By 2017 the cyber posture of the European Union had by then achieved an early stage of maturity. Some essential steps had been taken to allow its member states to benefit from a shared approach to national capacity development to support EU’s missions and operations. The Network and Information Security Directive had established a EU-wide standard for member states to follow and transpose in their legislation. However, in June 2017 the world learned of NotPetya – a malware attack, unprecedented both in terms of its global reach as well as destructiveness. Coming shortly after another malware attack, WannaCry, the effects of the two attacks served as a wake-up call for Europe, drastically changing the cyber threat picture and making it evident that the EU had only limited options for joint action against malicious cyber activities that could target the EU countries. The incoming Estonian Presidency of the Council of the EU, together with the European Commission launched several new initiatives to overcome some of those gaps. This paper discusses the development of the EU’s cyber posture to date (Disclaimer: the contents of this paper were presented at the Cydef conference in Tokyo on April 4, 2018. As a result, it might not include reflections on any of the more recent developments between 2018–2019 in the EU that could be relevant to the topic of the paper at the time of publishing.) and analyses one of the areas where a joint response was agreed in 2017 – cyber diplomacy.