![Sample our Politics & International Relations journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5947/TOC-Subject-Sample-2021-Politics-International-Relations.jpg"})
Abstract
Reflecting a central premise of the collective securitisation model, it is argued in this article that both specific events and longer-term trends have galvanised and reinforced the EU discourse of increasing threat and risk around cybersecurity, at different points in time. Thus, whilst major cyberattacks have caused the EU to reflect with some urgency on the increasing threat and review its approach, new policy initiatives evolved incrementally thereafter, rather than being the product of any emergency action outside the EU’s normal politics. It is shown further that, in the case of cybersecurity, discourses of threat and risk have continued beyond policy initiation, and that this discourse has very much run in parallel with further action and initiatives. Finally, this article demonstrates how collective securitisation and legislation in certain key areas related to cybersecurity can also be subject to EU institutional desecuritisation moves, leading to national policy differentiation following a precipitating event.
Disclosure statement
No potential conflict of interest was reported by the author.
Notes
1 For a conceptual exploration and critical discussion of the role of public–private partnerships in EU cybersecurity see Bossong and Wagner (2017). See also Dunn Cavelty and Suter (2009) on PPPs and critical infrastructure protection.
2 A mandatory requirement to report network and information security breaches was included in the revised EU Electronic Communications Regulatory Framework in 2009 (European Parliament and Council of the European Union Citation2009). This requirement (Art. 13a, Directive/140 EC) was restricted to the telecommunications sector, however, whereas the NIS Directive broadened the scope to a wide array of actors involved in network and information security.
3 The EU’s discourse and policy on cybercrime has also borrowed from existing national, international and regional frameworks such as the Council of Europe Conference on Criminological Aspects of Economic Crime (1976), the US Crime Control Act (1984) and the Computer Fraud and Abuse Act (1986). See Deflem and Shutt (Citation2006) for a detailed account of the evolution of computer crime legislation.
4 An interesting perspective on the role of private actors as important regulators in themselves (as opposed to just co-enforcers) in the area of EU critical information infrastructure is provided by Carrapico and Farrand (Citation2017).
Additional information
Notes on contributors
George Christou
George Christou is Professor of European Politics and Security at the University of Warwick, UK, a Senior Associate Fellow of the UK Cyber Policy Centre, a member of the Global Internet Policy Observatory (GIPO, European Commission) Advisory Group, and a member of the Information Assurance and Advisory Council (UK) Academic Liaison Panel. His is the author of The European Union and Cybersecurity: Adaptation and Resilience in Governance Policy (Palgrave Macmillan, 2016). His work on the EU, cybersecurity and security governance has appeared in European Politics and Society, European Security, Journal of Common Market Studies, Comparative European Politics, European Foreign Affairs Review, Journal of European Public Policy, Political Geography and Cooperation and Conflict.