Unrest is growing in cyberspace. Cybercriminals, spies, and “hacktivists” have been inhabiting cyberspace since its inception. More recently, there has been a growing presence of state-sponsored cyber-attacks, which are often driven by espionage goals. As we underlined in our last report, cyberspace is increasingly becoming an arena in which national interests collide and thus where international confrontations are mirrored. The United States and China are the two main actors leading the race in technological advancements, and they are already setting the agenda in the world’s chancelleries for what concerns the export of information and communication technologies (ICT). The race to become the leading technology provider is already involving security concerns and exclusive foreign policy choices (as in a new version of “with us or against us”), which go far beyond the mere procurement of ICT. Indeed, according to Washington, there is a real danger that ICT coming from China may allow Beijing to steal trade secrets. More recently the US administration warned some European governments (including Italy and Germany) not to adopt Huawei technology for their national 5G networks. According to Zhu Feng, professor of international relations at Nanjing University, “It is clear that Sino-US relations have entered a new era of comprehensive competition”. The going gets tough. What about Europe? Europe gets going. 

The European Union (EU) is equipping itself with a brand new policy – the Cybersecurity Act, which is strengthening the Union’s cybersecurity competency with innovative and frontrunner tools. In this dossier, we are addressing its multiple implications from both the internal and external standpoints. As such, it includes an analysis of the (geo)political meaning of the act and how its concretisation could be considered a strongpoint for the EU vis-à-vis other international players. The EU did not copy-paste other cyber-policies, nor did it opt to withdraw from competition in cyberspace. Rather it built upon shared member states’ interests and mediated compromises for a unified cyber posture which will (hopefully) protect and improve EU citizens’ security in-of-and-around cyberspace. Therefore, the Cybersecurity Act is a great achievement for the EU from both an internal and external dimension. 

From an internal dimension, it should be stressed that the EU is not equal to other main actors in cyberspace, namely the US and China, which are nation-states; the EU still has an intergovernmental nature and has specific competencies set by common treaties, which still confer the management of national security to member states. Because of these characteristics, the adoption of cybersecurity policies has to be gradual and go hand in hand with areas of competence on which the EU can rule, namely the single market (which has included the digital single market since 2015) and internal security (in terms of justice and police cooperation). 

If we look at the dawn of EU digital policies, they were about cooperation on IT security certification because they were understood as essential to continuing the development of economies and completion of the single market.^[1] It was only in the mid-2000s that the EU acknowleged  the risk of possible external attacks to critical infrastructure IT. Therefore, the single market dimension and the internal security dimension began to be entwined regarding cybersecurity. Moreover, as described in an article by Helena Carrapico and André Barrinha, “The national level was presented as being insufficiently equipped to respond to these increasingly transnational threats adequately and a common approach, characterised by approximation and developed at the EU level was, instead, introduced as a necessary response.” This led to the adoption of a first full-fledged EU cybersecurity strategy that was published in 2013. This, despite being a comprehensive document that included concepts such as cyber defence, cybercrime, market and industrial resilience, was more a high-level political paper rather than a detailed and binding action plan. Its cybersecurity operational capacity was still relying on its member states. 

However, cyberspace was becoming an increasingly contested space. China, Russia, Iran and North Korea were using cyberspace more intensively to push forward their strategic interests and visions. In addition, cybercriminals became a significant threat to the global economy. Moreover, the revelations by US whistle-blower Edward Snowden broke down trust in the US in many European chancelleries. In light of such challenges, the EU member states sought a path to digital self-assertiveness. Resilience became the guiding principle. It was in this political context that the EU proposed a law to harmonise and improve cybersecurity across member states, called the Network and Information Security Directive (NIS). Subsequently, in September 2017 the President of the European Commission, Jean-Claude Juncker, affirmed that “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks”. Meanwhile, the European Commission adopted a cybersecurity package with new initiatives to further improve the EU’s cyber resilience, deterrence and defence. This package led to the proposal of an ambitious reform of EU cybersecurity strategy, a proposal that took the name of the Cybersecurity Act. This is just a snapshot of the lengthy path to adoption of the Cybersecurity Act, which had to overcome a long and tortuous legislative process before getting final approval from the European Parliament last March. 

As previously mentioned, the Act does not only achieve a great result within the EU, but has important implications for the EU’s stance vis-à-vis external actors. First of all, the Cybersecurity Act completes the EU cybersecurity strategy, which is oriented to a particular type of “deterrence” in cyberspace, through denial. This can have extremely positive consequences in the digital domain since it works regardless of the problem of attribution. Indeed, although the EU has also approved the Cyber Diplomacy Toolbox,^[2] the EU Council as a whole has not yet reached agreement on a collective attribution. Instead, deterrence by denial, as Joseph Nye argues, can build resilience or the capacity to recover, which can reduce the incentive for some attacks by making them look futile. The EU’s approach, as stressed in a study by the German Institute for International and Security Affairs, adopts a comprehensive meaning of resilience, which “includes a unified market for cybersecurity based on ‘security by design’ in networked devices as the centrepiece of the digital single market”. As a matter of fact, the Act seeks to achieve an important step to anticipate and minimize the impact of cyber-attacks. As well explained by Corrado Giustozzi in his article, the Act gives the ENISA a reinforced role in this sense. 

Second, the Cybersecurity Act provides a cybersecurity management model which is based on political paradigms opposed to both the US liberal-technology model and the Chinese and Russian digital sovereignty model. As recently argued by John Thornhill in the Financial Times the European “Third Way” could obtain further success after the positive feedback received from the other side of the Atlantic regarding the General Data Protection Regulation (which, for example, inspired California’s data protection law). Therefore, should implementation of the Cybersecurity Act be accurately conducted and positively assessed around the world, the EU could strengthen its position as an international “normative power” in cyberspace. Here there are still plenty of normative gaps, which could be filled by customary law.  

Third, the Cybersecurity Act may have very important implications regarding the external dimension of the EU, in particular regarding trade. As a matter of fact, if we look at Title IV, regarding the Final Provisions, article 67 on evaluation and review of the regulations affirms in paragraph 3 that “The evaluation shall assess whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services and ICT processes entering the Union market which do not meet basic cybersecurity requirements.” In other words, the EU may adopt non-tariff barriers which will have an effect both in cyberspace and the real world. It is a provision that could be implemented five years after the entry into force of the Act. Beyond its economic implications, the provision sets clear boundaries vis-à-vis products, services and processes inside and outside the single digital market. 

Cyberspace has become a domain of harsh competition and unrest. As briefly described, there are some nations (like the United States and China) that are acquiring more and more power in cyberspace and pushing their interests in this domain. The EU, with all its legal conundrums, does not stand still and it is working to make its own way through in cyberspace in order to safeguard its interests in a more and more volatile security environment.

[1] White Paper on Growth, Competitiveness and Employment. The Challenges and Ways Forward into the 21st century (European Commission, 1993); Report on Europe and the Global Information Society (Bangemann Group, 1994).

[2] The main objective of the Cyber Diplomacy Toolbox (CDT) “is to develop signaling and reactive capacities at an EU and member state level with the aim of influencing the behavior of potential aggressors, taking into account the necessity and proportionality of the response.” (Erica Moret and Patryk Pawlak. 2017. “The EU Cyber Diplomacy Toolbox: towards a cyber sanctions regime?”, Brief ISSUE 24, European Union Institute for Security Studies (EUISS)).