EU Statement – UN General Assembly 1st Committee: Disarmament Measures and International Security

Madam Chair,

I have the honour to speak on behalf of the European Union.

The Candidate Countries North Macedonia^*,Montenegro^*, Serbia^*,Albania^*, Ukraine, the Republic of Moldova, Bosnia and Herzegovina^*and Georgia, and the EFTA country Norway, member of the European Economic Area, as well as Monaco and San Marino align themselves with this statement.

Over the past decade, the international community has made clear that the international rules-based order applies to States' behaviour in cyberspace. All members of the United Nations General Assembly have repeatedly affirmed the evolving framework of responsible State behaviour in cyberspace, built upon the recognition that international law applies in cyberspace, adherence to voluntary non-binding norms of State behaviour, commitment to capacity building and the enhancement of practical confidence-building measures to reduce the risk of conflict. Broad international consensus around these four elements is the foremost accomplishment of cyber diplomacy in the last decade.

International law's pivotal role in maintaining peace and stability in cyberspace can only be fully realised when States implement and adhere to their international legal obligations. Russia's illegal, unprovoked and unjustified war of aggression against Ukraine has seriously violated the principles of the UN Charter and International Law, including in the cyber domain. The malicious cyber campaign shows Russia's continuous pattern of irresponsible behaviour in cyberspace, by targeting democratic institutions, government entities and critical infrastructure providers. This type of behaviour is contrary to the UN norms of responsible State behaviour in cyberspace, such as impairing the use and operation of critical infrastructure.Moreover, destructive cyber-attacks against Ukraine, often in conjunction with missile and drone attacks, are unprecedented, with a spill over effect to other countries as well.

ICTs are a driver of sustainable development worldwide, but as our reliance on these technologies grow, this also increases the threat of disruptive, coercive and destabilizing cyber activities by state and non-state actors. The changed threat environment in Europe, induced by Russia's war of aggression against Ukraine as well as other growing and evolving threats from States and non-State actors have affected the way we as the EU respond to malicious cyber operations. The EU will not tolerate suchactivities, particularly those that aim to degrade our critical infrastructure, weaken societal cohesion and influence democratic processes. We have strengthened our commitment to further revise and constantly improve cyber resilience within the EU and in other regions and develop further strategies how best to address cyber threats coming from all malicious actors.

To this end, we are working across the whole range of our instruments to prevent, discourage, deter and respond to malicious cyber activities. This includes the EU Cyber Diplomacy Toolbox and the EU's Policy on Cyber Defence enabling prevention, deterrence and defence across all domains - political, military and technical. We also invest our capacity building efforts in EU and other regions, and cooperate with Statesand stakeholders to make sure all States' governance and capabilities are able to correspond to the threat landscape and become futureproof.

The importance of cybersecurity can hardly be underestimated. In the last years, cyber security threats have significantly increased in level, complexity, sophistication and scale. While Artificial Intelligence can serve as a powerful tool for strengthening cybersecurity, it also has the ability to exaggerate this trend and make malicious cyber activities even more complex, sophisticated and far-reaching. Moreover, AI is driving fundamental changes within the military domain. Although AI presents opportunities for development and peaceful applications, its rapid integration in the military domain introduces new risks and exacerbates existing ones. This development demands collaborative, multilateral responses. For the EU it is crucial to seize potential opportunities andaddresschallenges AI provides for international peace and security.

While recognising that States bear the primary responsibility to ensure international peace and security, other stakeholders have an essential role to play. The contribution of the multi-stakeholder community is essential to our collective aim of maintaining international peace and security in cyberspace. Our ability to liaise with technical experts and other non-governmental stakeholders would only strengthen the implementation of the framework for responsible State behaviour. Just as the mode and structure of UN cyber discussions has evolved over the years, so too has our recognition of the contributions of, and modalities for engagement with, non-state stakeholders. Cyber threats are only continuing to rise and we need to remain vigilant in delivering tangible outcomes so that all States have the capability and capacity to build resilience to cyber threats. The High-Level Global Capacity Building roundtable organised by the Chair of the OEWG in May was useful in this regard. We also welcome the recognition of the considerable work both within and also outside the UN to identify cyber capacity building needs, and deliver technical assistance to meet some of these needs. Welook forward to continuing this discussion on cyber capacity building to maintain international peace and security in cyberspace.

We also welcome the consensus reached in July 2024 on the Annual Progress Report (APR) of the Open-Ended Working Group on the security of and in the use of information and communication technologies 2021-2025 (OEWG), and stress the need for the international community to continue discussions until the conclusion of the Group's mandate to further strengthen security and stability in cyberspace. While the APR lacks ambition on several aspects such as international humanitarian law, it does outline multiple ways forward to strengthen the UN framework for responsible State behaviour. We welcome the APR's reference to the threat of ransomware and the concern regarding malicious ICT activity targeting international organisations, as well as regarding the growing market for commercially-available ICT intrusion capabilities. In view of the adoption of the final report of the OEWG, we need to further elaborate on the additional areas of convergence among States, in particular as to how international law applies in cyberspace.

The European Union has been a long-standing advocate for the establishment of a permanent UN mechanism that is inclusive, action-oriented, results-based, transparent and consensus-driven. This objective is widely shared by the UN Member States, as demonstrated last year by the overwhelming support of 161 positive votesfor the Programme of Action to Advance Responsible State Behaviour in Cyberspace (PoA) resolution. Institutional stability will allow us to take our discussions forward, and to preserve all the hard-fought consensus gains we have made in previous UN GGEs and OEWG, and in the current OEWG. This updated UN cyber architecture would build on previous outcomes and be in line with the cumulative and evolving framework for responsible State behaviour, as set out in resolutions 77/37 and 78/16.

The PoA proposal aims to provide States with flexibility to address issues through a virtuous cycle that links political discussions, information exchange and practical implementation. It will be State-driven, and it will also benefit from multi-stakeholder engagement, including with the private sector, academia, civil society, and the technical community to consider and provide their unique perspectives.

The establishment of a permanent platform would allow the international community to focus its discussions on substance, best practices and enhancement of cooperation and trust among States, leading to strengthened cyber resilience.The EU and its Member States fully support the recommendations contained in the 3^rd Annual Progress report of the 2021-2025 OEWG on ICT security to that end. We will strive in the remaining sessions of the current 2021-2025 OEWG to reach agreement on a single-track,permanent mechanism to be established after the conclusion of the current OEWG, and we call on all Member States to take part in these discussions on scope, structure and content, in a constructive manner.

Given the escalating nature of international cybersecurity threats, it is more important than ever to deepen our cyber collaboration with international partners and promote a shared understanding on how international law applies and how to further implement the United Nations framework of responsible State behaviour. For several years now, the cross-regional PoA proposal has nurtured discussions in an incremental and inclusive approach.The core of the EU's ambition is to continue to do so, in order to move forward on how to improve cooperation to tackle malicious cyber behaviour, ensure cyberspace's stability in the long run by bridging the digital divide, and break silos to improve cyber resilience to the benefit of all countries, especially the most vulnerable.

I thank you, Madam Chair.

*North Macedonia, Montenegro, Serbia, Albania and Bosnia and Herzegovina continue to be part of the Stabilisation and Association Process.