The institutional grammar of cybersecurity agencies: a comparative study

In this article, we investigate e specific aspect of the ongoing institutionalization of cybersecurity as a public policy in the European Union (EU). As of 2023, 25 out 27 members of the EU have established a cybersecurity agency. Although the mandates, powers and scope of such agencies vary greatly across the EU sample, we still fall short of a systematic account of the structural differences (and similarities) that characterise these relatively new public sector organizations. To start filling this gap, we rely theoretically on Ostrom’s Institutional analysis and development (IAD) framework and focus on the cybersecurity agencies of the four largest countries of the EU by population: Italy, France, Germany and Spain. Case selection is guided by a most similar systems design, considering the political regime, international relations, and cybersecurity capacities of the four countries. Empirically, we leverage the Institutional Grammar Tool (IGT) and the semantic categorization of institutional statements in rule types to analyse the laws establishing and regulating the agencies (and their amendments) in these four countries. Through this type of analysis, we are able to reconstruct and compare the different action situations which stem from agencies’ legal design/rules-in-form. In the context of the comparison, we also test hypotheses about Europeanization, institutional isomorphism, and diffusion. In a successive step, we contrast the evidence arising out of the analysis of institutional design to implementation, with the aim to provide an initial evaluation of the effectiveness and coherence of design. The study contributes to institutionalist literature, as well as to regulatory agencies’ and specialised cybersecurity scholarships.