Conference Agenda

Panel 508: Cybersecurity
Tuesday, 07/Sept/2021: 11:30am - 1:00pm

Session Chair: André Barrinha, University of Bath


The New EU Cybersecurity Strategy in Times of Covid-19 Pandemic: A Result of Policy Learning?

Isabel Camisão (1, 3), Ana Paula Brandão (2, 3)

(1) Faculdade de Letras Universidade de Coimbra, Portugal; (2) EEG, Universidade do Minho, Portugal; (3) CICP, Research Center in Political Science, Portugal

Aligned with the goal of achieving a digital Europe, in February 2013 the European Union took a decisive step to overcome the piecemeal approach to cyber threats by adopting the first comprehensive EU Cybersecurity Strategy. Since then, the cybersecurity threat landscape rapidly evolved. The salience of the so-called hybrid threats (including cyber-attacks, electoral interference and disinformation campaigns) significantly increased. What is more, the COVID-19 pandemic and the confinement measures adopted by governments to stop the spread of the virus critically accelerated digitalisation and, consequently, greatly increased cyber hazards. Last December, the European Commission and the High Representative presented a new EU Cybersecurity Strategy for the digital decade, designed to bolster Europe’s collective resilience against cyber threats. The present article aims to assess the success of the 2013 Cybersecurity Strategy and to pinpoint what triggered the recent policy change in this domain. Drawing on theoretical insights from literature on policy evaluation and on policy learning, our goal is to answer two main research questions: How successful was the 2013 Cybersecurity Strategy? What triggered the adoption of a new Cybersecurity Strategy?

The 2020 EU Cybersecurity Strategy: was COVID-19 a key factor?

Eva Saeva

Newcastle University, UK

This paper will examine the EU’s legislative approach to cybersecurity seen through the lens of the COVID-19 pandemic.

The EU adopted its first Cybersecurity Strategy in 2013. It defined the three pillars of cybersecurity: network and information security (NIS), law enforcement and defence, which, through the years, have been achieved with different success. The NIS Directive 2016 was the first milestone of the legislative efforts that followed. The revamped Cybersecurity Strategy of 2020 offers instead a more holistic approach, focusing on three areas: resilience, operational capacity and advancing an open cyberspace. It includes two legislative proposals, one on a revised NIS Directive and the other on the resilience of critical entities. 2020 also marked the first time the Cyber diplomacy toolbox was used – twice – when the EU named foreign nationals for having conducted cyberattacks affecting EU Member States.

2020, however, passed under the sign of COVID-19. The pandemic revealed the many benefits of digitalisation, but also exposed the vulnerabilities: the health sector across many Member States was heavily targeted. The European Medicines Agency also fell victim to cyberattacks in late 2020. As a result, EU officials insisted on a more assertive EU. Academics, however, have argued that the pandemic has not had any major impact on the development of the overall EU cybersecurity approach. The new Strategy has not risen to the challenge of addressing state accountability or collective attribution and countermeasures in case of foreign interference.

By analysing the EU legislative efforts to tackle cybersecurity challenges over the years, this paper will examine whether the pandemic was a missed opportunity for the Union to play the global leader’s role in developing cybersecurity legislation.

The European Intelligence Academy as an intelligence education hub in the European Union

Artur Gruszczak

Jagiellonian University, Poland

The European Union and its Member States for many years have been striving to develop and increase the effectiveness of intelligence activities. The cooperation established through EU agencies and bodies aimed to support decision-making processes at the national and supranational levels in regard to the identification of risk sources, prevention of threats and reduction of security deficits. An exchange of experiences, good practices and training methods has been one of the dimensions of that cooperation, seeking to contribute to the emergence of a strategic intelligence culture in the EU. Educational initiatives which have accompanied the rather narrow practical cooperation aspired to establish a solid framework for an EU-wide professionalisation of intelligence services contributing to a more effective intelligence sharing.

This paper makes an insight into the European Intelligence Academy (EIA) as a pioneering initiative of intelligence education on the EU level. Taking the principal objectives of that initiative into account, the paper presents EIA as a case study in institutionalization of cooperative networks seeking to improve intelligence skills of national services and EU officials. A theoretical framework encompasses the concept of nodal governance and the model of intelligence hubs embedded in a networked organisational structure on the international level. An argument developed throughout the paper holds that EIA is an intelligence education hub which seeks to contribute to a political rationale for the EU as a security union responsible for an effective coping with major threats to EU citizens.

Digital Sovereignty of Europe – What’s in the Name?

Michał Rekowski

Jagiellonian University, Poland

As the tensions between the private sector and the public institutions over the control of digital transformation in contemporary societies intensify, the concept of a ‘digital sovereignty’ becomes more popular worldwide, from France to China. In early 2020, it made its way to the official agenda of the new Commission President Ursula von der Leyen as the idea of “technological sovereignty” (European Commission 2020). Ever since, it has become a driving goal for the European Commission that has undertaken to launch numerous EU digital initiatives, from the 5G toolbox to the Digital Services Act package. Nevertheless, the concept still remains elusive and ambiguous.

The aim of this paper is twofold. First, it provides for a definition of a ‘digital sovereignty’ identifying it in the digital context as a part of the ‘digital strategic autonomy’ of Europe, an element of a broader concept that signals the EU’s ambition in global politics, to which digital prowess has been recognized as critical (European Political Strategy Center 2019; Timmers 2019). Second, it elaborates on the operationalization of how ‘digital sovereignty’ is being understood and implemented in relation to key digital technologies and challenges as established by the European institutions and policymakers: digital single market, 5G, data spaces, cybersecurity or Artificial Intelligence. To this end, the paper is based on empirical qualitative research concentrated around the content analysis of the key EU strategic documents on cybersecurity and digital affairs produced by the European Commission, the Council, ENISA, European Parliament, as well as the reports and policy papers of major European think-tanks engaged in the debate (2016-2021).