• The Candidate Countries North Macedonia*, Montenegro^*, Serbia^*, Albania^*, Ukraine, the Republic of Moldova, Bosnia and Herzegovina^* and Georgia, and the EFTA country Norway, member of the European Economic Area, as well as Andorra and San Marino, align themselves with this statement.
• The European Union and its Member States strongly support the concrete implementation of the UN framework for responsible State behaviour in cyberspace that among other key components also includes eleven voluntary norms of State behaviour in cyberspace. The OEWG must continue to elaborate on, strengthen and enhance the implementation of these eleven norms, and to exchange on best practices as well as expectations in this context. 
• As every country has its own starting point for implementing the UN’s recommendations, we see the Norms Checklist as proposed by the Chair as a valuable tool to enable both the clarification of the content, scope and expectations that the norms set, and to contribute to the common understanding on how to implement them. The checklist can build upon the work already done on norms implementation guidances, such as the guidance provided in the 2021 UNGGE report as well as the OEWG consensus reports, and on the efforts by other stakeholders such as ASEAN, the Australian Strategic Policy Institute (ASPI) and UNIDIR.
• Throughout previous sessions, UN MS as well as regional organizations have suggested different tools, manuals and practices, which could be helpful to implement the norms.
• UN MS and regional organisations, including the EU, also shared domestic and regional practices, positions on international law, ratification of treaties, vulnerability disclosure frameworks, and mechanisms for crisis and incident management that could be considered relevant in this regard. For the EU, it is important that the checklist would also help to identify barriers to implementation and from there, translate those needs into targeted capacity building programmes.
• During previous session, the EU and its Member States have been highlighting some of the norms which we believe could be developed further, in particular, norm 13 (c) and the three critical infrastructure-related norms, 13 (f), (g), (h).
• The norm 13(c), that affirms that “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs”, raises the expectations that States (1) should take reasonable measures to keep their territory from being used to commit malicious ICT activity to the detriment of third States, as in the case of developing relevant institutional capacities to be able to swiftly respond to malicious uses emanating from ones territory. We would note that taking of preventive measures should not be understood as entailing the responsibility of a state to monitor ICT infrastructure located on its territory at all times; (2) Response to requests for cooperation: When notified by another State that such an activity is taking place or that it is highly probable that such an activity shall imminently take place, States should take appropriate measures to address it, and an (3) “expectation of means”: the expectation that States should take appropriate measures in accordance with their capacities.
• To advance the implementation of norms, the European Union has also been a strong advocate of a more consistent cooperation with other stakeholders. Notably the critical infrastructure operators can support advancing the protection of critical infrastructure, one of the positive obligations under the UN framework. In addition, the private sector could continue to contribute to building capacities, using their knowledge and experience on the protection of critical infrastructures, as well as the responses to incidents. Further activities could include to enhance threat monitoring and assessment, reporting and other incident management mechanisms and capabilities.
• Public-private partnership including by involving the private sector to national CIP planning and implementation, including by establishing obligatory and voluntary venues, mechanisms and procedures of contribution, as well as by strengthening response systems and cross-sectoral exercises, is fundamental to protect national interests, and at the same time to adhere to the UN framework for responsible state behaviour.
• In light of that, we appreciate the meeting by the Chair last week inviting all interested stakeholders to an informal dialogue to discuss on how stakeholders can further contribute to States’ efforts to develop measures or best practices to protect CI and CII from ICT threats and how to better support States in this process.
• The OEWG could potentially look into issuing a set of cybersecurity best practices, and encourage all public and private sector organisations to apply these practices to improve their cyber resilience. In this, the OEWG could, for example, draw inspiration from and adopt or further develop some of the good practices from the “Geneva Manual” that was developed by non-state actors and that clarifies the roles and responsibilities of non-state actors and suggests how they can contribute to the implementation of the voluntary norms.
• During previous sessions, the EU and its Member States have also called upon States to further develop their understanding on the content, scope and expectations of the norms. The EU has institutionalised a careful review of cyber incidents against the normative framework to ensure any diplomatic responses are measured and proportionate. In the context of the OEWG, discussions about norms implementation as well as the application of international law to cyber operations that target CI, in peacetime and in conflict, are vital to improve accountability. 
• We look forward to further engage on the Norms Checklist, and thank the Chair for putting it forward, as it has the potential to make the OEWG more effective and enable concrete exchange on how countries interpret and track these norms nationally.

* North Macedonia, Montenegro, Serbia, Albania and Bosnia and Herzegovina continue to be part of the Stabilisation and Association Process.