Disentangling the EU’s Actorness in Cyber Security Governance: A Case Study on EU Cyber Security Strategies Towards Asia

Over the past decade, cyber security has emerged as a significant issue and an integral part of EU foreign and security policy which attaches increasing importance on the internal-external security nexus. With the launch of numerous initiatives such as the Digital Single Market Strategy, Cybersecurity Package, EU cybersecurity agency (ENISA) and NIS directive, the Union has considerably expanded the range of common rules and actions in cyber security at European level. More importantly, the EU has sought to externalize its domestic cyber agenda to the international arena by actively engaging with other international actors through bilateral and multilateral cooperation. By doing so, the EU seeks to play an ambitious role as a norm-settler and a regulatory power in global cyber security governance. Given that cyber security is a relatively new research and policy field in EU studies, a number of key questions remain unaddressed. To what extent is the EU a coherent security actor in cyber domain? How effective is the EU’s regulatory and normative power in cyber security governance beyond the Union’s immediate border? In order to answer these questions, this study examines the EU’s role as a security actor by taking into account both internal and external dimensions of EU cybersecurity policies. The paper is structured into four sections. The first section discusses the evolution of EU internal cybersecurity policies and competence, illustrating the normative underpinnings and institutional structures characterizing the EU’s cybersecurity governance at domestic level. The second section then evaluates how the Union seeks to externalize its norms, regulatory frameworks and specific policy-settings in cyber space at global level by taking the EU-Asia cyber security relations as an empirical case. Notably, in the EU’s 2018 Joint Communication ‘Connecting Europe and Asia’, cybersecurity was featured as one of the top priorities in the EU’s foreign policy agenda towards Asia. Focusing on the Union’s rhetoric and policy instruments vis-à-vis its Asian partners (e.g. China, ASEAN, Japan), this section examines the coherence and effectiveness of the EU’s actorness as a cyber security player in the Asia-Pacific region. Subsequently, the third section discusses a number of challenges and constraining factors hindering the EU’s cyber security governance at domestic and international levels. The final section sums up the paper and links this study to the wider academic debate on CSDP/CFSP and the EU as a global security actor. Methodologically, this paper draws on data collected from semi-structural interviews in Brussels and Asia, as well as content analysis based on a wide range of EU official documents.