Excellencies,

I have the honour to speak on behalf of the European Union and its 27 Member States.

The candidate countries North Macedonia*,  Montenegro*, Serbia, Ukraine, Albania*, the Republic of Moldova and Bosnia and Herzegovina*, the potential candidate country Georgia, and the EFTA countries Iceland and Norway, members of the European Economic Area, align themselves with this statement.

Under the current circumstances building mutual trust between countries remains more important than ever. As one key element of the framework for responsible State behavior in cyberspace, confidence-building measures are an essential tool in mitigating the risks of misperception, miscalculation and unintended escalation.

Recent years have seen significant steps by several regional organizations in developing and implementing confidence-building measures. They have acted as an incubator for national implementation of UN GGE and OEWG confidence building measures and additionally, have developed their own initiatives. The EU is working closely with three regional organizations with cyber CBMs programs: the Organization for Security and Cooperation in Europe (OSCE), the ASEAN Regional Forum (ARF) and the Organization of American States (OAS). Each organization is unique, but some elements of success cut across the regions.

Last month, with the aim of learning from regional experiences and looking for cross-regional synergies, we organized, together with UNODA and UNIDIR an event at the OSCE that brought together all above mentioned international organizations.

All regional organizations agreed that CBMs are recognized as pivotal diplomatic tools, serving not only as goals but also as guidance in diplomatic initiatives. The mutual benefit of CBs and CBMs underscores their strategic significance in fostering international cooperation and addressing cybersecurity challenges. But CBMs also take months if not years to become operational and they need a permanent structure around it. For example, the OSCE developed an “adopt a CBM” initiative, where individual states or a group of states are in charge for putting a CBM into action. Through such initiatives regional organizations can play a crucial role in facilitating mutual understanding between countries, acting as a platform to form consensus around interpretation and implementation.

After the adoption of the CBMs, the OSCE has been focusing more than ever on operationalization of CBMs through increased targeted support and capacity-building for OSCE participating States. This takes place in the formats of scenario-based discussions, where government officials are exposed to the practical application of CBMs and norms of responsible State behaviour and  sub-regional training for policymakers, technical experts and private sector representatives. The OSCE has also developed virtual capacity-building tools, such as e-learnings and good practice reports, which aims to further implement CBMs in the OSCE area, as well as raise awareness of OSCE cybersecurity efforts globally.

A good example of such an implementation, is the EU run annual tabletop exercise for cyber attaches and capital experts of EU Member States within the framework of the Horizontal Working Party on Cyber Issues. The exercise focuses on how to respond to malicious cyber activities with diplomatic measures, and to support the crisis management decision-making process. This activity corresponds with OSCE CBM 5: Use of OSCE as platform for dialogue, exchange of best practices, awareness raising, and info on capacity building.

During the event, participants also emphasized the merits of holistic approaches to CBM implementation. In particular, they highlighted the importance of prioritization, sustainable development, and regional collaboration. Strategies such as mapping projects to identify relevant organizations and initiatives, cross-regional dialogue, and the creation of Points of Contact (PoCs) demonstrate a comprehensive effort towards this direction. In addition, States may consider establishing or identifying appropriate points of contacts within the private sector.

Challenges in CBM development and implementation are the lack of immediate metrics of success, reluctance to share information, and the complexity of fitting CBMs to diverse national contexts taking into account local idiosyncrasies. Although such information sharing can be valuable, there are also limits to that value – replicating what works in one region will not ensure success in another region. Thus there is a need of regional adaptation and ownership. Simultaneously, the potential for regional collaboration and the importance of understanding national perspectives on assistance highlight opportunities for effective cooperation on CBM development and implementation. In this context, CCBs are crucial enabling measures for implementation of CBMs and provide a concrete support to overcome the aforementioned challenges.

The EU continues to believe that cyber confidence building measures are best implemented by regional organizations with the capacity and regional expertise to take on such programs and adapt them to their regional context. But we need to keep in mind that although nearly half the world has pursued a regional cyber CBMs framework still, not all UN member states are members of multilateral or regional organizations with cyber CBMs programs. Therefore, the initial list of voluntary CBMs at the global level is a useful step.

We believe that the United Nations’ primary role on cyber CBMs should be to develop global recommendations, share best practices, and encourage cross-regional dialogue and exchanges, while taking into account and complement existing activities in regional organizations.