The European Cyber Resilience Act (CRA)

What is the European Cyber Resilience Act (CRA)?

The European Cyber Resilience Act is a legal framework that describes the cybersecurity requirements for hardware and software products with digital elements placed on the market of the European Union. Manufactures are now obliged to take security seriously throughout a product’s life cycle.

Digital hardware and software products constitute one of the main avenues for successful cyberattacks. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes.

Before the European Cyber Resilience Act, the various acts and initiatives taken at Union and national levels only partially addressed the identified cybersecurity related problems and risks, creating a legislative patchwork within the internal market.

It increased legal uncertainty for both manufacturers and users of those products, and added an unnecessary burden on companies to comply with a number of requirements for similar types of products.

The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire internal market.

Two major problems are addressed:

1. The low level of cybersecurity of products with digital elements, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them.

2. The insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.

Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors.

As a result, even hardware and software considered as less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems.

Examples of products with digital elements

End devices
- laptops
- smartphones
- sensors and cameras
- smart robots
- smart cards
- smart meters
- mobile devices
- smart speakers
- routers
- switches
- industrial control systems.

- firmware
- operating systems
- mobile apps
- desktop applications
- video games

Components (both hardware as well as software)
- computer processing units
- video cards
- software libraries

Examples of cyberattacks, exploiting the security of products with digital elements

- The Pegasus spyware, which exploited vulnerabilities in mobile phones.

- The WannaCry ransomware, which exploited a Windows vulnerability that affected computers across 150 countries.

- The Kaseya VSA supply chain attack, which used network administration software to attack over 1000 companies.

4 April 2024 - Paper: "Cyber Resilience Act (CRA) Requirements Standards Mapping" - from ENISA and the European Commission’s Joint Research Centre.

The Cyber Resilience Act (CRA) proposal covers all products with digital elements put on the market which can be connected to a device or a network, including their building blocks (i.e., hardware and software), and encompassing also solutions provided in a Software as a Service (SaaS) fashion if they qualify as remote data processing solutions, as defined by Article 3(2) of the CRA proposal.

The CRA proposal provides two sets of essential requirements:

— Product cybersecurity requirements in Annex I, Section 1 of the CRA proposal,

— Vulnerability handling process requirements in Annex I, Section 2 of the CRA proposal.

These requirements should be the subject of a standardisation process by the European Standardisation Organizations (ESOs) to express them in the form of specifications in harmonised standards.

This report details the available standardisation outputs on the cybersecurity of products (hardware and software products, including hardware and software components of more complex products) carried out mainly by ESOs and international Standards Development Organizations (SDOs). Specifically, the study aim at presenting a mapping of the existing cybersecurity standards against the essential requirements listed in Annex I of the CRA proposal, along with a gap analysis between the mapped standards and the requirements.

4 April 2024 - Paper: "Cyber Resilience Act (CRA) Requirements Standards Mapping" - from ENISA and the European Commission’s Joint Research Centre.

12 March 2024 - the European Parliament approved the Cyber Resilience Act.

The Cyber Resilience Act was approved with 517 votes in favour, 12 against and 78 abstentions.

Text adopted: "European Parliament legislative resolution of 12 March 2024 on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (COM(2022)0454 – C9-0308/2022 – 2022/0272(COD))".

Next step: It must be formally adopted by the Council.

1 December 2023 - Political agreement on the Cyber Resilience Act.

The European Commission welcomes the political agreement reached between the European Parliament and the Council on the Cyber Resilience Act, proposed by the Commission in September 2022.

The agreement reached is now subject to formal approval by both the European Parliament and the Council. Once adopted, the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.

Upon entry into force, manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, with the exception of a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities.

Update, July 2023 - Agreement reached in the European Council.

The Council’s common position maintains the general thrust of the Commission’s proposal, namely as regards:

- Rules to rebalance responsibility for compliance towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market, including obligations like cybersecurity risk assessment, declaration of conformity, and cooperation with competent authorities.

- Essential requirements for the vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and obligations for economic operators, such as importers or distributors, in relation to these processes.

- Measures to improve transparency on security of hardware and software products for consumers and business users, and a market surveillance framework to enforce these rules.

What is next?

After the Council’s common position ('negotiating mandate'), we will have negotiations with the European Parliament ('trilogues') on the final version of the proposed legislation.

Update, September 2022 - Proposed Articles of the European Cyber Resilience Act (CRA)

The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.

Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.

Such products suffer from two major problems adding costs for users and the society:

- a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and

- an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.

While existing internal market legislation applies to certain products with digital elements, most of the hardware and software products are currently not covered by any EU legislation tackling their cybersecurity. In particular, the current EU legal framework does not address the cybersecurity of non-embedded software, even if cybersecurity attacks increasingly target vulnerabilities in these products, causing significant societal and economic costs.

Two main objectives were identified aiming to ensure the proper functioning of the internal market:

- create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and

- create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Four specific objectives were set out:

1. Ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle;

2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;

3. Enhance the transparency of security properties of products with digital elements, and

4. Enable businesses and consumers to use products with digital elements securely.

Understanding the European Cyber Resilience Act (CRA)

The European Cyber Resilience Act (CRA) aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufactures take security seriously throughout a product’s life cycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

The relevant Union legislation that is currently in force comprises several sets of horizontal rules that address certain aspects linked to cybersecurity from different angles, including measures to improve the security of the digital supply chain. However, the existing Union legislation related to cybersecurity, does not directly cover mandatory requirements for the security of products with digital elements.

The various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products and adding an unnecessary burden on companies to comply with a number of requirements for similar types of products.

The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire internal market. This makes it necessary to regulate the field at Union level. The Union regulatory landscape should be harmonised by introducing cybersecurity requirements for products with digital elements. In addition, certainty for operators and users should be ensured across the Union, as well as a better harmonisation of the single market, creating more viable conditions for operators aiming at entering the Union market.

At Union level, various programmatic and political documents, such as the EU’s Cybersecurity Strategy for the Digital Decade, the Council Conclusions of 2 December 2020 and of 23 May 2022 or the Resolution of the European Parliament of 10 June 2021, have called for specific Union cybersecurity requirements for digital or connected products, with several countries around the world introducing measures to address this issue on their own initiative. In the final report of the Conference on the Future of Europe, 18 citizens called for “a stronger role for the EU in countering cybersecurity threats”.

To increase the overall level of cybersecurity of all products with digital elements placed on the internal market, it is necessary to introduce objective-oriented and technology-neutral essential cybersecurity requirements for these products that apply horizontally.

Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered as less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Manufacturers should therefore ensure that all connectable products with digital elements are designed and developed in accordance with essential requirements laid down in this Regulation.

This includes both products that can be connected physically via hardware interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces or any other types of software interface. As cybersecurity threats can propagate through various products with digital elements before reaching a certain target, for example by chaining together multiple vulnerability exploits, manufacturers should also ensure the cybersecurity of those products that are only indirectly connected to other devices or networks.

By setting cybersecurity requirements for placing on the market products with digital elements, the cybersecurity of these products for consumers and for businesses alike will be enhanced. This also includes requirements for placing on the market consumer products with digital elements intended for vulnerable consumers, such as toys and baby monitors.

European Cyber Resilience Act (CRA) European Cyber Resilience Act (CRA)

Update, May 2022 - European Cyber Resilience Act

According to the European Commission work programme for 2022, a proposal on a European cybersecurity resilience act (legislative) will be published in Q3 2022. The aim is to establish common standards for cybersecurity products.

According to the European Commission:

"The pandemic has served as a catalyst for the accelerating digitalisation of Europe and the world. The Commission will follow up on its path to the digital decade to deliver on the EU’s digital transformation by 2030. We are determined to lead the way in the global race for trustworthy, secure and human-centric technology. And we will work to reach agreement on and implement our proposals for a safe and secure internet, a European digital identity and on trustworthy Artificial Intelligence.

The single market remains at the core of an innovative, prosperous and future-oriented European economy. Strong and effective competition policy and enforcement are needed to contribute to a resilient recovery and the twin transitions. Against this background, the Commission has launched a review of competition policy to ensure that the various instruments are fit for purpose. We will also come forward with a single market emergency instrument to help prevent future disruptions.

Despite many challenges and disruptions, Europe came through the crisis in large part due to its innovative skills, its strong industrial base and its diversified and competitive supply chains. However, in a few strategic sectors, it has been vulnerable due to high dependency on a very limited number of non-EU suppliers, especially in relation to raw materials. This is particularly apparent when it comes to semi-conductors.

Supplies of these chips which power Europe’s digital solutions have become a real concern for EU industry, with cases of production being slowed down. Against this background, we will adopt a European chips act to promote a state-of-the-art European chip ecosystem to boost our innovative capacity, security of supply and develop new markets for ground-breaking European tech.

With the economy and society relying more and more on digital solutions, we need to ensure that we can defend ourselves in a world increasingly prone to hacking of connected products and associated services. To this end, we will propose a European cyber resilience act to establish common cybersecurity standards for products. We will also begin building an EU space-based global secure communications system, offering EU-wide broadband connectivity where it currently does not exist and secure and independent communications to Member States.

As the energy sector will be the biggest contributor in meeting the EU’s climate target of reducing emissions by at least 55 percent by 2030, the Commission will propose an action plan for an accelerated digital transformation of the sector, which is needed to ensure the shift towards renewables, connected mobility, smart buildings, and a more integrated energy system with consumers at its core. The wide-scale energy disruptions in the US and the EU over the past year show the need for resilient and cyber-secure energy.

For European citizens to benefit to the full from digital technology, the provision of strong digital skills and education is key. This was highlighted as distance learning became the norm during the COVID-19 pandemic. And it is highlighted as a key target in the Digital Compass. To address the skills and knowledge gaps, we will propose measures to facilitate and promote digital skills in schools and higher education.

Research and innovation will play a key role in responding to the challenges facing us today. It will help deliver on Europe's recovery, based on economic growth that can drive the green and digital transitions. This will be essential for fair economic growth benefiting all regions and citizens, including rural areas. It is important to ensure that Europe remains at the frontier of science and at the forefront of new waves of innovation.

Digital solutions can also help support more integrated and sustainable mobility. We will propose an initiative on multimodal digital mobility services to address market gaps in the combined use of transport modes, including rail."

The European Commission invites citizens and organisations to share their views on the European Cyber Resilience Act

16 March 2022 - The European Commission has launched a public consultation to gather the views and experiences of all relevant parties on the forthcoming European Cyber Resilience Act.

First announced by President von der Leyen in her State of the Union Address in September 2021, the Act seeks to establish common cybersecurity rules for digital products and associated services that are placed on the market across the European Union. The results of the public consultation will feed into the Commission's proposal for legislation that is expected in the second half of this year.

Thierry Breton, Commissioner for Internal Market, said:

To face today's diverse and sophisticated cyber-attacks we need advanced technology, secure infrastructure, and increased operational cooperation, as well as a common approach on cybersecurity benchmarks for products and services. We are looking forward to receiving input from all interested citizens and organisations to help us shape the new Cyber Resilience Act that will become a key part of the European strategic, policy and legislative framework in cybersecurity.

The Cyber Resilience Act will complement the existing EU legislative framework, which includes the Directive on the security of Network and Information Systems (NIS Directive) and the Cybersecurity Act, as well as the future Directive on measures for high common level of cybersecurity across the Union (NIS 2) that the Commission proposed in December 2020.

The public consultation will be open for the coming 10 weeks, until 25 May 2022. In addition, the Commission has published a call for evidence to create an overview of the problems currently identified and possible ways to address them. The call for evidence will be open for comments in parallel with the public consultation, also for 10 weeks.

Problem the initiative aims to tackle:

In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain. This can lead to severe disruption of economic and social activities or even become life threatening. The lack of appropriate security in digital products and ancillary services is one of the main avenues for successful attacks.

When placing digital products or services on the market, vendors (e.g. hardware manufacturers, software developers, distributors and importers) often do not put in place adequate cybersecurity safeguards. The reasons for this can include:

(i) wanting to benefit from being the first to put a product or service on the market, due to network effects present in ICT markets;

(ii) lack of qualified security professionals; and

(iii) additional costs combined with lack of economic incentives.

Similarly, vendors’ response to vulnerabilities throughout their products’ lifecycle is too often inadequate. Moreover, vendors do not systematically provide information on product security (due to the lack of economic incentives), making it difficult for consumers to inform themselves and assess the security of the products and services they are using.

The current EU framework applicable to digital products comprises several pieces of legislation, including EU legislation on specific products covering safety-related aspects and general legislation on product liability.

However, the current legislation covers only certain aspects linked to the cybersecurity of tangible digital products and, where applicable, embedded software concerning these products.

The EU regulatory framework on products (e.g. the General Product Safety Directive and the Machinery Directive, both currently under review) does not prescribe specific cybersecurity requirements, e.g. covering the whole life cycle of a product.

‘Whole life cycle’ requirements are crucial in the case of digital products and ancillary services, as software needs to be updated on a regular basis.

In addition, the existing framework does not cover all types of digital products. In particular, the current framework fails to cover a variety of widely used hardware (e.g. hardware not falling under the Radio Equipment Directive or the Medical Devices Regulation).

Moreover, non-embedded software products are not addressed in the current framework, even though vulnerabilities in software products are increasingly serving as a channel for cybersecurity attacks, causing significant societal and economic costs.

Ursula von der Leyen, European Commission President, 2021 State of the Union address.

"If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. [...] This is why we need a European Cyber Defence Policy, including legislation setting common standards under a new European Cyber Resilience Act."

Ursula von der Leyen, European Commission President, 2021 State of the Union address.

European Cyber Resilience Act

2021 State of the Union Address by President von der Leyen

Mr President, Honourable Members,

Many are the people who feel their lives have been on pause while the world has been on fast forward.

The speed of events and the enormity of the challenges are sometimes difficult to grasp.

This has also been a time of soul-searching. From people reassessing their own lives to wider debates on sharing vaccines and on shared values.

But as I look back on this past year, if I look at the state of the Union today, I see a strong soul in everything that we do.

It was Robert Schuman who said: Europe needs a soul, an ideal, and the political will to serve this ideal.

Europe has brought those words to life in the last twelve months.

In the biggest global health crisis for a century, we chose to go it together so that every part of Europe got the same access to a life-saving vaccine.

In the deepest global economic crisis for decades, we chose to go it together with NextGenerationEU.

And in the gravest planetary crisis of all time, again we chose to go it together with the European Green Deal.

We did that together as Commission, as Parliament, as 27 Member States. As one Europe. And we can be proud of it.

But corona times are not over.

There is still much grief in our society as the pandemic lingers. There are hearts we can never mend, life stories we can never finish and time we can never give back to our young. We face new and enduring challenges in a world recovering – and fracturing – unevenly.

So there is no question: the next year will be yet another test of character.

But I believe that it is when you are tested that your spirit – your soul - truly shines through.

As I look across our Union, I know that Europe will pass that test.

And what gives me that confidence is the inspiration we can draw from Europe's young people.

Because our youth put meaning into empathy and solidarity.

They believe we have a responsibility towards the planet.

And while they are anxious about the future, they are determined to make it better.

Our Union will be stronger if it is more like our next generation: reflective, determined and caring.

Grounded in values and bold in action.

This spirit will be more important than ever over the next twelve months. This is the message in the Letter of Intent I sent this morning to President Sassoli and Prime Minister Janša to outline our priorities for the year ahead.


Honourable Members,

A year is a long time in a pandemic.

When I stood in front of you 12 months ago, I did not know when – or even if – we would have a safe and effective vaccine against COVID-19.

But today, and against all critics, Europe is among the world leaders.

More than 70 per cent of adults in the EU are fully vaccinated. We were the only ones to share half of our vaccine production with the rest of the world. We delivered more than 700 million doses to the European people, and we delivered more than another 700 million doses to the rest of the world, to more than 130 countries.

We are the only region in the world to achieve that.

A pandemic is a marathon, not a sprint.

We followed the science.

We delivered to Europe. We delivered to the world.

We did it the right way, because we did it the European way. And it worked!

But while we have every reason to be confident, we have no reason to be complacent.

Our first – and most urgent – priority is to speed up global vaccination.

With less than 1% of global doses administered in low-income countries, the scale of injustice and the level of urgency are obvious. This is one of the great geopolitical issues of our time.

Team Europe is investing one billion Euro to ramp up mRNA production capacity in Africa. We have already committed to share 250 million doses.

I can announce today that the Commission will add a new donation of another 200 million doses by the middle of next year.

This is an investment in solidarity – but also in global health.

The second priority is to continue our efforts here in Europe.

We see worrisome divergences in vaccination rates in our Union.

So we need to keep up the momentum.

And Europe is ready. We have 1.8 billion additional doses secured. This is enough for us and our neighbourhood when booster shots are needed. Let's do everything possible to ensure that this does not turn into a pandemic of the unvaccinated.

The final priority is to strengthen our pandemic preparedness.

Last year, I said it was time to build a European Health Union. Today we are delivering. With our proposal we get the HERA authority up and running.

This will be a huge asset to deal with future health threats earlier and better.

We have the innovation and scientific capacity, the private sector knowledge, we have competent national authorities. And now we need to bring all of that together, including massive funding.

So I am proposing a new health preparedness and resilience mission for the whole of the EU. And it should be backed up by Team Europe investment of EUR 50 billion by 2027.

To make sure that no virus will ever turn a local epidemic into a global pandemic. There is no better return on investment than that.

Honourable Members,

The work on the European Health Union is a big step forward. And I want to thank this House for your support.

We have shown that when we act together, we are able to act fast.

Take the EU digital certificate:

Today more than 400 million certificates have been generated across Europe. 42 countries in 4 continents are plugged in.

We proposed it in March.

You pushed it!

Three months later it was up and running.

Thanks to this joint effort, while the rest of the world talked about it, Europe just did it.

We did a lot of things right. We moved fast to create SURE. This supported over 31 million workers and 2.5 million companies across Europe.

We learned the lessons from the past when we were too divided and too delayed.

And the difference is stark: last time it took 8 years for the Eurozone GDP to get back to pre-crisis levels.

This time we expect 19 countries to be at pre-pandemic levels this year with the rest following next. Growth in the euro area outpaced both the US and China in the last quarter.

But this is only the beginning. And the lessons from the financial crisis should serve as a cautionary tale. At that time, Europe declared victory too soon and we paid the price for that. And we will not repeat the same mistake.

The good news is that with NextGenerationEU we will now invest in both short-term recovery and long-term prosperity.

We will address structural issues in our economy: from labour market reforms in Spain, to pension reforms in Slovenia or tax reform in Austria.

In an unprecedented manner, we will invest in 5G and fibre. But equally important is the investment in digital skills. This task needs leaders' attention and a structured dialogue at top-level.

Our response provides a clear direction to markets and investors alike.

But, as we look ahead, we also need to reflect on how the crisis has affected the shape of our economy – from increased debt, to uneven impact on different sectors, or new ways of working.

To do that, the Commission will relaunch the discussion on the Economic Governance Review in the coming weeks. The aim is to build a consensus on the way forward well in time for 2023.

Honourable Members,

We will soon celebrate 30 years of the Single Market. For 30 years it has been the great enabler of progress and prosperity in Europe.

At the outset of the pandemic, we defended it against the pressures of erosion and fragmentation. For our recovery, the Single Market is the driver of good jobs and competitiveness.

That is particularly important in the digital single market.

We have made ambitious proposals in the last year.

To contain the gatekeeper power of major platforms;

To underpin the democratic responsibility of those platforms;

To foster innovation;

To channel the power of artificial intelligence.

Digital is the make-or-break issue. And Member States share that view. Digital spending in NextGenerationEU will even overshoot the 20% target.

That reflects the importance of investing in our European tech sovereignty. We have to double down to shape our digital transformation according to our own rules and values.

Allow me to focus on semi-conductors, those tiny chips that make everything work: from smartphones and electric scooters to trains or entire smart factories.

There is no digital without chips. And while we speak, whole production lines are already working at reduced speed - despite growing demand - because of a shortage of semi-conductors.

But while global demand has exploded, Europe's share across the entire value chain, from design to manufacturing capacity has shrunk. We depend on state-of-the-art chips manufactured in Asia.

So this is not just a matter of our competitiveness. This is also a matter of tech sovereignty. So let's put all of our focus on it.

We will present a new European Chips Act. We need to link together our world-class research, design and testing capacities. We need to coordinate EU and national investment along the value chain.

The aim is to jointly create a state-of-the-art European chip ecosystem, including production. That ensures our security of supply and will develop new markets for ground-breaking European tech.

Yes, this is a daunting task. And I know that some claim it cannot be done.

But they said the same thing about Galileo 20 years ago.

And look what happened. We got our act together. Today European satellites provide the navigation system for more than 2 billion smartphones worldwide. We are world leaders. So let's be bold again, this time with semi-conductors.

Honourable Members,

The pandemic has left deep scars that have also left their mark on our social market economy.

For nights on end, we all stood at our windows and doors to applaud critical workers. We felt how much we relied on all those women and men who work for lower wages, fewer protections and less security.

The applause may have faded away but the strength of feeling cannot.

This is why the implementation of the European Pillar of Social Rights is so important – to ensure decent jobs, fairer working conditions, better healthcare and better balance in people's lives.

If the pandemic taught us one thing, it is that time is precious. And caring for someone you love is the most precious time of all.

We will come forward with a new European Care Strategy to support men and women in finding the best care and the best life balance for them.

But social fairness is not just a question of time. It is also a question of fair taxation.

In our social market economy, it is good for companies to make profits. And they make profits thanks to the quality of our infrastructure, social security and education systems. So the very least we can expect is that they pay their fair share.

This is why we will continue to crack down on tax avoidance and evasion.

We will put forward a new initiative to address those hiding profits behind shell entities.

And we will do everything in our power to seal the historic global deal on minimum taxation.

Asking big companies to pay the right amount of tax is not only a question of public finances, but above all a question of basic fairness.

Honourable Members,

We have all benefited from the principles of our European social market economy – and we must make sure that the next generation can do so to build their future.

This is our most educated, talented and motivated generation. And it has missed out on so much to keep others safe.

Being young is normally a time of discovery, of creating new experiences. A time to meet lifelong friends, to find your own path. And what did we ask this generation to do? To keep their social distance, to stay locked down and to do school from home. For more than a year.

This is why everything that we do – from the European Green Deal to NextGenerationEU – is about protecting their future.

That is also why NextGenerationEU must be funded by the new own resources that we are working on.

But we must also caution against creating new divides. Because Europe needs all of its youth.

We must step up our support to those who fall into the gaps – those not in any kind of employment, education or training.

For them, we will put in place a new programme, ALMA.

ALMA will help these young Europeans to find temporary work experience in another Member State.

Because they too deserve an experience like Erasmus. To gain skills, to create bonds and help forge their own European identity.

But if we are to shape our Union in their mould, young people must be able to shape Europe's future. Our Union needs a soul and a vision they can connect to.

Or as Jacques Delors asked: How can we ever build Europe if young people do not see it as a collective project and a vision of their own future?

This is why we will propose to make 2022 the Year of European Youth. A year dedicated to empowering those who have dedicated so much to others.

And it is why we will make sure that young people can help lead the debate in the Conference on the Future of Europe.

This is their future and this must be their Conference too.

And as we said when we took office, the Commission will be ready to follow up on what is agreed by the Conference.


Honourable Members,

This is a generation with a conscience. They are pushing us to go further and faster to tackle the climate crisis.

And events of the summer only served to explain why. We saw floods in Belgium and Germany. And wildfires burning from the Greek islands to the hills in France.

And if we don't believe our own eyes, we only have to follow the science.

The UN recently published the IPCC report, the Intergovernmental Panel on Climate Change. It is the authority on the science of climate change.

The report leaves no doubt. Climate change is man-made. But since it is man-made, we can do something about it.

As I heard it said recently: It's warming. It's us. We're sure. It's bad. But we can fix it.

And change is already happening.

More electric vehicles than diesel cars were registered in Germany in the first half of this year. Poland is now the EU's largest exporter of car batteries and electric buses. Or take the New European Bauhaus that led to an explosion of creativity of architects, designers, engineers across our Union.

So clearly something is on the move.

And this is what the European Green Deal is all about.

In my speech last year, I announced our target of at least 55% emission reduction by 2030.

Since then we have together turned our climate goals into legal obligations.

And we are the first major economy to present comprehensive legislation in order to get it done.

You have seen the complexity of the detail. But the goal is simple. We will put a price on pollution. We will clean the energy we use. We will have smarter cars and cleaner airplanes.

And we will make sure that higher climate ambition comes with more social ambition. This must be a fair green transition. This is why we proposed a new Social Climate Fund to tackle the energy poverty that already 34 million Europeans suffer from.

I count on both Parliament and Member States to keep the package and to keep the ambition together.

When it comes to climate change and the nature crisis, Europe can do a lot. And it will support others. I am proud to announce today that the EU will double its external funding for biodiversity, in particular for the most vulnerable countries.

But Europe cannot do it alone.

The COP26 in Glasgow will be a moment of truth for the global community.

Major economies – from the US to Japan – have set ambitions for climate neutrality in 2050 or shortly after. These need now to be backed up by concrete plans in time for Glasgow. Because current commitments for 2030 will not keep global warming to 1.5°C within reach.

Every country has a responsibility!

The goals that President Xi has set for China are encouraging. But we call for that same leadership on setting out how China will get there. The world would be relieved if they showed they could peak emissions by mid-decade - and move away from coal at home and abroad.

But while every country has a responsibility, major economies do have a special duty to the least developed and most vulnerable countries. Climate finance is essential for them - both for mitigation and adaptation.

In Mexico and in Paris, the world committed to provide 100 billion dollars a year until 2025.

We deliver on our commitment. Team Europe contributes 25 billion dollars per year. But others still leave a gaping hole towards reaching the global target.

Closing that gap will increase the chance of success at Glasgow.

My message today is that Europe is ready to do more. We will now propose an additional 4 billion euro for climate finance until 2027. But we expect the United States and our partners to step up too.

Closing the climate finance gap together – the US and the EU – would be a strong signal for global climate leadership. It is time to deliver.

Honourable Members,

This climate and economic leadership is central to Europe's global and security objectives.

It also reflects a wider shift in world affairs at a time of transition towards a new international order.

We are entering a new era of hyper-competitiveness.

An era in which some stop at nothing to gain influence: from vaccine promises and high-interest loans, to missiles and misinformation.

An era of regional rivalries and major powers refocusing their attention towards each other.

Recent events in Afghanistan are not the cause of this change – but they are a symptom of it.

And first and foremost, I want to be clear. We stand by the Afghan people. The women and children, prosecutors, journalists and human rights defenders.

I think in particular of women judges who are now in hiding from the men they jailed. They have been put at risk for their contribution to justice and the rule of law. We must support them and we will coordinate all efforts with Member States to bring them to safety.

And we must continue supporting all Afghans in the country and in neighbouring countries. We must do everything to avert the real risk of a major famine and humanitarian disaster. And we will do our part. We will increase again humanitarian aid for Afghanistan by 100 million euro.

This will be part of a new, wider Afghan Support Package that we will present in the next weeks to combine all of our efforts.

Honourable Members,

Witnessing events unfold in Afghanistan was profoundly painful for all the families of fallen servicemen and servicewomen.

We bow to the sacrifice of those soldiers, diplomats and aid workers who laid down their lives.

To make sure that their service will never be in vain, we have to reflect on how this mission could end so abruptly.

There are deeply troubling questions that allies will have to tackle within NATO.

But there is simply no security and defence issue where less cooperation is the answer. We need to invest in our joint partnership and to draw on each side's unique strength.

This is why we are working with Secretary-General Jens Stoltenberg on a new EU-NATO Joint Declaration to be presented before the end of the year.

But this is only one part of the equation.

Europe can – and clearly should – be able and willing to do more on its own. But if we are to do more, we first need to explain why. I see three broad categories.

First, we need to provide stability in our neighbourhood and across different regions.

We are connected to the world by narrow straits, stormy seas and vast land borders. Because of that geography, Europe knows better than anyone that if you don't deal in time with the crisis abroad, the crisis comes to you.

Secondly, the nature of the threats we face is evolving rapidly: from hybrid or cyber-attacks to the growing arms race in space.

Disruptive technology has been a great equaliser in the way power can be used today by rogue states or non-state groups.

You no longer need armies and missiles to cause mass damage. You can paralyse industrial plants, city administrations and hospitals – all you need is your laptop. You can disrupt entire elections with a smartphone and an internet connection.

The third reason is that the European Union is a unique security provider. There will be missions where NATO or the UN will not be present, but where the EU should be.

On the ground, our soldiers work side-by-side with police officers, lawyers and doctors, with humanitarian workers and human rights defenders, with teachers and engineers.

We can combine military and civilian, along with diplomacy and development – and we have a long history in building and protecting peace.

The good news is that over the past years, we have started to develop a European defence ecosystem.

But what we need is the European Defence Union.

In the last weeks, there have been many discussions on expeditionary forces. On what type and how many we need: battlegroups or EU entry forces.

This is no doubt part of the debate – and I believe it will be part of the solution.

But the more fundamental issue is why this has not worked in the past.

You can have the most advanced forces in the world – but if you are never prepared to use them - of what use are they?

What has held us back until now is not just a shortfall of capacity – it is the lack of political will.

And if we develop this political will, there is a lot that we can do at EU level.

Allow me to give you three concrete examples:

First, we need to build the foundation for collective decision-making – this is what I call situational awareness.

We fall short if Member States active in the same region, do not share their information on the European level. It is vital that we improve intelligence cooperation.

But this is not just about intelligence in the narrow sense.

It is about bringing together the knowledge from all services and all sources. From space to police trainers, from open source to development agencies. Their work gives us a unique scope and depth of knowledge.

It is out there!

But we can only use that, to make informed decisions if we have the full picture. And this is currently not the case. We have the knowledge, but it is disjoined. Information is fragmented.

This is why the EU could consider its own Joint Situational Awareness Centre to fuse all the different pieces of information.

And to be better prepared, to be fully informed and to be able to decide.

Secondly, we need to improve interoperability. This is why we are already investing in common European platforms, from fighter jets, to drones and cyber.

But we have to keep thinking of new ways to use all possible synergies. One example could be to consider waiving VAT when buying defence equipment developed and produced in Europe.

This would not only increase our interoperability, but also decrease our dependencies of today.

Third, we cannot talk about defence without talking about cyber. If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. And we should not just be satisfied to address the cyber threat, but also strive to become a leader in cyber security.

It should be here in Europe where cyber defence tools are developed. This is why we need a European Cyber Defence Policy," including legislation on common standards under a new European Cyber Resilience Act.

European Cyber Resilience Act

European Cyber Resilience Act

So, we can do a lot at EU level. But Member States need to do more too.

This starts with a common assessment of the threats we face and a common approach to dealing with them. The upcoming Strategic Compass is a key process of this discussion.

And we need to decide how we can use all of the possibilities that are already in the Treaty.

This is why, under the French Presidency, President Macron and I will convene a Summit on European defence.

It is time for Europe to step up to the next level.

Honourable Members,

In a more contested world, protecting your interests is not only about defending yourself.

It is about forging strong and reliable partnerships. This is not a luxury – it is essential for our future stability, security and prosperity.

This work starts by deepening our partnership with our closest allies.

With the US we will develop our new agenda for global change – from the new Trade and Technology Council to health security and sustainability.

The EU and the US will always be stronger – together.

The same is true of our neighbours in the Western Balkans.

Before the end of the month, I will travel to the region to send a strong signal of our commitment to the accession process. We owe it to all those young people who believe in a European future.

This is why we are ramping up our support through our new investment and economic plan, worth around a third of the region's GDP. Because an investment in the future of the Western Balkans is an investment in the future of the EU.

And we will also continue investing in our partnerships across our neighbourhood – from stepping up our engagement in the Eastern Partnership to implementing the new Agenda for the Mediterranean and continuing to work on the different aspects of our relationship with Turkey.

Honourable Members,

If Europe is to become a more active global player, it also needs to focus on the next generation of partnerships.

In this spirit, today's new EU - Indo-Pacific strategy is a milestone. It reflects the growing importance of the region to our prosperity and security. But also the fact that autocratic regimes use it to try to expand their influence.

Europe needs to be more present and more active in the region.

So we will work together to deepen trade links, strengthen global supply chains and develop new investment projects on green and digital technologies.

This is a template for how Europe can redesign its model to connect the world.

We are good at financing roads. But it does not make sense for Europe to build a perfect road between a Chinese-owned copper mine and a Chinese-owned harbour.

We have to get smarter when it comes to these kinds of investments.

This is why we will soon present our new connectivity strategy called Global Gateway.

We will build Global Gateway partnerships with countries around the world. We want investments in quality infrastructure, connecting goods, people and services around the world.

We will take a values-based approach, offering transparency and good governance to our partners.

We want to create links and not dependencies!

And we know how this can work. Since the summer, a new underwater fibre optic cable has connected Brazil to Portugal.

We will invest with Africa to create a market for green hydrogen that connects the two shores of the Mediterranean.

We need a Team Europe approach to make Global Gateway happen. We will connect institutions and investment, banks and the business community. And we will make this a priority for regional summits – starting with the next EU-Africa Summit in February.

We want to turn Global Gateway into a trusted brand around the world.

And let me be very clear: doing business around the world, global trade – all that is good and necessary. But this can never be done at the expense of people's dignity and freedom.

There are 25 million people out there, who are threatened or coerced into forced labour. We can never accept that they are forced to make products – and that these products then end up for sale in shops here in Europe.

So we will propose a ban on products in our market that have been made by forced labour.

Human rights are not for sale – at any price.


And, Honourable Members, human beings are not bargaining chips.

Look at what happened at our borders with Belarus. The regime in Minsk has instrumentalised human beings. They have put people on planes and literally pushed them towards Europe's borders.

This can never be tolerated.

And the quick European reaction shows that. And rest assured, we will continue to stand together with Lithuania, Latvia and Poland.

And, let's call it what it is: this is a hybrid attack to destabilise Europe.

Honourable Members,

These are not isolated events. We saw similar incidents at other borders. And we can expect to see it again. This is why, as part of our work on Schengen, we will set out new ways to respond to such aggression and ensure unity in protecting our external borders.

But as long as we do not find common ground on how to manage migration, our opponents will continue to target that.

Meanwhile, human traffickers continue to exploit people through deadly routes across the Mediterranean.

These events show us that every country has a stake in building a European migration system.

The New Pact on Migration and Asylum gives us everything we need to manage the different types of situations we face.

All the elements are there. This is a balanced and humane system that works for all Member States - in all circumstances. We know that we can find common ground.

But in the year since the Commission presented the Pact, progress has been painfully slow.

I think, this is the moment now for a European migration management policy. So I urge you, in this House and in Member States, to speed up the process.

This ultimately comes down to a question of trust. Trust between Member States. Trust for Europeans that migration can be managed. Trust that Europe will always live up to its enduring duty to the most vulnerable and most in need.

There are many strongly held views on migration in Europe but I believe the common ground is not so far away.

Because if you ask most Europeans, they would agree that we should act to curb irregular migration but also act to provide a refuge for those forced to flee.

They would agree that we should return those who have no right to stay. But that we should welcome those who come here legally and make such a vital contribution to our society and economy.

And we should all agree that the topic of migration should never be used to divide.

I am convinced that there is a way that Europe can build trust amongst us when it comes to migration.

Honourable Members,

Societies that build on democracy and common values stand on stable ground.

They have trust in people.

This is how new ideas are formed, how change happens, how injustices are overcome.

Trust in these common values brought our founders together, after World War Two.

And it is these same values that united the freedom fighters who tore down the Iron Curtain over 30 years ago.

They wanted democracy.

They wanted the freedom to choose their government.

They wanted the rule of law and for everyone to be equal before the law.

They wanted freedom of speech and independent media. To no longer be spied on by their governments.

They wanted to combat corruption. And the freedom to be different from the majority.

Or, as former Czech President Václav Havel put it, they wanted all those "great European values". These values come from the cultural, religious and humanist heritage of Europe.

They are part of our soul, part of what defines us today.

These values are now enshrined in our European treaties. This is what we all signed up to when we became part of this Union as free and sovereign countries.

We are determined to defend these values. And we will never waver in that determination.

Our values are guaranteed by our legal order and safeguarded by the judgments of the European Court of Justice. These judgments are binding. We make sure that they are respected. And we do so in every Member State of our Union.

Because protecting the rule of law is not just a noble goal. Protecting the rule of law is also hard work and a constant struggle for improvement.

Our Rule of Law reports are part of this process, with for example justice reforms in Malta or corruption inquiries in Slovakia.

And from 2022, our Rule of Law reports will come with specific recommendations to Member States.

Nevertheless, there are worrying developments in certain Member States. Let me be clear: dialogue always comes first. But dialogue is not an end in itself, it should lead to results.

This is why we take a dual approach of dialogue and decisive action. This is what we did last week. And this is what we will continue to do.

Because people must be able to rely on the right to an independent judiciary. The right to be treated equally before the law. Everywhere in Europe. Whether you belong to a majority or a minority.

Honourable Members,

The European budget is the future of our Union cast in figures.

That is why it must be protected. We need to ensure that every euro and every cent is spent for its proper purpose and in line with rule of law principles.

Investments that enable our children to have a better future must not be allowed to seep away into dark channels.

Corruption is not just taxpayer money stolen. It is investors scared off, big favours bought by big money and democracy undermined by the powerful.

When it comes to protecting our budget, we will pursue every case, with everything in our power.

Honourable Members,

Defending our values is also defending freedom. Freedom to be who you are, freedom to say what's on your mind, freedom to love whoever you want.

But freedom also means freedom from fear. And during the pandemic, too many women were deprived of that freedom. It was an acutely terrifying time for those with nowhere to hide, nowhere to escape from their abusers. We need to shed light on this darkness, we need to show ways out of the pain. Their abusers must be brought to justice.

And those women must have their freedom and their self-determination back.

This is why by the end of year, we will propose a law to combat violence against women – from prevention to protection and effective prosecution, online and offline.

It is about defending the dignity of each individual. It is about justice. Because this is the soul of Europe. And we must make it even stronger.

Honourable members,

Allow me to finish with one of the freedoms that gives voice to all other freedoms – media freedom.

Journalists are being targeted simply for doing their job. Some have been threatened, some beaten and, tragically, some murdered. Right here, in our European Union.

Let me mention some of their names: Daphné Caruana Galizia. Ján Kuciak. Peter de Vries.

The details of their stories may be different but what they have in common is that they all fought and died for our right to be informed.

Information is a public good. We must protect those who create transparency – the journalists. That is why today we have put forward a recommendation to give journalists better protection.

And we need to stop those who threaten media freedom. Media companies cannot be treated as just another business. Their independence is essential. Europe needs a law that safeguards this independence – and the Commission will deliver a Media Freedom Act in the next year.

Defending media freedom means defending our democracy.


Honourable Members,

Strengthening Schuman's European ideal that I invoked earlier is a continuous work.

And we should not hide away from our inconsistencies and imperfections.

But imperfect as it might be, our Union is both beautifully unique and uniquely beautiful.

It is a Union where we strengthen our individual liberty through the strength of our community.

A Union shaped as much by our shared history and values as by our different cultures and perspectives.

A Union with a soul.

Trying to find the right words to capture the essence of this feeling is not easy. But it is easier when you borrow them from someone who inspires you. And this is why I have invited a guest of honour to be with us today.

Many of you might know her – a gold medallist from Italy who captured my heart this summer.

But what you might not know is that only in April, she was told her life was in peril. She went through surgery, she fought back, she recovered.

And only 119 days after she left the hospital, she won Paralympic gold. Honourable Members, please join me in welcoming Beatrice Vio. Bebe has overcome so much, so young.

Her story is one of rising against all odds. Of succeeding thanks to talent, tenacity and unrelenting positivity. She is in the image of her generation: a leader and an advocate for the causes she believes in.

And she has managed to achieve all of that by living up to her belief that - if it seems impossible – then it can be done. Se sembra impossibile, allora si può fare.

This was the spirit of Europe's founders and this is the spirit of Europe's next generation. So let's be inspired by Bebe and by all the young people who change our perception of the possible.

Who show us that you can be what you want to be. And that you can achieve whatever you believe.

Honourable Members:

This is the soul of Europe.

This is the future of Europe.

Let's make it stronger together.

Viva l'Europa.

Cyber Risk GmbH, some of our clients