• The EU would like to thank you Chair for driving the OEWG discussion on the implementation of the norms of responsible state behaviour and for enabling us to deepen our common understanding on the norms of responsible state behaviour.
• While we made significant progress as reflected in the APR, we still have work to do on implementing the existing norms and incorporate its implications and practices into our national policies and legislation.
• Against this background, we strongly welcome the reference to the Checklist of Practical Actions for the implementation of voluntary, non-binding norms of responsible State behaviour in the use of ICTs.
• Also the 2021 GGE report provides a good basis for further efforts to implement and therefree needs to be flagged in the report. Our urgent task is to absorb what we have agreed until now. Implementation of the existing norms will also determine if and whether a reflection on developing new norms is actually needed. In order to make sure we set our priorities, the report should present these distinctions in the right order. We therefore suggest to redraft paragraph 30 (A), (I) and 33.
• Regarding existing norms that we could further examine, we underscore the need to focus on Norms 13 c, f, g and h) calling for the protection of all critical infrastructure supporting essential services to the public, in particular medical and healthcare facilities as well as cooperation between States for this purpose.
• Malicious cyber activities require a whole-of-government response, as they have the potential to affect a nation’s economy, society and national security, as well as individuals. We therefore welcome the recommendation in the Checklist to put in place cooperation between national cybersecurity authorities and the diplomatic community under norm b[1].
• As regards norms implementation, regional organisations have already done a lot of valuable work from which all States can benefit. For example, the work of the ARF and OSCE on the protection of critical infrastructure, the work of ASEAN on the norms roadmap as well as the work of the OAS in continuously enhancing the resilience of their memberships. A continued, in-depth exchange between the OEWG and regional organisations as well as between regional organisations is therefore essential. We would like to see the second sentence of former paragraph 30 to be reinstated:
• “In this regard, the OEWG Chair could invite relevant experts from regional and sub-regional organizations, businesses, non-governmental organizations and academia, with due consideration given to equitable geographical representation, to give briefings at these discussions”.
• We also welcome the recognition of the crucial role that the private sector plays in strengthening cyber resilience, as the vast majority of ICTs and related services are provided, maintained and used by private actors and civil society. One of the key elements to protecting and identifying critical infrastructure from ICT threats is therefore establishing a trusted exchange between critical infrastructure operators and relevant government authorities, which ultimately must be involved in the effort to successfully implement norms.
• The regular institutional dialogue should therefore give high priority to the cooperation with and involvement of the multi-stakeholder community.Mr. Chair, these are just mere examples where we see the possibility to further strengthen our cooperation, building on your Norms Checklist. Discussions on the implementation of norms will not only make our exchanges more effective but will also enable us to increase our concrete efforts to enhance cyber security.

===

• Dear Chair,
• We underline, as we and many others have done before, that activities in cyberspace are subject to law, and that international law applies online as it does offline. Denying the existing constraints on states’ activities in cyberspace undermines the work of the UN to date, and risks international security and stability. Our task ahead is to implement and consider how the existing obligations apply, rather than rush into developing more obligations. Needless to say, not undertaking malicious cyber activities that run counter to these obligations is our first task.
• In this light Mr. Chair, let me turn to some specific textual proposals:

• International humanitarian law occupied a significant place in discussions on international law in our last year's work.  Of particular note in this regard is the cross-regional working paper submitted by 13 UN Member States in March 2024, which underlined that IHL applies to cyber operations executed in the context of, and in relation to an international or non-international armed conflict.
• We also welcome the cross-regional working paper submitted by [Australia, Colombia, El Salvador, Estonia, Uruguay] five states which very well captures the key elements of what has been discussed at the OEWG, including those relating to international humanitarian law, international human rights law and the law of state responsibility[2]:
• To further reflect our discussions and make progress on this important issue, reflecting the discussions held over the past year, we  propose the addition of paragraph under Paragraph 36 of the REV1 Daft APR 2024 between letters e) and f): (The Report of the 2021 GGE, A/76/135, para 71(f), consensus GA resolution 76/19 serves as a basis for this text).
• “Reaffirmed that international humanitarian law, including the established international legal principles of humanity, necessity, proportionality and distinction, applies to cyber operations executed in the context of and in relation to an armed conflict. Consistent with international humanitarian law, parties to an armed conflict must not conduct cyberattacks against civilian objects or civilians. Acknowledging that international humanitarian law applies to the use of ICTs in armed conflict does not in any way encourage or legitimise armed conflict .”
• And, to add in an additional paragraph that the OEWG “Reaffirmed uses of ICTs by States that breach their international legal obligations amount to internationally wrongful acts, for which those States bear international legal responsibility. Responsible States are under an obligation to make full reparation for the injury caused by the internationally wrongful acts.”

• We would also like to include language in the section on concrete, action-oriented proposals (Paragraph 37 REV 1 Draft APR 2024):
• “States made proposals on how to continue discussions on the application of international humanitarian law to cyber operations in situations of armed conflict. These proposals are crucial to ensure that States find common understandings  of how IHL applies to cyber operations occurring in the context of an armed conflict”.
• Further regarding paragraph 36, in subparagraph (a), we would like to end the paragraph with the sentence “The exercise of such jurisdiction is subject to States’ obligations under international law, including international human rights law.”
• In addition to international humanitarian law, the OEWG devoted significant attention to the principle of due diligence in its deliberations. We call on the Chair to also reflect these deliberations in the 2024 APR.
• We support paragraph 38, which calls for a full intersessional meeting with the participation of legal advisors to have further discussions and build on the current momentum. We are of the view that a dedicated intersessional meeting over several days on this issue later this year would help carry it forward. The detailed and focused discussions held in this room over the past years, together with the volume of national statements detailing national views on the applicability of international law to cyberspace, and the consensus views in the 2021 OEWG Report on its applicability, show the need and willingness to continue exchanging detailed views on how international law applies.
• We would also like to add our voice to the many others who have called for scenario based discussions on how international law applies as a practical way to continue to build common understandings. It is a valuable exercise to exchange views and ascertain common understandings regarding their international legal obligations.
• Mr. Chair, the EU look forward to our continued discussions on this important matter and thank you again for your efforts on this.

[1] Norm b: In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences.

[2] 240530_-_Cyber_OEWG_-_Working_paper_on_the_application_of_international_law_in_the_use_of_ICTs_-_submitted_by_a_group_of_States.pdf (unoda.org)