The new EU Cybersecurity Strategy and the fight against cybercrime in times of COVID-19: a result of policy learning (2013-2020)?

In February 2013 the European Union adopted the first comprehensive EU Cybersecurity Strategy. Since then, the cybersecurity threat landscape rapidly evolved. The salience of the so-called hybrid threats significantly increased. What is more, the COVID-19 pandemic and the confinement measures adopted by governments to stop the spread of the virus critically accelerated digitalization, resulting in a well-documented rise of cybercrime. In December 2020, the European Commission and the High Representative presented a new EU Cybersecurity Strategy for the Digital Decade, designed to bolster Europe’s collective resilience against cyber threats. Focusing specifically on the cybercrime dimension, this paper has two interrelated goals: to assess the success of the 2013 Cybersecurity Strategy and to verify if the changes introduced by the new Cybersecurity Strategy are a result of policy learning. Drawing on theoretical insights from the literature on policy evaluation (e.g. Bovens and ‘t Hart, 1996; 2016; Bovens, ‘t Hart and Kuipers, 2008; McConnell, 2010) and on policy learning (e.g. Hall, 1993; Bennett and Howlett, 1992; Howlett, 2012; Dunlop, Radaelli and Trein, 2018), our goal is to answer two main research questions: How successful was the 2013 Cybersecurity Strategy in tackling cybercrime? Are the changes introduced by the new Cybersecurity Strategy to deal with cybercrime a result of policy learning?