Who is in Charge of Cybersecurity? Contested Responsibilities in the Political System of the European Union

In the recent past, member states of the European Union (EU) have successfully securitized cyberspace, established military institutions at the national level and thus documented their authority claims in this novel domain of increasing relevance. I argue that understanding cyberspace as either a novel opportunity structure for adversaries or the backbone of economic growth ultimately determines of who is in charge of cybersecurity in Europe: member states’ governments, or the European Union (esp. the agency ‘European Union for Network and Information Security’ – ENISA). The objective of this paper is to explore how authority over governing cyberspace was established in the EU. First, I seek to study selected discourses at both EU and member state level to investigate the process of how cyberspace was gradually securitized and by which actors. Given that this delegitimizes the capacities of the EU, I will analyze its strategies of resistance, which could be both discursive and action-oriented. More specifically, I will build on Guzzini’s proposition to conceptualize attempts at de-securitization as causal mechanisms to enable policy reforms. Second, I will turn to the more specific struggle over political competencies within the emerging governance of cyberspace from approval of the EU’s cyber strategy to transforming it into legislation (i.e., the Directive on security of network and information systems [NIS directive]). This exploration will not only contribute to debates on the interaction between old and new authorities, but also shed light on how the EU’s supranational bodies attempt to resist different forms of power exercised by member states.