These measures work hand in hand with Cyber Resilience Act , the first-ever EU legislation placing mandatory cybersecurity requirements for products that include digital elements, which entered into force on 10 December 2024. The Commission has also put in place a Cyber Emergency Mechanism under the Cyber Solidarity Act , reinforcing the EU's solidarity and coordinated actions to detect, prepare for and effectively respond to growing cybersecurity threats and incidents.
