Niinistö Report: Enhancing the European Union’s Resilience for Future Uncertainties

With the experiences of the pandemic, an active war on its doorstep, and the sharp increase of foreign hybrid operations on European soil within the last few years, the European Union (EU) has found itself lacking in its ability to respond to these new threats in a coordinated manner. Though some resilience legislation was already adopted during the last Commission–most notably the Critical Entities Resilience (CER) and Network and Information Security 2 (NIS2) directives–an integrated framework for responding to threats across domains has been a major weakness of the 27-nation bloc. 

On October 30, former Finnish President Sauli Niinistö released a new report on enhancing Europe’s civilian and defense preparedness and readiness. This report–part of a series of reports by Mario Draghi on competitiveness and Enrico Letta on the single market–has the daunting task of both assessing the challenges and presenting recommendations to enhance the EU’s preparedness and readiness for future crises. The Niinistö report offers bold steps forward, bringing Finnish resilience culture to the EU level and calling for a reevaluation of the bloc’s role as a security actor capable of responding to complex threats across multiple domains.

Bringing Finnish Comprehensive Security to the EU Level

Choosing former President Niinistö to take the lead on drafting the report was no coincidence. Finland proposed an EU preparedness strategy back in March 2024, to export its own expertise in the field of resilience to the rest of the Union. And that is what this report is at its core: an effort to apply the tried-and-true Finnish model of Comprehensive Security to the whole EU. This model, outlined in the Finnish Security Strategy for Society (which is scheduled for an update by the end of the year), lends itself especially well to the EU's needs. Compared to the Swedish Total Defence model, which sets the baseline of resilience at times of armed conflict and society’s role in supporting a military that the EU does not have, the Finnish model is more civilian and adaptive in nature and designed with all possible threat levels in mind.

What does the Finnish Comprehensive Security model bring to the table? First, it recognizes a wider spectrum of threats than what was traditionally considered as falling under the umbrella of national security. Instead of focusing on man-made threats such as terrorism and cyberattacks, it encompasses everything from large-scale accidents to severe weather events, civil unrest, water and food disruptions, as well as sudden waves of migration. 

Second, it recognizes the need for a whole-of-government approach to security and preparedness. Instead of viewing resilience as an isolated area of policy under the responsibility of a sole government agency, preparedness and security considerations should underly or serve as a benchmark for all public policy and legislation. Equally as important is facilitating formal and effective channels of communication and cooperation between government bodies, both during planning and implementing preparedness measures as well as during crisis response.

Choosing former President Niinistö to take the lead on drafting the report was no coincidence. Finland proposed an EU preparedness strategy back in March 2024, to export its own expertise in the field of resilience to the rest of the Union. And that is what this report is at its core: an effort to apply the tried-and-true Finnish model of Comprehensive Security to the whole EU.

Third, and most importantly, it covers and involves all sectors of society in every measure. From private companies to NGOs and cultural institutions to private citizens, everyone has a role to play in times of crisis and is subsequently expected to be ready to keep up operations and able to assist each other without immediate government assistance. Thus, this whole-of-society approach recognizes that security is not something that is only built top-down through legislation and investment, but also bottom-up by engaging citizens directly. Translating this critical whole-of-society approach of resilience from the national level–especially from a country in which preparedness is as culturally embedded as in Finland due to its history with Russia–to the EU level will prove challenging, but the Niinistö report suggests tangible steps for the bloc to take, demanding a considerable shift in mindset.

Single Security and a Shift in Mindset 

For the EU to implement the recommendations of the Niinistö report, one of the central challenges will be changing the mindset of its citizens. Even after more than two years of war in Ukraine, many Europeans do not seem to feel that their societies are at risk or grasp the urgency of the situation. For decades, European citizens (especially in Western Europe) have enjoyed the security provided by NATO without meaningfully contributing to it themselves. Now, with the recommendations of the report, they must learn to become providers of security. This will likely prove to be one of the hardest elements of reaching the enhanced state of comprehensive preparedness proposed by this report, as it requires actively changing the freerider-way of thinking that has been promulgated since the Cold War. But that also makes this shift in thinking one of the most acute changes the report suggests; involving businesses, organizations, and citizens will be impossible if they do not see a reason to get involved in the first place.

For decades, European citizens (especially in Western Europe) have enjoyed the security provided by NATO without meaningfully contributing to it themselves. Now, with the recommendations of the report, they must learn to become providers of security.

The report also links the multi-pronged security threats posed by extreme weather and climate change, the pandemic, and the return of kinetic war to Europe’s doorstep. Recognizing that different EU member states are experiencing security in varied ways–from those in the East more acutely feeling the knock-on effects of Russia’s invasion of Ukraine, to those countries experiencing catastrophic flooding or environmental disasters–and that the response to these crises must be more uniformly addressed by the EU. Rather than viewing each of these as separate issues to address, resilience is a solution to threats across multiple domains. It highlights the interdependence of European security infrastructure: the EU can only be as secure as its weakest link or member state. Additionally, the report asserts that most crises are not military in nature, nor do they require a military response, focusing instead on the gray zone nature of hybrid threats. The linkage of seemingly unrelated security threats into a single view of security then demands a shift in thinking. The EU performed its first comprehensive threat assessment in the creation of the Strategic Compass—a document praised for its meaningful and tangible steps towards deepening the EU’s underdeveloped defense policy. The Niinistö report adds to the previous work of the Strategic Compass in widening the EU’s threat spectrum, in particular in its considerable mention of hybrid threats. 

Treating threats under a single security mentality, as is proposed in the report, is critical to addressing the increased frequency of hybrid threats facing the region. Niinistö's report highlights how the open and interconnected societies of the EU’s member states are increasingly targeted by acts of sabotage, disinformation, and threats of disruption. To combat this rise in hybrid activities, the report proposes closing gaps through increased dialogue between the EU and NATO, in particular to build on resilience standards NATO has implemented. The report calls for the EU to reinforce its capacity for deterrence by denial—to prevent hybrid attacks in the first place—while boosting the bloc’s capacity to engage in deterrence by punishment—or by political attribution of hybrid attacks to their source. With a demonstrable increase in cyber and hybrid threats, so too must the EU’s capacity to respond be strengthened in order to best prepare the EU for the next major crisis.

Enhancing EU Preparedness 

In Niinistö's report, it is rightly pointed out that the EU has adapted to face the crises of the last 5 years and is better poised than ever to respond. However, the complexity and variety of these challenges has outpaced the EU’s ability to act, necessitating better preparedness. Although the EU has some preparedness capabilities in individual sectors, it lacks the capacity to bring together all necessary EU resources in a coordinated manner across institutional silos in the event of a major strategic shock. The report uses as an example of such a shock, if conflict in Taiwan began and impacted supply chains as well as the global economy. There is also inadequate preparation for the possibility of a Russian attack on an EU member state. 

Rather than viewing each of these as separate issues to address, resilience is a solution to threats across multiple domains. It highlights the interdependence of European security infrastructure: the EU can only be as secure as its weakest link or member state.

What actions must the EU take to enhance preparedness? First, the report proposes developing European preparedness baseline requirements, similar to those of NATO but involving a much wider scope of actors, sectors, and threats to reflect all the domains in which the EU is active. The EU Security Union Strategy, released in July 2020, is due for a major overhaul in light of renewed war in Europe. The newly proposed European Defence Commissioner has been tasked with preparing a new white paper on the future of European defense within 100 days of the start of the next Commission. The EU therefore has several upcoming opportunities to translate the recommendations in this report into policy.

Second, it proposes strengthening European cooperation on intelligence. This is not only about sharing information, but creating a common situational awareness to make sure the whole union perceives common threats the same way, minimizing the risk for contradictory reactions to crises. In addition to the steps listed in the Strategic Compass to bolster intelligence sharing, this new report calls for the strengthening of the Single Intelligence Assessment Capacity (SIAC), including the Hybrid Fusion Cell, and an overall deepening of intelligence sharing among EU member states. Intelligence sharing within the EU remains controversial, and although the report calls for a deepening of trust in other member states, in practice there are many differences in how EU member states approach espionage, intelligence gathering, and internal escalation ladders. For example, both the German and Austrian governments have in recent years been infiltrated by Russian spies, undermining the trust needed to have a credible intelligence sharing system at the EU level.

In the end, achieving the goals set out in the report is going to require a significant increase in investments and the budget allocated to societal resilience. Niinistö's report calls for at least 20% of the overall EU budget to contribute to the EU’s security and crisis preparedness. This is a steep figure as many member states grapple with rising debt and the commitment of at least 30% of the bloc’s budget towards climate neutrality through 2027. The gaps highlighted in the report must be addressed in the negotiations ahead of the next Multiannual Financial Framework (MFF), and the report argues that the cost will be too high if the EU waits until the 2028 MFF to begin to further invest in its resilience capabilities. 

The former Finnish President’s groundbreaking report proposes tangible steps for the EU to take to ensure preparedness. Although this report is not a binding document but instead advises future action, it will surely influence the future direction of the next European Commission’s policies. The calls for an intelligence cooperation service—which would be difficult to implement at the EU level—might not be as actionable, but it will at the very least spark a conversation on increasing intelligence sharing. Highlighting the EU’s urgent need for more than a million cybersecurity experts might spur investment in this gap, for instance. 

This report further reinforces the lessons learned within the EU’s frontline states on resilience and the need for a whole-of-society approach to security gaining traction in Brussels and Western European capitals since the invasion of Ukraine. While the wide-ranging report challenges EU leaders to do more to enhance resilience, it is up to the incoming Commission to carry Niinistö's recommendations into policy to make the EU more capable of responding to the crises of tomorrow.