The present chapter examines whether, and if so to what extent, customary international law applies within the internal legal sphere of the EU, that is, between EU member states within the EU law’s scope of application as well as in their legal relations to the EU. In essence, the relevance of customary international law within the EU’s internal legal sphere is about the EU’s assertion of autonomy and self-containment that has been unfurled by the CJEU. The analyses of key areas of customary law (e.g. diplomatic relations, sovereign immunity and equality, rules of responsibility) reveal a complex picture of the its rules’ relevance within the EU. They play a more tangible role in the relationship between EU member states, first and foremost in sovereignty-related areas, than in member states’ legal relationships to the EU. Nevertheless, the present chapter shows that despite being a ‘new legal order’, the EU treaties still constitute a subsystem of public international law, albeit one which manifests typical characteristics of self-containment.

Acknowledging the difficulties of reliable and timely attribution in the immediate aftermath of a malicious cyber operation that may prevent states from invoking self-defence or countermeasures as remedies to justify protective conduct, the chapter zooms in on the customary doctrine of necessity as a circumstance precluding the wrongfulness of state conduct that does not require a responsible adversarial party. The requirements of successfully invoking necessity are analysed with regard to perilous cybersecurity incidents. In particular, it is inquired whether necessity can ever be capable of justifying the use of force by the imperilled state in order to prevent or mitigate harm. Finally, the legal consequences of invoking the doctrine are examined.