EU Council approves a declaration on the application of international law to cyberspace


On 18 November 2024, the Council of the European Union (EU Council) approved the Declaration on a Common Understanding of International Law in Cyberspace (Declaration).  The Declaration acknowledges the practical reality that malicious behaviour in cyberspace, including ransomware attacks, is increasing in scale, severity, sophistication and impact. Such behaviour hampers the efforts of States to fully grasp the benefits of digitalisation, affects critical infrastructure, and presents major challenges to the functioning of European societies and economies.

The European Union and its Member States reaffirmed that international law, in particular the UN Charter, international human rights law and international humanitarian law, fully applies to cyberspace.

The Declaration notes that an increasing number of States have already published their positions on international law in cyberspace. To support further common understanding in this sphere, the Annex to the Declaration sets out a non-exhaustive set of legal elements shared by the EU and its Member States.

State sovereignty and non-intervention

The Declaration confirms that sovereignty is a core principle of international law.  A violation of the obligation to respect sovereignty may occur when a cyber operation, attributable to a State, infringes upon another State’s territorial integrity or leads to interference with or usurpation of inherently governmental functions of that State.  Further, coercive interference with information and communication technology (ICT) systems, cloud-services and networks on another State’s territory or within its jurisdiction may constitute a prohibited intervention in breach of international law if such interference is attributable to a State.

Due diligence

The Declaration signals the importance of due diligence in the prevention of malicious behaviour in cyberspace. Due diligence requires a State to make efforts to ensure that ICT infrastructure which is located within its territory, or which it effectively controls, is not used by either State or non-State actors for acts contrary to the rights of other States, once the State knows or ought to have known of such activities. Further, each State is required to take all appropriate and reasonably available and feasible measures to act against cyber operations that violate rights of another State under international law. The Declaration notes, however, that due diligence does not require preventive monitoring of all cyber activities and ICT infrastructure in the territory of a State or within its effective control.

Compliance with international human rights law

The EU and its Member States make it clear that States must comply with their obligations under international human rights law in cyberspace in the same way as offline.  The Declaration notes that human rights that might be particularly at risk in the cyber context include the freedom of opinion and expression; the right to privacy; the freedom to seek, receive and impart information; the freedom of peaceful assembly and association; the prohibition of discrimination; and the rights of the child.

Responses to cyber operations

The Declaration provides that a State may also react to cyber operations of another State by taking action that would depart from the State’s international obligations if the wrongfulness of such action is precluded under international law due to specific circumstances, such as self-defence or necessity.

The EU and its Member States consider that a State targeted by a cyber operation constituting an armed attack may invoke its inherent right of individual or collective self-defence in accordance with Article 51 of the UN Charter.  In order for a cyber operation to constitute an armed attack, the scale and effects of the operation must be comparable to those of a conventional kinetic attack.  The relevant factors for assessing whether the scale and effects of the cyber operation are grave enough to characterise it as an armed attack include the extent of any damage or destruction of property, in particular the ICT infrastructure, or injury or death of persons, including as an indirect effect of a cyber operation.

A State may invoke necessity as a ground for precluding the wrongfulness of an act only if, first, the act is the only way for the State to safeguard its essential interest against a grave and imminent peril and, second, the act does not seriously impair an essential interest of either the State towards which an international obligation exists or of the international community as a whole.  The Declaration states that, in the cyber context, an interest may be considered essential on account of the type of infrastructure actually or potentially targeted by a cyber operation and when that infrastructure is relevant for the State as a whole.



Authored by Markus Burgstaller and Dmytro Galagan.

The EU and its Member States support the Cyber Programme of Action and will continue working with international partners to establish one single, permanent, inclusive, regular, and action-oriented UN mechanism to implement and advance responsible State behaviour in cyberspace.  They will also continue to support third countries through training and capacity building on the implementation of the UN framework of responsible State behaviour in cyberspace, including the development of national positions on the application of international law to cyberspace.

If you require further information about these recent developments or are concerned that they may have an impact on you, please contact our Hogan Lovells team.
