Cybersecurity Trends in the European Union: Regulatory Mercantilism and the Digitalisation of Geopolitics
This article analyses the 2023 developments in EU cybersecurity policy and proposes a ‘regulatory mercantilism’ framework to explain how the EU responds to geopolitical vulnerability by strengthening internal regulation and exporting its norms abroad; it is of interest to scholars concerned with EU digital sovereignty and security governance.
The European Union (EU)'s cybersecurity policy has, over the past two decades, undergone dramatic changes that have positioned it not only at the forefront of the EU's security policy landscape but also as one of the most influential policies across the EU policy spectrum (Carrapico and Farrand, 2020; Christou, 2015; Dunn Cavelty, 2013; Obendiek and Seidl, 2023). Over the years, the EU has become particularly aware of its increasing reliance on digital infrastructure and services, namely, how sectors such as transport, trade, finance, health, energy and education rely on accessing secure information and communication technology infrastructure. This dependency has been understood as highlighting the EU's vulnerability to the exponential growth in cyberthreats online (Carrapico and Farrand, 2021). Having developed mainly in a reactive fashion to these perceived vulnerabilities, the EU's cybersecurity strategy was officially introduced in 2013 as an umbrella for a set of pre-existing, albeit scattered, initiatives (European Commission and High Representative of the European Union for Foreign Affairs and Security Policy, 2013). Since then, it has transitioned from a set of foundational measures to a mature, comprehensive and strategic policy focused on resilience, co-operation and technological advancement. It is composed of four main sub-policy areas: cybercrime and law enforcement; critical information infrastructure protection; cyber-defence; and cyber-diplomacy. Although distinct in their focus, these areas all work together towards the protection of the EU's digital infrastructure and residents. 
The evolution of the EU cybersecurity policy can be characterised as having three distinct phases: the first was the genesis phase (1985–2003), during which the different sub-fields of cybersecurity developed separately (in particular in the context of the former EU First and Third Pillars), and the EU gradually positioned itself as a co-ordinating actor capable of addressing cross-border cybersecurity threats. This phase saw the initial recognition of the need for a co-ordinated approach to cybersecurity within a European framework. The second was the institutionalisation phase (2004–2018), where the EU pushed towards a more consistent policy framework by advocating for coherence and dialogue between the different sub-fields. This push involved the introduction and expansion of the number of EU cybersecurity co-ordinating bodies and adopting resilience as a strategy to protect businesses, public bodies and citizens. The third phase can be classified as the regulatory phase (2019–present), which has been marked by a significant attempt by the EU to gain control of cybersecurity governance. This has been achieved through a discursive framing of cybersecurity as a matter of European sovereignty (Farrand and Carrapico, 2022), the translation of this discourse into a substantial body of legislation (Farrand and Carrapico, 2022; Heidebrecht, 2024), the continued expansion of the number of EU bodies involved in this field and the introduction of international leadership ambitions in this field (Carver, 2023). Overall, the history of EU cybersecurity policy is one of continuous expansion and systematisation, having emerged as ad hoc initiatives aimed at protecting the common market and, at a later stage, at furthering the EU Justice and Home Affairs agenda. 
Having outgrown these policy areas, EU cybersecurity is now also firmly present within the Common Foreign and Security Policy (CFSP) and beyond, making it a truly transversal policy.

The present article analyses the 2023 developments in EU cybersecurity, placing them in their broader geopolitical and policy contexts. In the geopolitical context, the Commission perceives the EU as vulnerable to new threats, and their technological dimension, in a world that is increasingly polarised and unstable. In terms of policy, this has translated into the pursuit of regulatory controls aimed at creating a unified approach to cybersecurity in the Union, characterised by increased oversight and hierarchical EU governance, along with actions aimed at exporting its cybersecurity norms as international standards through cyber-diplomacy initiatives. The article proposes that developments in this field can be understood through the lens of regulatory mercantilism (Farrand and Carrapico, 2022). This framework highlights that there has been a unification of sovereignty, security and economy discourses, in which the EU frames its own vulnerabilities to external threats as necessitating increased regulatory control and exports of its own norms and values as international standards (Farrand, 2023). Regulatory mercantilism is characterised by a rhetorical performativity (Couture and Toupin, 2019) that ‘contrasts the geopolitical, security and economic challenges that the EU is facing in the twenty-first century with the vision it has for its future as an integration project’ (Bellanova et al., 2022, p. 348). In this sense, regulatory mercantilism identifies policy formation as a means of state-building in response to geopolitical concerns, which this article aims to unpack. It does so by taking the three characteristics of regulatory mercantilism and applying them to the 2023 developments in cybersecurity policy.
The first section highlights the EU's growing sense of geopolitical insecurity and vulnerability as a driver of policy; the second explores those policies in more depth, identifying the increased regulatory control the EU is seeking to exert in this policy domain; and the third reflects on the attempts at norm exporting through cyber-diplomacy.

The EU's 2023 actions in the field of cybersecurity are best understood in relation to the broader policy agenda and initiatives of the EU. With the formation of the von der Leyen Commission, a discourse of ‘digital sovereignty’ became central to the EU's actions in technology governance (Bellanova et al., 2022). The EU's digital sovereignty discourse expresses a desire for increased control as a response to a perceived sense of vulnerability to external threats posed by both non-EU states and private sector actors that may not align themselves with EU values or interests (Carrapico and Farrand, 2020). Shaping Europe's Digital Future, the Commission's policy agenda concerned with the ‘digital pillar’ of its 2019–2024 work programme, framed this sovereignty ambition in terms of developing EU capabilities and reducing external dependencies (European Commission, 2020b, p. 3). It is closely linked to the concept of strategic autonomy (Broeders et al., 2023). The State of the Union 2023 underscores that this European sovereignty is ‘an economic and national security imperative to preserve a European edge on critical and emerging technologies’ (von der Leyen, 2023, p. 7), reinforcing the notion that EU security is determined by its ability to act independently of external constraints or pressures.
These constraints include a lack of control over externally held or operated infrastructures, services and content providers (Madiega, 2020), with implications for the EU's capacity to protect citizens' data and security (Celeste, 2021; see also Chander and Sun, 2023); a dependence upon critical natural resources possessed or processed by other states that are required for producing technologies needed for cybersecurity purposes (DeCarlo and Goodman, 2022); and a perceived vulnerability to increased cyberthreats, whether in the form of disinformation, ransomware attacks, denial of service attacks or data breaches (Moerel and Timmers, 2021). These identified digital vulnerabilities are closely related to the EU's broader sense of its own geopolitical vulnerabilities. This has often been implied in concerns expressed over challenges to the liberal international order as a rejection of globalisation (Braw, 2024), with increased disregard for international organisations and norms (Stephan, 2023) and a return to ‘great power’ politics between larger states (Weiß, 2023). In the context of these geopolitical changes, there has been a blurring of ‘cyber’ and ‘material’ security, with the EU discussing concerns over ‘hybrid’ threats in 2016 (European Commission and High Representative of the Union for Foreign Affairs and Security Policy, 2016), cybersecurity being one means by which hostile actors could destabilise the EU, whether through spreading disinformation or attacking critical information infrastructures (European Commission and High Representative of the Union for Foreign Affairs and Security Policy, 2016, p. 10). This 2016 document was followed up in 2018 by a Communication on increasing resilience and bolstering capacities to address hybrid threats, where it was stated that ‘cybersecurity is critical to both our prosperity and security. As our daily lives and economies become increasingly dependent on digital technologies, we become more and more exposed’ (European Commission and High Representative of the Union for Foreign Affairs and Security Policy, 2018, p. 7).

In 2023, the Russian war on Ukraine served to highlight the EU's perceived cyber-vulnerability resulting from broader geopolitical instability, with CERT-EU monitoring the potential for Russia's actions to expand into cyber-operations against the EU's institutions. One of the key findings of CERT-EU's February 2023 report was that ‘cyber operations associated with Russia's war on Ukraine have not been confined to the belligerents. Since Russia's invasion, allies of Ukraine, such as EU countries, have faced several types of cyberattacks’ (CERT-EU, 2023, p. 3). New technologies are also classified as threats, with generative artificial intelligence (AI) featuring in both the State of the Union 2023 and a report produced by CERT-EU. In the State of the Union, it is explicitly framed as a security threat, with von der Leyen citing experts claiming that preventing human extinction by AI should be prioritised in the same way as preventing nuclear war, stating that AI ‘is a general technology that is accessible, powerful and adaptable for a vast range of uses – both civilian and military. And it is moving faster than even its developers anticipated. So we have a narrowing window of opportunity to guide this new technology’ (von der Leyen, 2023, p. 9). Similarly, CERT-EU stated that whilst generative AI could have potential cyber-defensive capabilities, it has significant concerns regarding its potential for cyber-offence, with uses including sophisticated social engineering attacks, more effective forms of phishing and automation of the identification of cybersecurity vulnerabilities, allowing for the uncovering of previously unknown attack vectors (CERT-EU, 2023, p. 4).
Given the concerns regarding the security implications of increased AI use, the European Commission has made clear its desire to regulate the use of the technology internally, through mechanisms such as the AI Act, as well as seeking to guide the development of rules at the international level, both through the AI Act serving as a blueprint for the rest of the world and through guiding innovation and the implementation of minimum standards for safe and ethical use (von der Leyen, 2023, pp. 9–10).

2023 was a particularly active year for the EU's regulatory efforts in cybersecurity. Whilst admittedly agreed upon at the end of 2022, the directive on measures for a high common level of cybersecurity across the Union (Directive 2022/2555), also known as the NIS2 Directive, entered into force in January 2023. This directive repealed the original NIS Directive and is indicative of a form of regulatory cybersecurity ‘state making’ on the part of the EU. In its public-facing FAQ document, the Commission explained its decision to repeal the original directive and create new legislation on the basis that it was responding to an expanded threat landscape and needed to address ‘an insufficient level of cyber resilience of businesses operating in the EU; inconsistent resilience across Member States and sectors; insufficient common understanding of the main threats and challenges across Member States; [and a] lack of joint crisis response’ (European Commission, 2023a). The proposal for the directive made clear the desire for increased control in this field, stating that the proposal was part of a package aimed at ‘strengthening the Union's strategic autonomy to improve its resilience and collective response’ (European Commission, 2020a, p. 1).
Interestingly, in the final text of the directive, the link to vulnerability as a basis for intervention is found in recital 37, where it is stated that ‘intensified cyberattacks during the COVID-19 pandemic have shown the vulnerability of increasingly interdependent societies’ (Directive 2022/2555). As well as updating the pre-existing requirements under NIS1 (Directive 2016/1148), NIS2 provides for stronger oversight and enforcement in order to guarantee resilience from cyberattacks (Vandezande, 2024). Article 12 provides for co-ordinated vulnerability disclosure between member states (MSs), as well as the creation of a vulnerability database that will be maintained by the European Union Agency for Cybersecurity (ENISA). Article 13 mandates co-operation at the national level between MSs, and Article 14 establishes a co-operation group ‘to support and facilitate strategic cooperation and the exchange of information among Member States’, the membership of which includes representatives of the MSs, the Commission and ENISA, with the European External Action Service acting as an observer.

2023 also saw a deepening of cybersecurity regulation in line with a regulatory mercantilist frame of heightened oversight and regulatory hierarchy, going beyond the narrower confines of setting private sector obligations to the establishment of an all-encompassing cybersecurity framework. First, the Commission proposed modifications to the Cybersecurity Act, adopted in 2019 (Regulation 2019/881), to expand its certification schemes to include managed security services. The Commission proposed this as a means of raising the overall level of cybersecurity in the Union, which would facilitate the emergence of trusted cybersecurity service providers as a priority for the ‘industrial policy of the Union in the cybersecurity field’ (European Commission, 2023e, p. 1).
The establishment of a European certification system based on European standards was central to the rationale of the Cybersecurity Act (Kohler, 2020), with the expansion of this regime to cover additional sector actors a deepening of this regulatory The which has had its first European and is the first states that its is to support the EU Act, which was also in 2023 (European Commission, 2023e, p. Interestingly, the main basis for the act is Article which concerns the creation of the for the of the EU's which with the regulatory mercantilist The proposal for the Act the link to the digital sovereignty highlighting the threat posed by external actors with to Russian and as well as from other and actors (European Commission, p. through and to cybersecurity threats (European Commission, p. see form of cybersecurity policy being within this framework – the means by which these are to be achieved are through the of in the form of security operations the EU the creation of an response to support in for and responding to as well as from and the establishment of the European cybersecurity to for the and of significant with the and response being by the Digital (European Commission, p. 3). Article of the proposed Act explicitly includes in its reinforcing of and services in the Union the digital economy and to the Union's technological sovereignty in the of (European Commission, p. reinforcing the regulatory mercantilist adopted by the Commission in this As of the act has between the and and is now to the first (European Commission, 2024). other measures focused on cybersecurity also made significant in 2023. The EU Act, first proposed in (European Commission, 2022), in 2023, was by the European in and is now the first (European 2024). The of the Act, which has Article as its is to that and made in the EU are through measures aimed at cybersecurity through a as well as that are information the security of (European Commission, 2022, p. 
The act is framed as the Shaping Europe's Digital allowing the EU to all the of the digital and to its and innovation within safe and ethical (European Commission, 2022, p. 3). This regulation will the Commission under the of market and including as with the regulation and as a significant cybersecurity based on an The Commission will be to applying up to and including from the market under Article (European Commission, 2022, p. Interestingly, concerns regarding AI are in the with classified as AI under the proposed AI Act as under the of the Act under Article 2023 saw the of the EU Cybersecurity (Regulation which was in the in 2023 and entered into force in January This regulation all Union to have their own cybersecurity governance and control under Article the of measures under Article and to have a cybersecurity by January under Article Article establishes the Cybersecurity a of of the Union's which is with monitoring and oversight of with the regulation under Article These measures a comprehensive deepening of the EU's cybersecurity regulatory in which the Commission has a cybersecurity policy, oversight within a regulatory mercantilist framework. As stated by and the EU does not the the and of its policy are indicative of a towards a stronger of its sovereignty’ et al., p. 
have these different which they to be at EU level, in order to a stronger common level of cybersecurity across the The at which the have and have through the most being adopted first is indicative of the high level of in this the need to coherence within this policy and the of the of of the of the European Union, These that will as the field to As in the the third of the EU's regulatory mercantilist approach to cybersecurity in the attempt to its norms and values beyond its with the to its vision of cybersecurity, and protect itself from This ambition is particularly in the EU which identified international leadership as one of the main priority areas of EU external (European Commission and High Representative of the Union for Foreign Affairs and Security Policy, 2020). The EU to this leadership through seeking to and international cybersecurity norms and which it is through its cyber-diplomacy 2020). The EU perceives itself as a natural in this field and as being to and such standards based on its for the of law and it that international standards are often being by non-EU to and (European Commission and High Representative of the Union for Foreign Affairs and Security Policy, p. 
which are to EU prosperity and security, making EU in this field a particularly Although EU efforts to become a key cyber-diplomacy actor are not new of the European Union, 2015; European External Action 2016), we have been to an in this rhetorical ambition into new policy initiatives and In this has to an increased of EU cybersecurity policy from the common market and the of security and to the The new policy initiatives include an increased in a growth in the number of the EU has and aimed at deepening EU integration the the EU cyber-diplomacy is particularly of as it for the first a joint response to of the European Union, This in a number of such as in third countries, the introduction of and with non-EU and the of measures beyond the EU The of the European Union has the of the link between EU external the of its cybersecurity and the ambition to EU digital 2023 developments in this field and this by the need for more and effective EU policy and in digital to EU and of the European Union, 2023, p. 2023 saw the EU to in four main to cybersecurity norm increasing the coherence between cybersecurity policy and other externally facing digital based on the that cybersecurity as an of in these other policy areas include, for the digital of human a more in international where cybersecurity standards are such as the Union and the for to over increasing the EU's in other organisations where governance is being namely, the the and the for and and to expand and the of and 2023 saw the of the and the digital which cybersecurity, digital and in EU priority areas such as technologies and AI (European Commission, are 2023 the of the and Digital which on capacity innovation and in the (European Commission, this year also saw the proposal to with the private sector of the European Union, 2023). 
Although we have a on the of the EU to expand its capacity to cybersecurity norms beyond its and to with one on the international stage, there is for the insufficient to whether this approach is third on the 2023 was not a year of or policy in the field of cybersecurity in the EU. it is a year in which the that have been in have been to a comprehensive EU cybersecurity policy which can be as being by regulatory deepening and active attempts at norm In line with the framework in this this deepening has been by an and vulnerabilities in which is required in order to that the EU is to against the threats posed to it by external actors and over which it it has This of control has also the EU to a norm exporting in line with regulatory As a response to external threats, the EU is seeking to use its regulatory capacity to standards for cybersecurity internally, which can be to other states and to the international in the form of best standards and based on European as a means of the EU's as a itself as a and in so reducing its vulnerabilities. the lens of regulatory we see a blurring of economic and security as well as cybersecurity and security concerns, on the of digital sovereignty and strategic In EU cybersecurity policy be or of to experts only – it as a central of the initiatives by the EU in its desire to leadership to a world it perceives as threats to its and security. the evolution of EU cybersecurity, we to the exponential expansion of this policy In is needed to how this policy field is being by and the digital sovereignty discourse has had on its advancement. 
it is to the implications of the in EU regulatory cybersecurity not only for the EU as an international in cybersecurity but also for its for a more influential on the world New in this field need to EU cyber-diplomacy efforts and their in the context of both organisations and a future may to the of for furthering cybersecurity their coherence and The would to their to the of the for their to this and for all the and