Key Takeaways:
- The EU should try to use its position as a more neutral actor in East Asia to deepen a trilateral cybersecurity framework - encouraging closer Japan-ROK cybersecurity cooperation, strengthening a more resilient and coordinated democratic front against the rising tide of digital authoritarianism
- Seoul and Tokyo to jointly counter DPRK cyber threats, signaling a potential shift toward region-led cybersecurity collaboration beyond the U.S. framework.
- With parallel Security & Defence Partnerships (2024) and Digital Partnerships (2022) already in place with both Japan and the ROK, plus a PIPA–GDPR data adequacy agreement, the EU has the infrastructure to quickly build a cohesive trilateral framework to defend shared democratic norms in cyberspace.
Concern about the security of
the technical, especially digital and information technology infrastructure,
has become an increasingly central security concern over the last few decades.
Technical cybersecurity concerns and how to better respond to cyberattacks,
hacking attempts, or the increase in cybercrime are now regularly discussed in
bilateral cybersecurity dialogues, and the broader concern about how cyberspace
is governed and regulated, and how international laws and regulations can and
should apply in cyberspace and how data and information can be better protected
has long been debated in regional and global forums.
In an increasingly volatile and
unpredictable geopolitical landscape, and because highly digitalized economies
such as the ROK, Japan, the U.S., and the EU, and their member states have
distinct cyber-attack vectors and ways to respond to them, most have set up
bilateral cyber dialogues and similar processes to deepen their cooperation. Securing
digital and information technology infrastructure has become a central concern
for all advanced economies. Therefore, the European Union (EU), Japan, and the
Republic of Korea (ROK) share similar cyber threats. Over the last decade, the
EU has begun to build bilateral cybersecurity partnerships with Japan and the
ROK; direct cooperation between Seoul and Tokyo remains strangely
underdeveloped. This gap persists despite facing identical adversaries in
cyberspace, creating a significant vulnerability in the collective security of
like-minded nations.
This article argues that the EU,
having established itself as a trusted and neutral partner to both, should try to
use its position as a more neutral actor in East Asia to deepen a trilateral
cybersecurity framework. By taking advantage of its institutional ties and
shared normative values, the EU is interested in encouraging closer Japan-ROK
cybersecurity cooperation, strengthening a more resilient and coordinated
democratic front against the rising tide of digital authoritarianism.
Continued US-Centric
Reality of ROK-Japan Cybersecurity Cooperation?
Both Japan and the ROK have been
targets of persistent cyber aggression from North Korea, whose state-sponsored
hacking syndicates, such as the Lazarus Group, have a long history of targeting
their critical infrastructure. These attacks range from theft from Japanese
crypto-asset companies to fund the regime's weapons programs[1] to sophisticated zero-day
exploits against South Korean financial entities[2].
Despite this shared existential
threat, bilateral cooperation has been historically limited, with the primary
venue for collaboration being the trilateral framework with the United States.
The August 2023 Camp David summit between the U.S., Japan, and the ROK leaders finally
formalized a common concern over the DPRK's illicit cyber activities. A key
outcome was the establishment of the Japan-U.S.-ROK Trilateral Diplomatic
Working Group on North Korea's Cyber Threats in November 2023 to better
coordinate an effective response to North Korea's cyber activities that are
abused as a critical source of funding its nuclear and WMD programs, and
blocking North Korea's cyber-enabled sanctions evasion[3]. This
working group has since become the main engine of cooperation, focusing on
enhancing incident response, sharing threat intelligence on cryptocurrency
theft, and crafting robust joint defense strategies.
Significantly, this U.S.-led
initiative has also highlighted a direct link to European security. A joint
statement issued by the working group in August 2025 noted that North Korean IT
workers are targeting clients not only in East Asia and North America but also
in Europe[4],
which might convince Europe. For the ROK, this addresses one of the core
differences between the EU-Japan and the EU-ROK cybersecurity cooperation,
namely the centrality of the national security, defense policy, and cyber
threat aspect of cybersecurity cooperation with any partner, including the EU.
While the EU-Japan cybersecurity dialogue has traditionally focused more on
international cyber norms and the free and open internet, those with the ROK had
a more explicit focus on threats from North Korea.
The EU's Parallel
Partnerships: A Foundation for Trilateralism?
While the U.S. has acted as the
central pillar for ROK-Japan security ties, the EU has quietly and effectively
built the foundations for a complementary track. Over the past decade, Brussels
has pursued a dual-track engagement, deepening its cybersecurity cooperation
with both nations in parallel.
With Japan, the relationship has
evolved from regular Cyber Dialogues, initiated in 2014, to a comprehensive
Security and Defence Partnership in 2024, which explicitly includes commitments
on cyber defense and resilience[5]. This partnership aims to
coordinate efforts to promote a UN framework for responsible state behavior and
implement confidence-building measures within the ASEAN Regional Forum (ARF).
At the July 2025 EU-Japan summit, both sides stressed the need to improve
situational awareness, advance cyber capacity building, and combat foreign
information manipulation and interference (FIMI)[6].
The EU's engagement with the ROK
has followed a near-identical timeline. Regular cyber dialogues began in 2015,
focusing on strengthening collaboration on global cyber issues and capacity
building in forums like ASEAN, the UN, and NATO[7]. Ultimately, this culminated in
a parallel Security and Defence Partnership in 2024[8]. A crucial element of the
EU-ROK relationship has been deep regulatory alignment. South Korea harmonized
its Personal Information Protection Act (PIPA) with the EU's GDPR, leading to a
data adequacy agreement that facilitates the trusted and seamless transfer of
personal data, a key development to strengthen digital trust[9].
The latest developments are security-focused
initiatives such as the EU-Japan Digital Partnership and the EU-ROK Digital
Partnership, both established in 2022[10]. These partnerships are central
to the European Commission's 2030 Digital Compass strategy, which seeks to
promote a human-centric digital agenda globally by forming alliances with
like-minded partners[11]. They provide a formal
structure for cooperation from semiconductors and AI to data governance and
cybersecurity, demonstrating a shared vision for a digital society guided by
democratic values.
A Common Front Against
Digital Authoritarianism
A strong normative alignment
reinforces the potential for a deeper trilateral partnership. The EU, Japan,
and the ROK are all liberal democracies committed to the rule of law, human
rights, and a free and open internet. They are deeply concerned about the
aggressive cyber activities and authoritarian governance models. This shared
worldview has led to close coordination in global forums like the United
Nations Group of Governmental Experts (UNGGE) and the Open-Ended Working Group
(OEWG) and bilateral cooperation on combating international cybercrime and
supporting capacity building in third countries[12]. This common ground provides a
solid basis for moving beyond shared principles to coordinated action.
The
Path to Future Cooperation from Bilateral to Trilateral?
While structural and historical
issues remain difficult, in the case of Europe, they have mostly been overcome
by the necessity of solving common challenges; recent developments suggest a
potential turning point for ROK-Japan relations. In a significant breakthrough,
the first joint press statement in 17 years, issued after the ROK-Japan summit
in August 2025, explicitly emphasized the need to "jointly address North Korea's
illegal cyber activities"[13],
which might indicate that Tokyo
and Seoul have begun to treat cybersecurity as a common challenge.
The EU can play an essential
role as a neutral convenor to facilitate a trilateral dialogue, not replacing
the existing US-ROK-Japan trilateral. One way could be informal, expert-level
meetings on the sidelines of the existing Digital Partnership Councils, and joint
capacity-building initiatives in Southeast Asia, where all three partners have
a shared interest in promoting a secure digital ecosystem. Co-organizing
workshops for ASEAN nations would serve a strategic purpose and build the
operational trust necessary for deeper intelligence sharing. Given the severity
of the threats from North Korea, China, and Russia, isolated national efforts
are no longer sufficient. The EU has already laid the diplomatic and
institutional groundwork. The next logical step is to weave these strong
bilateral threads into a resilient trilateral, creating a powerful coalition of
democracies to defend the rules-based order in cyberspace.
[1]
National Police Agency (NPA) et al., Cyber Attacks Targeting Crypto
Asset-Related Businesses by a Cyber Attack Group Called "Lazarus,"
Believed to be a Subgroup of the North Korean Authorities, Cyber Alert
(Tokyo, 2022), https://www.npa.go.jp/cyber/pdf/R041014_cyber_alert.pdf.
[2]
Ravie Lakshmanan, “Lazarus Group Exploits Zero-Day Vulnerability to Hack South
Korean Financial Entity,” Article in The Hacker News, 2023, https://thehackernews.com/2023/03/lazarus-group-exploits-zero-day.html.
[3]
Ministry of Foreign Affairs of Japan, The Spirit of Camp David: Joint
Statement of Japan, the Republic of Korea, and the United States, 2023, https://www.mofa.go.jp/files/100541827.pdf.
[4]
Ministy of Foreign Affairs of Japan, Joint Statement on North Korean
Information Technology Workers (2025), https://www.mofa.go.jp/files/100895560.pdf.
[5]
European Union and Government of Japan, Security and Defence Partnership
Between the European Union and Japan (Tokyo, 2024), https://www.eeas.europa.eu/sites/default/files/documents/2024/EU-Japan%20Security%20and%20Defence%20Partnership.pdf.
[6]
Council of the European Union, Joint Statemen: EU-Japan Summit (Tokyo, 23
July 2025) (Council of the European Union, 2025), https://data.consilium.europa.eu/doc/document/ST-11834-2025-INIT/en/pdf.
[7]
European External Action Service (EEAS), 6th Annual European Union –
Republic of Korea Cyber Dialogue, 2020, https://www.eeas.europa.eu/delegations/south-korea/6th-annual-european-union-%E2%80%93-republic-korea-cyber-dialogue_en;
European External Action Service (EEAS), 5th Annual European Union –
Republic of Korea Cyber Dialogue, 2019, https://www.eeas.europa.eu/node/65194_en;
European External Action Service (EEAS), EU and Republic of Korea Hold 7th
Cyber Dialogue, 2025, https://www.eeas.europa.eu/eeas/cyber-eu-and-republic-korea-hold-7th-cyber-dialogue-seoul_und.
[8]
European External Action Service (EEAS), Security and Defence Partnership
Between the European Union and the Republic of Korea (Seoul, 2024), https://www.eeas.europa.eu/sites/default/files/documents/2024/EU-RoK%20Security%20and%20Defence%20Partnership.pdf.
[9]
European Commission and Government of the Republic of Korea, Commission
Implementing Decision (EU) 2022/ of 17 December 2021 Pursuant to
Regulation (EU) 2016/679 of the European Parliament and of the Council on the
Adequate Protection of Personal Data by the Republic of Korea Under the
Personal Information Protection Act (Notified Under Document C(2021) 9316),
Decision L 44/1 (2021).
[10]
European Commission and Government of Japan, Japan-EU Digital Partnership
(Tokyo, 2022), https://www.consilium.europa.eu/media/56091/%E6%9C%80%E7%B5%82%E7%89%88-jp-eu-digital-partnership-clean-final-docx.pdf;
European Commission, European Union- Republic of Korea Digital Partnership
(2022), https://digital-strategy.ec.europa.eu/en/library/republic-korea-european-union-digital-partnership.
[11]
European Commission, 2030 Digital Compass: The European Way for the Digital
Decade, Communication from the Commission to the European Parliament, the
Council, the European Economic and Social Committee and the Committee of the
Regions COM(2021) 118 final (Brussels, 2021), https://ec.europa.eu/info/sites/info/files/communication-digital-compass-2030_en.pdf.
[12]
Wilhelm Vosse, “EU-Japan Cooperation in Combatting Cybercrime: From the
Strategic Partnership Agreement to Global Partnerships,” in Europe and Japan
Cooperation in the Fight Against Cross-Border Crime: Challenges and
Perspectives, ed. Shin Matsuzawa et al., Globalisation, Europe,
Multilateralism Series (Routledge, 2023).
[13]
Ministry of Foreign Affairs of Japan, Joint Press Release on the Outcome of
the Japan-South Korea Summit Meeting (Tokyo, 2025), https://www.mofa.go.jp/mofaj/files/100893690.pdf.
