During the Globsec conference on April 15–17, the audience was asked whether it was time for the EU to have its own intelligence agency. Over two-thirds voted yes. Almost half of those respondents said any such agency should be under the control of the European Parliament. Of those who voted no, most believed it was up to the EU member states to deal with intelligence and counterterrorism issues.

This snap poll was telling. It showed how the public (if a bunch of foreign, security, and defense policy experts can be described as the vox populi) was finally coming round to the idea that European citizens cannot depend on their own governments to protect them, despite governments’ best intentions. This is because the nature of terrorism has fundamentally changed. The EU has to find ways to respond.

Judy Dempsey Dempsey is a nonresident senior fellow at Carnegie Europe and editor in chief of Strategic Europe. More > @Judy_Dempsey

A new paper, Towards a ‘Security Union’: Bolstering the EU’s Counter-Terrorism Response, published on April 20 by the European Political Strategy Centre (EPSC), takes up this issue. The EPSC, which was set up by European Commission President Jean-Claude Juncker to provide analysis and policy advice, makes a compelling case for a security union. This is something Juncker has been pushing for, but so far with no traction.

The main reason for the lack of progress is that the initiative would require political will and a major change of mind-set by all 28 EU member states to share intelligence and establish a counterterrorism network. As it is, the majority of EU interior ministers loath the idea of sharing information, even though no one country and its security agencies can cope with or assess the threats and possible attacks European citizens face.

Essentially, it is going to require a special pooling of sovereignty and of information and expertise if European governments want to enhance not only the security of their citizens but also essential infrastructure facilities such as energy, transportation networks, and utilities.

The EU already has a plethora of security agencies ranging from individual national police forces and judicial authorities to the EU law enforcement agency Europol, the judicial cooperation agency Eurojust, the EU Intelligence Analysis Center INTCEN, and the border management agency Frontex.

The problem with the EU agencies is that they are either underfunded or constructed in a way that does not facilitate genuine sharing of intelligence and information. Also, in the member states there is competition between the security and intelligence agencies rather than the instinct to share. The Belgian authorities admitted as much after the March 22 suicide bomb attacks in Brussels that killed 32 victims plus the three terrorists.

As the EPSC points out, the 9/11 attacks in New York and Washington forced the United States to bring all the security services under the roof of a new Department of Homeland Security. The EPSC report states there is no comparison between Europe and the United States. But the authors argue that “the larger lesson of better integrating and coordinating across various policy fields that pertain to security does appear to be necessary in order to prevent future attacks.” That’s some understatement.

The EPSC proposes that the EU should consolidate “a European multi-level counter-terrorism network.” Even though national security remains the sole responsibility of each member state, there is plenty of scope in the EU treaties for cross-border cooperation. In practice, this cooperation could be anchored on a data- and information-sharing arrangement. The Schengen Information System was designed for this purpose in the EU’s passport-free Schengen Area but was never developed in any systematic or sustained way.

Ideally, the new system outlined by the EPSC would also mean creating an interoperable and seamless exchange of information. This would entail all member states agreeing to set up a “single, user-friendly interface permitting single search as well as the ability to perform batch comparison across databases.” The ESPC rightly draws on the experience of Estonia, which has integrated its databases, to show how a Single European Identity Management System could work. In principle, as the ESPC points out, such an arrangement would avoid the multiple collection, registration, and storage of personal data.

Critics of these ideas would justifiably question how individual data would be kept safe and private, who would have access to the system, and which authority would be accountable for it. These are important issues, but so is security to protect freedom.

Euroskeptics too would pull the EPSC’s ideas apart on the grounds that the European Commission was amassing more powers at the expense of the member states. Yet even British Prime Minister David Cameron, who is no fan of the EU, has repeatedly argued that Britain’s security would be weakened if the UK left the EU. He could also argue—but he won’t in the middle of the current referendum campaign on Britain’s future relationship with the EU—that the EU needs a much stronger security policy focusing on counterterrorism.