The digital battlefield: EU-China cybersecurity diplomacy in the 21st century – Part II

#CriticalThinking

Global Europe

Dr Cristina Vanberghen

Senior Expert at the European Commission, Professor (Fellow) at the European University Institute and Florence Member at McGill University's Centre for Intellectual Property Policy

The global cybersecurity landscape presents a paradox for EU-China relations: mutual vulnerabilities to cybercrime, hybrid threats and supply chain risks demand collaboration, yet divergent governance models pose significant obstacles. This two-part article examines the potential for strategic cooperation, drawing on the European Union’s ‘White Paper for European Defence – Readiness 2030’ and broader diplomatic initiatives. Through an analysis of shared interests, existing multilateral efforts and policy recommendations, it argues that pragmatic collaboration can transform cybersecurity into a stabilising force in EU-China relations, with broader implications for global digital governance. Read the first part here.


The world’s digital infrastructure is under constant threat. Hybrid attacks are blurring the lines between war and peace, and supply chains are buckling under invisible pressures. For the European Union and China, this chaos presents both a shared challenge and a rare opportunity for collaboration. Unlike the United States, which forged a landmark cyber pact with China in 2015, the EU has no such formal agreement, leaving their digital partnership fragile and fraught with mistrust.[1]

The 2015 US-China cybersecurity agreement set a precedent by committing both nations to timely responses on malicious cyber activities, abstaining from cyber-enabled intellectual property theft, promoting global norms for state behaviour in cyberspace and establishing a high-level dialogue to combat cybercrime. The EU, however, has taken a softer approach with China, relying on dialogue rather than binding commitments. Since 2012, the EU-China Cyber Task Force has aimed to bridge gaps, reduce misperceptions and explore cooperation on issues like international law, confidence-building measures and responsible cyber behaviour.[2] Its seventh meeting in Beijing in January 2020 tackled topics such as the cyberspace landscape, international rule-making, 5G and the digital economy.[3] The 2013 EU-China 2020 Strategic Agenda for Cooperation[4] also expressed a shared vision for a peaceful, secure and open cyberspace, leaning on platforms like the Cyber Task Force to build trust. Additionally, the Sino-European Cyber Dialogue seeks to enhance transparency and identify collaborative opportunities.[5]

Yet, this partnership stumbles over a fundamental rift in cyberspace governance. China champions sovereignty and non-interference, asserting that nations should not meddle in each other’s cyber policies or threaten national security – a view that clashes with the EU’s commitment to an open, free and secure internet grounded in international law, privacy and human rights. The EU’s 2013 Cybersecurity Strategy prioritised a free and open internet while China frames cybersecurity as a matter of technological safety and political stability, contrasting with the EU’s focus on resilience and data protection.[6]

Tensions flare further over alleged Chinese cyber misconduct. In 2021, the EU condemned attacks like the Microsoft Exchange Server compromise, which it linked to Chinese territory, accusing perpetrators of targeting EU institutions, member states and industries for intellectual property theft and espionage.[7] Unlike the US and UK, which directly blamed Chinese state-backed groups, the EU took a more diplomatic stance, urging China to curb such activities and adhere to international norms without pointing fingers at Beijing.[8] This cautious approach underscores the EU’s preference for dialogue over confrontation, but it also highlights the limits of trust.

Strategic mistrust, clashing values and the challenge of uniting 27 EU member states on a cohesive strategy have stalled progress towards an EU-China cyber pact. Compared to the EU’s robust transatlantic cyber cooperation with the US, its efforts with China remain underdeveloped.


In the end, the EU and China are caught in a digital limbo – neither true allies nor outright rivals. Dialogues like the EU-China Cyber Task Force and Sino-European Cyber Dialogue offer a flicker of hope, but deep-seated differences in governance and persistent concerns over Chinese cyber activities make a comprehensive agreement a distant prospect. As the digital warzone grows more perilous, the EU must decide whether to double down on diplomacy or draw a harder line against a partner it can’t fully trust.

EU and China’s cyber dance: allies or rivals in the digital trenches?

In the intensifying digital battleground of the 21st century – where cyberattacks, economic coercion and technological competition define power dynamics – the EU has responded with two pivotal strategies: the “European Defence Readiness 2030” and the “EU’s Preparedness Union Strategy”. Released in March 2025, just a week apart, these initiatives represent the EU’s urgent drive for resilience and strategic autonomy amid mounting tensions with systemic rivals, most notably China – a global leader in hybrid warfare and cyber influence.

The “European Defence Readiness 2030”, presented through the White Paper for European Defence on March 19, outlines an ambitious €800bn investment plan to rearm Europe by the end of the decade. This strategy targets key capability gaps – such as drones, air defence and AI-driven systems – while aiming to reduce dependence on non-European technologies. Although largely focused on Russia’s aggression, the plan clearly anticipates long-term competition with China, whose technological rise and military modernisation pose strategic challenges to Europe’s industrial and security architecture.

Cybersecurity, once treated as a technical concern, now features prominently. The White Paper elevates it to a cornerstone of defence policy, acknowledging cyber dominance as a decisive front in EU-China relations. It warns of “authoritarian states like China” seeking influence over European economies and societies, and it frames China’s rise as both a systemic and strategic threat – rooted in contrasting governance models and a pursuit of technological supremacy.

Complementing this is the “EU’s Preparedness Union Strategy”, launched on 26 March. It adopts a broader lens, emphasising non-military resilience against cyberattacks, disinformation and economic pressure tactics. Inspired by the Niinistö Report’s call for “preparedness by design”, the strategy outlines 30 actions to strengthen societal resilience, including horizon scanning for emerging threats like quantum hacking, and enhancing public-private cooperation. Unlike the defence-heavy White Paper, this approach focuses on civilian and economic vulnerabilities – an essential counterpart in countering China’s non-kinetic playbook.

Together, these documents form a two-pronged response to the EU’s cybersecurity challenge. The “Defence Readiness 2030” builds the Union’s hard power and technological muscle, while the “EU’s Preparedness Union Strategy” tackles today’s more nebulous, hybrid threats. Yet, both underscore a common dilemma: can a consensus-driven, soft-power bloc act decisively enough to counter China’s strategic ambiguity and cyber assertiveness?

Central to the EU’s defence vision is the ReArm Europe Plan, supported by financial tools like the Security Action for Europe (SAFE) loan mechanism. It aims to supercharge innovation and industrial competitiveness, placing cybersecurity at the heart of European defence policy. Proposed measures include investments in AI and quantum computing, as well as a voluntary scheme for developing offensive cyber capabilities – a notable shift toward deterrence.

A new diplomatic frontier

This evolving posture isn’t just about technology or defence spending – it’s a recalibration of EU-China relations in the digital era. As China expands its ‘Digital Silk Road’ and asserts global cyber influence, the EU is moving to protect its critical infrastructure and economic sovereignty. The White Paper captures this urgency, warning that cyber resilience may ultimately determine the integrity of military mobility, border security and civilian systems increasingly targeted by foreign actors.


At stake is more than just digital security. The EU’s approach to AI, data privacy and internet governance stands in sharp contrast to China’s model of state control and surveillance. This philosophical divide – privacy versus sovereignty – complicates cooperation, creating a diplomatic impasse. While the EU explores privacy-preserving AI for threat detection, China deploys similar technologies to reinforce state power. Meanwhile, US pressure adds another layer, urging Brussels to remain wary of Beijing’s intentions.

Can the EU’s Strategic Frameworks effectively mitigate Chinese cyberattacks on European infrastructure?

The “White Paper for European Defence – Readiness 2030” and the “EU’s Preparedness Union Strategy” together mark a decisive shift in Europe’s posture – from digital vulnerability to digital assertiveness. They reflect a growing recognition that cyber warfare is not tomorrow’s problem – it is today’s battlefield. For the EU, the challenge is not just defending its networks, but redefining its role in a world where technological power is the new currency of diplomacy. In this contest, the Union is no longer content to play catch-up. It’s preparing to push back.

The “EU’s Preparedness Union Strategy” represents a well-intentioned yet strategically insufficient framework for addressing the evolving cyber threat landscape posed by the People’s Republic of China. While the initiative aspires to safeguard European digital infrastructure – responding to incidents such as the cyberattack on Portugal’s EDP energy grid in 2021 or the 2018 industrial espionage targeting German carmaker BMW – the strategy is overly reliant on static, defence-oriented mechanisms. This reactive posture evokes an unfortunate historical parallel: France’s Maginot Line, whose imposing fortifications failed to prevent German forces from circumventing static defences by exploiting alternative invasion routes through Belgium. Similarly, China’s cyber operations are unlikely to engage the EU’s protective structures head-on but will instead exploit systemic vulnerabilities – be they technological, institutional or economic.

A key pillar of the “EU’s Preparedness Union Strategy” is its emphasis on “horizon scanning,” aimed at preemptively identifying emerging threats, including AI-generated malware and quantum-enabled decryption techniques. However, this approach underestimates the strategic sophistication of Chinese cyber operations, which thrive on ambiguity and deniability. Beijing’s use of intermediary actors – whether “patriotic hackers”, proxy organisations or third-party infrastructures – complicates attribution and dilutes accountability. The cyberattack and cyberespionage on the Dutch defence in 2024 exemplifies this problem.[9]

Moreover, the strategy’s reliance on voluntary public-private cooperation reflects a dangerously optimistic reading of market behaviour. Despite years of political debate, an estimated 40% of EU 5G infrastructure continues to rely on Huawei components.[10] The 2023 breach involving a German supplier highlighted the enduring conflict between profit incentives and security imperatives, as corporate actors prioritised short-term economic benefits over long-term strategic resilience. Without the imposition of mandatory cybersecurity standards, accompanied by enforceable penalties – including civil liability for negligence – private sector compliance is likely to remain fragmented and insufficient.

Critically, the strategy isolates cyber threats from the broader geopolitical context in which they are embedded. China’s approach to cyber conflict is neither isolated nor exclusively technical; rather, it is an integrated component of a broader statecraft arsenal that includes economic coercion – as evidenced by the trade retaliation against Lithuania in 2021 – industrial espionage, exemplified by the APT10 infiltration of Airbus, and systematic supply-chain manipulation.[11] The EU’s compartmentalised treatment of cyber risks as discrete technical challenges, rather than manifestations of geopolitical rivalry, leaves European infrastructure dangerously exposed to multifaceted and synchronised campaigns.

A credible European response must shift from a paradigm of passive defence to one of active cost-imposition. The Union should adopt real-time exposure and disruption strategies, including the public attribution of state-sponsored Advanced Persistent Threat (APT) groups, the controlled release of technical indicators and malware samples and the blacklisting of front companies known to facilitate cyber operations. Additionally, an automatic sanctions mechanism should be instituted, triggering economic countermeasures against strategically significant Chinese exports – ranging from rare earth elements to luxury goods – within 72 hours of verified cyberattacks. Prohibitions should also extend to any contracts involving enterprises with ties to the People’s Liberation Army’s cyber units.

Legal instruments must likewise be leveraged. The EU should pursue litigation against Chinese corporate entities implicated in intellectual property theft and human rights violations, while establishing a compensation fund designed to empower European companies to initiate private legal actions against foreign actors complicit in cyberattacks.

In its current form, the Preparedness Union Strategy may offer partial mitigation against low-level threats, but it is structurally ill-equipped to counter China’s coordinated hybrid campaigns. The failure of the Maginot Line was not a failure of engineering, but of strategic imagination – a failure to recognise and adapt to the fluidity of adversary tactics. Europe now faces a comparable dilemma: whether to invest in ever-higher digital fortifications or to cultivate the capacity for credible and immediate retaliation. Without the latter – anchored in swift policy responses, unified legal-economic instruments, and a resolute political will – the EU’s cyber strategy risks becoming little more than a digital Potemkin village: formidable in appearance, yet devoid of substantive resilience.

The enduring lesson is clear: a strategy of defence alone is a strategy of defeat.


Bridging the EU-China cybersecurity gap: a herculean task

Aligning EU and China on cybersecurity feels like herding cats – divergent priorities, fragile trust, and heavy geopolitical baggage make it a daunting challenge. Yet, inaction is not an option; cyberattacks cost the global economy $6tn in 2021, according to Cybersecurity Ventures, with hybrid threats and supply chain breaches adding to the burden. Both regions have significant stakes, and there’s a strategic roadmap to navigate this complex landscape. Here’s how they can transform tension into progress:

  • Dialogue and exchange – launch a cyber roadshow: while talk may be cheap, understanding is invaluable. A travelling summit, alternating between Beijing and Brussels, could foster collaboration among academics, coders and policymakers. The EU’s CyberNet project already trains experts globally, and China boasts a formidable tech talent pool. By pairing these experts to analyse real-world cases, such as the 2021 SolarWinds hack,[12] which affected both Western and Chinese-linked firms, best practices could emerge. The EU-Japan Cybersecurity Dialogue, active since 2018, has successfully produced joint training programmes, demonstrating the potential of cross-border collaboration.[13]
  • Crisis management – establish a cyber hotline: when the next major breach occurs – like a Volt Typhoon-style attack on power grids – blame games won’t suffice. A 24/7 hotline for sharing intelligence and coordinating responses could prevent chaos from escalating. NATO’s Cyber Rapid Reaction Team, launched in 2019, has effectively defused live incidents across Europe by quickly pooling data. The EU and China could adapt this model, building on their 2020 Digital Dialogue commitment to enhance cooperation on cyber incidents. This is about ensuring critical infrastructure remains operational.
  • AI collaboration – focus on cybercriminals, not citizens: AI is a double-edged sword – China uses it for surveillance, while the EU employs it to detect threats. The focus should be on non-controversial applications, like combating ransomware. The EU’s AI Act identifies cybercrime-fighting tools as “high risk” but allows their use with oversight. China has used AI to crack down on crypto scams since 2022. A joint project, such as an open-source algorithm to trace phishing networks, could avoid surveillance pitfalls while targeting shared threats. INTERPOL’s Global Cybercrime Programme, involving 190 countries including China and EU states, exemplifies successful tech-driven collaboration.[14]
  • Sustained engagement – leverage the digital dialogue: the EU-China Digital Dialogue, active since 2020, is more than a photo opportunity – it’s a long-term trust-building exercise. Use it to forge small, concrete agreements, such as a no-hack pact for hospitals or a shared alert system for supply chain breaches. The UN’s 2021 cyber norms, endorsed by both, prohibit attacks on critical infrastructure; this could be the next step. Progress is achievable: the EU-US Trade and Tech Council, launched in 2021, has already aligned cyber policies across the Atlantic. Small steps here could lead to significant advancements.

By focusing on these strategic initiatives, the EU and China can begin to bridge their cybersecurity gap, fostering a more secure digital future for both regions.

The future: digital Cold War or truce?

The stakes are high. The EU’s strategic policies aim to prepare Europe for a range of threats, from Russian aggression to China’s digital ambitions. China, in turn, views cyberspace as a strategic domain to assert its influence without military conflict. Failure to find common ground could lead to a digital Cold War, with fortified firewalls and divided alliances.

However, a successful collaboration could stabilise the digital landscape, leading to safer infrastructure, stronger defences against cybercrime and the potential for global norms that aren’t dictated by a single superpower. The urgency is clear – cyber threats won’t wait for diplomatic breakthroughs. Will the EU and China rise to the challenge, or continue their shadowboxing in the digital arena? Pragmatism may be the key to turning this standoff into a productive partnership.

 

[1] U.S.-China Cybersecurity Cooperation, available at: https://digital.library.unt.edu/ark:/67531/metadc795686/

[2] Information available at: https://www.eeas.europa.eu/sites/default/files/eu_china_factsheet.pdf

[3] The 7th China-EU Cyber Taskforce was Held in Beijing, January 13, 2020 available at: https://www.mfa.gov.cn/eng/wjb/zzjg_663340/jks_665232/jkxw_665234/202406/t20240606_11405091.html

[4] EU-China 2020 Strategic Agenda for Cooperation available at: https://www.eeas.europa.eu/delegations/china/eu-china-2020-strategic-agenda-cooperation_en?s=166

[5] “CICIR and DSI Jointly Hosted the 10th Meeting of the Sino-European Cyber Dialogue” available at: http://www.cicir.ac.cn/NEW/en-us/event.html?id=594a6c6f-ce83-4093-b5b2-b68f29cb5642 

[6] “EXCHANGING IDEAS ON EU-CHINA RELATIONS: AN INTERDISCIPLINARY APPROACH” at p17 available at https://www.coleurope.eu/sites/default/files/research-paper/eu-china_observer_issue419_0.pdf

[7] Information available at: https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking  

[8] “The EU must respond to Chinese efforts to change the rules-based order” available at: https://www.europarl.europa.eu/news/en/press-room/20231208IPR15781/the-eu-must-respond-to-chinese-efforts-to-change-the-rules-based-order

[9] Pierluigi Paganini, “China-linked APT deployed malware in a network of the Dutch Ministry of Defence” 2024, available at:  https://securityaffairs.com/158765/apt/china-linked-apt-dutch-mod.html 

[10] Iain Morris, “Huawei has hardly been weakened in European 5G, data shows” 2025, available at https://www.lightreading.com/5g/huawei-has-hardly-been-weakened-in-european-5g-data-shows 

[11] Western technology firms targeted by Chinese threat actors, 2019, available at: https://cert.europa.eu/publications/threat-intelligence/threat-memo-190702-1/pdf 

[12] Dina Temple-Raston, “‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack,” 2021, available at: https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

[13] Cyber: EU and Japan hold 6th Cyber Dialogue in Tokyo, 2024, information available at: https://www.eeas.europa.eu/eeas/cyber-eu-and-japan-hold-6th-cyber-dialogue-tokyo_en

[14] Cybercrime Short strategy EN information available at:  https://www.interpol.int/en/Crimes/Cybercrime


The views expressed in this #CriticalThinking article reflect those of the author(s) and not of Friends of Europe.
