An interview with Bart Groothuis — the man writing the EU’s cybersecurity laws

Bart Groothuis has become one of the European Union’s most significant voices on cybersecurity since becoming a Member of the European Parliament (MEP) just over three years ago. These days his concerns range from a legal proposal in Brussels that would allow the EU to stockpile cybersecurity vulnerabilities, through to the continent needing its own version of the Five Eyes intelligence alliance to become an effective actor on the world stage.

Before joining the European Parliament in 2020, Groothuis served as the head of cybersecurity for the Dutch Ministry of Defence. He told The Record that he had loved the job, enjoyed his colleagues, and found the work itself “terrifically interesting.” So when his political party — the Volkspartij voor Vrijheid en Democratie (VVD) — told him it was “looking for someone who knew how modern wars were being fought” and asked him to think about running as their candidate in the European parliamentary elections, he said no.

VVD asked again, and Groothuis again declined. But Groothuis and his colleagues — both at the Ministry of Defence and in the wider cybersecurity community — were frustrated by the way that European and Dutch authorities were responding to cyberattacks. In particular, when analysts identified hackers behind specific incidents, Groothuis felt there was an insufficient response. “There were no sanctions and we weren’t always imposing costs on the attackers,” he said.

Even a decade after a major cyberattack attributed to Iran involving the country’s root certificate authority, Dutch businesses and government agencies hadn’t gotten its act together, he said.

“CEOs weren’t paying attention to cybersecurity,” said Groothuis. “It needs to be what they call in Germany Chefsache [a matter for the boss], it needs C-level attention, but despite these debates and calls from experts this never truly materialized,” he said.

He found it frustrating to visit companies to tell them they had been hacked and their intellectual property had been stolen only to discover how basic the security measures were that the businesses were employing. He began to think that legislation was necessary.

The cybersecurity community was also being hampered by clumsy interpretations of the EU’s General Data Protection Regulation (GDPR) which lawyers claimed prohibited the sharing of Whois data — an essential tool for cybersecurity investigators. “I thought that was ridiculous, because GDPR did not have that intention or substance,” said Groothuis. The next time they asked, he agreed to stand for the VVD.

Following Brexit in January 2020, new seats opened up in the European Parliament, vacated by British MEPs. Groothuis joined just as Parliament was looking for a new rapporteur — an MEP elected by their colleagues to represent the whole body on specific issues — to take the reins on cybersecurity legislation.

“I lobbied my best and Parliament appointed me as the rapporteur on cybersecurity, which I was very grateful for,” he told The Record. He quickly began negotiating the revisions of the Network and Information Security (NIS2) directive, which had covered mandatory reporting and minimum security requirements for critical infrastructure providers.

This interview, which took place in a phone call earlier this April as Groothuis drove from Belgium to The Netherlands, has been edited for clarity.

The Record: How does a rapporteur contribute to the legislative process in the EU?

Bart Groothuis: As rapporteur, I work on behalf of the more than 700 MEPs. So whenever I say something, I should be darn sure that I have support for that. So you need to drink loads of coffee or tea to know what people think, and the opinions they carry, and to take that into account. But also convincing people is important. And then you negotiate on new legislation. That's what I came to Brussels for.

TR: How do you negotiate a single position among 700 MEPs?

BG: Well, like I said, loads of tea and coffee. I don't drink coffee, so tea. But you also ask for amendments, so people with strong opinions can consider an amendment to the Parliament's position. So the Commission sets forward a proposal, a law, and then we amend it. And I think about a thousand amendments were put in [for a recent law] — some of them were very strong opinions, some of them were like slight adjustments. So with the very strong opinions, you start dealing, saying 'Why do you want this, what is behind it? What is your real request here?' And then you start negotiating. But if you want to negotiate with politicians, it comes out quite handy if you know something about cybersecurity and the technicalities concerning that issue. So I was glad I came from that sphere, from that field.

TR: What have you been working on this week?

BG: This week on the Chips Act [to address global semiconductor shortages and the risks to supply-chains posed by a China-Taiwan conflict], because I negotiate that, semiconductors. But it's not that relevant for cybersecurity, or it is but indirectly. And on the Cyber Resilience Act, the new piece of legislation. There's two major pieces of legislation when it comes to cybersecurity. The first, the NIS, focuses on entities such as critical service providers. That's been dealt with. And the other one is on products. That's the Cyber Resilience Act, and that's about hard software, about coding, about responsibility, about software updates, about altering giving default passwords, etc. And about the Internet of Things (IoT), that sort of stuff. And I'm very worried that we’re overdoing it.

TR: How are you concerned that it’s being overdone?

BG: Unlike the similar laws in the UK and Singapore on consumer IoT and the industrial control systems for critical infrastructure, the scope is too large. An annex to the legislative proposal says that any product which contains a microprocessor has to go through a conformity assessment. These assessments, firstly, require money which makes the products more expensive, and secondly, the assessments require time. So the time to fail has been reduced significantly. And the other thing I'm worried about is whenever there's a vulnerability, the Cyber Resilience Act requires vendors to notify ENISA, the European Union’s cybersecurity agency in Greece. I don't like them stockpiling critical vulnerabilities. It's a risk in itself for the safety and security of the internet because other agencies might want to go for that. It's a treasure.

TR: Are there any other issues with the Cyber Resilience Act?

BG: It describes how to code. I don't want that. I want the open source community to feel free how to code. I was in Barcelona at the World Mobile Congress, looking at the latest AI machineries that Qualcomm and others demonstrated. I was just astonished at what they could do. Just take a piece of code from a GitHub repository, put it in the newest AI capability and ask it to look for errors in the code. It finds them and it repairs them. I mean, come on, are we really writing legislation to have people look at third-party conformity assessments of hard software, or could machines do that much better? I don't know, that question is still out there. The jury is still out, but I want the jury to say something about that before we take these steps.

TR: What should Europe’s role be in a future where China is the world’s predominant power?

BG: This is the age of the U.S., the 21st century. It's really not going to be China's century. And I think that European countries and the U.S. will be closer and closer. It's an ever-closer growing cooperation. But I think intelligence matters. We really need a European-continental based equivalent to the Anglo-Saxon alliance of the Five Eyes.

TR: Does this not exist in Maximator — the intelligence sharing alliance between the Danish, Swedish, German, French and Dutch intelligence agencies — as reported in The Economist and the Intelligence and National Security journal?

BG: Maximator is a form of cooperation, or it might be a form, it might not. That's not relevant. What's relevant is that there should be a political will that Europe go towards such a cooperation and we're not close to doing so. We're not even close to knowing where we need to go.

TR: Would there be issues with such a large number of states involved in this cooperation? I’m thinking particularly of states like Hungary which appear closer to Russia in certain respects than to the West.

BG: Such a broad collection platform with all of the European intelligence services, both domestic and foreign… there's too many risks of course. We've seen examples with Austria, examples with Hungary. The European Court of Justice would also bind some of the nations, saying if there's severe rule of law and human rights violations then intelligence sharing will be hampered by law. So I think that's too broad. You need four or five to go upfront and then the rest will follow and everyone would benefit from that.

TR: Is Maximator not a good model for that?

BG: I really don't know. That's not up to me, but look at how the run-up to the war in Ukraine came across when it comes to intelligence assessments in Europe. It wasn't that they were wrong, they didn't even have a clue. The German Bundesnachrichtendienst [the Federal Intelligence Service, Germany’s foreign intelligence agency] chief was in Kyiv when he called the FSB chief saying ‘If there's a war, you will warn me, won't you?’ This is outrageous. And the France DRM [Direction du renseignement militaire, France’s military intelligence agency] chief was sacked after the invasion. France takes this intelligence failure seriously, but Germany doesn't.

Let’s talk for example about cyber attribution, which was the topic of today. Why do some states not make these attributions? Do they not have the capability, or are they reluctant because of certain political doctrines? I'm not always sure. But if you want to make a fist on the world stage, you at least have to know who's behind these campaigns. And that will become more and more difficult when it comes to disinformation and AI. The basis of a geopolitical Commission should be an intelligence apparatus that would deliver. And we're not even close to where we want to be yet. And it’s not that this would leave us less aligned with the U.S. or with the Five Eyes, it is not, it's the opposite. It's more and more alignment. But there's also a need for a sovereign continental capability.

TR: Does the European Union have a role to play in combating authoritarianism?

BG: Before I started as an MEP, I wanted to do something about the rise of authoritarian states. I was in a task force of the ECFR [European Council on Foreign Relations], one of the most important think tanks in Brussels. And they were tasked by the European Commission to think of an economic coercion instrument — how China coerced Lithuania is a good example — and the question is, how does Europe respond?

And I think that we need to say we have a right to collectively respond to such threats on any individual nation. So for example, if the Chinese were to coerce the Dutch now over Dutch export controls on exporting ASML chip machines to China, I would say that the rest of the European Union — but also our Japanese, Canadian and U.K. friends, for example — could say we have the right to collectively self-defend against such aggression. And the problem with the existing state liability law is that it is only reserved for military aggression. If it's below the threshold of military aggression, you can only respond with support, with logistics or with intelligence or with food or medicines, but you cannot do anything unfriendly or aggressive.

And I think retorsion, real and just retorsion, would mean that you would collectively do that. It raises the cost for any adversary if we do that with our Japanese, Korean, Canadian friends as well. So the right to collectively respond, that is something I would like to see in the European Union. Who is holding this position? At the moment there are just three countries. Estonia was the first. New Zealand adopted that position. Recently, I saw a Polish position on countering cyberattacks and then collectively responding to it. That was a new position by the Polish Foreign Ministry, three or four months ago, which positively surprised me as well. And I think more and more states are getting a grip on how to play this game better. I think in two or three years it will be there.

TR: Is there a risk that such collective responses undermine members states’ autonomy? I think of Hungary's opposition to EU sanctions on Russian oil and natural gas.

BG: That might be true, but there's another thing. I like to read books on game theory. If you want to deflect any expected threat from an adversary, the best way is to blame someone else, and here it is to say ‘it was Brussels.’ So Brussels is a very effective platform, very effective machinery. If you would look at Vladimir Putin but also Boris Johnson and also Xi Jinping, they all failed to address anything that Brussels collectively put forward. You can't bilaterally hold negotiations on trade with EU countries. There's no leverage for any individual state. You have to go through a process.

It's very effective because, below the threshold of military aggression, the European market is by far one of the most interesting elements and the interesting leverage that we have. We should say if you continue to put aggression against us, we will translate that to restricted market access. That's a significant way of putting forward a message to another state. And I think that the Dutch for example, even the French, are too small to do that individually. The EU is oftentimes much much better positioned to respond to such threats than NATO, and NATO acknowledges that.And I think that Ukraine has demonstrated very well that market access cannot be restricted by NATO. We did. Energy, travel arrangements, financial restrictions, that's all the competence of the European Union.

So I tend to think of the EU in the future when it comes to authoritarian states, my ideal scenario is that we have a joint hiring of the new secretary general of NATO and the High Representative Joseph Borell’s successor, like [Javier] Solana and [George] Robertson did. Solana and Robertson, [the EU's high representative for the common foreign and security policy, and NATO’s secretary general, respectively] traveled the world together. They were so powerful, it was NATO and the EU together putting forward our interests. And I want to see that again. As I said to my colleagues on Capitol Hill, these are not two separate security providers. It's one and the same. But both have their comparative advantages.

TR: How should we measure your success in Brussels, as Bart Groothuis?

BG: The Digital Services Act… Let me start with Brexit. I’m so sorry, but I have to. It was Boris Johnson in the House of Commons saying ‘I don't want an investigation towards the Russian influence of the Brexit vote. I don't want that.’ And I thought that was the biggest strategic failure you could think of. I know the Brits, they have great strategic thinkers, but this was a failure, because now it's above the markets hanging somewhere that Vladimir Putin had something to do with a sovereign British decision. Why would you grant such a great strategic victory to the Kremlin saying ‘we might have had something to do with the Brexit vote’? I was thinking this is not the Brits I know, but then I started realizing they don't even have the data.

And then I started thinking about the Mueller report [on Russian interference in the 2016 U.S. presidential election]. The U.S. doesn't even have the data to establish the influence of the Russians for the Trump election. Why? Because they could go to Facebook and ask how much did the Russians pay you? ‘It's a little over $100,000,’ and that's not much, you can say. But how did that content spread into other platforms like Twitter, like Facebook or YouTube? You don't know because you don't have that data.

So when the Digital Services Act came across in Europe, I put forward some eight amendments to actually make sure that we in Europe have that data, that platforms are obliged to give insight, not just on the effects of such advertisements, but also about the cross-platform effects, and how some people are being drawn into that rabbit hole and are being radicalized. That effect, we want to measure. Who's going to measure it? Not just the police forces or intelligence forces, but also academics and investigative journalists.

If you ask me, the real thing we’re doing with these amendments is democratizing the debate around disinformation, for example, or cyber. Then journalists like yourself can say ‘I can check, I can verify this is true. This was the effect, this wasn't.’ And I did the same with the NIS. The Whois database is being rebooted and there's a significant amount of data that will go through what we call ‘legitimate access seekers.’ That was from the Digital Services Act, and I stole that and I put it into the NIS2.

So if you want to know who registered a domain, it's probably anonymized as you know, but I mean, what bitcoin address did they use? What VPN provider did they use? What session cookie was there? Right? Very technical data is being put forward on the request of legitimate access seekers to the population, to democratize that debate. To have a democratic debate on the extent of the cyber threat. And then now Mandiant says it's Russia, and some are denying as a conspiracy whether DNC was being hacked by the Russians or not. In the future that won't happen, because people can verify the basis or correlation of data in the context of attribution.

TR: Is the availability of this information enough to protect the open society?

BG: Last week I received a personal letter from Ursula von der Leyen [the president of the European Commission], it was sent to me personally, and I was ‘Okay, that's interesting, that doesn't happen that often, there's more than 700 MEPS.’ Because I sent her a letter co-signed by more than 60 of my colleagues about a Chinese company named Nuctech, a company that sells scanning equipment for airports and harbors, etc.

Now, currently, there’s a public procurement in the European Union for the outer borders on these harbors and airports to scan people, cargo, equipment, etc. And the Chinese will win if you do nothing, you and I know this because they always underbid by 25% to 35% their U.K. or U.S. competitors. So I sent her a letter saying ‘This can never go through, I want you to throw them out of the tender, and then it took her four months and she sent me a personal letter saying ‘I agree and I've put forward recommendations or guidance to member states to always put national security before price, and we will personally as a commission see that this entire process of procurement is being done with national security over pricing,’ which is a great result, right? It's a great result for me personally, as I get such a letter.

It's a landslide shift from the world's largest consumer market to basically ban the Chinese state-owned enterprise. But at the same time, I felt like I've always felt, even before I got to Parliament, that there's a structural error in how we address the threat. Because for now we do this on Nuctech scanners, but is it hard legislation? No. Can different outcomes from these public procurement instruments from different countries still arise? It might. Is it different from Huawei? Yes, it is. But shouldn't we do the same for HikVision cameras, or for Xiaomi phones, or for AI or for quantum, etc? So we don't have a structural alignment, a structural answer to the new threat that has been posed by those countries which have offensive espionage programs. That’s the first objective criteria and any agency can confirm.

Secondly, these countries have legislation that obliges any company but also citizens to comply with any request of the state, i.e. the security and intelligence services. They do that extraterritorially, in our backyard. And last but not least, the criteria is they have a revisionist view of the liberal world order. So they want to change our system and undermine our strengths. So if you would combine those criteria it would leave Iran, Russia, China and maybe North Korea, and I think that we need extra scrutiny for those countries not just for tenders, but also for visa and migration, for let's say students and academic exchanges for those programs, but also for 5G and 6G, for hard software sales. You need to scrutinize and really structurally think about those countries. You need a list of countries, because now we go through processes with a different outcome every time. But that's what we want to go towards.

TR: There isn’t unanimous support for your position, is there?

BG: There are always people, companies, institutions, countries, who say, ‘Well, this is a U.S.-China battle and you shouldn't be drawn into the U.S. aggressive schemes, and Europe has their own way of handling China.’ Of course that's true. In general, we have the same approach and we have the same interest and we have the same aggression and we have the same threat and I think we can learn a lot from how the U.S. is operating in this sphere, so I don't really see the problem.

TR: What do you regard as a success?

BG: I've been thinking a lot on why I should do this, why should I go to Brussels? And if you asked me, the only thing I get up for in the morning is that the cybersecurity community for which I stand, and the services at the MoD, and all the personnel there, I want them to do their jobs well. If they think this is good legislation, if they say to me, 'you're making my job easier,' then I'm doing a good job.