An investigation into the “mercantilist turn” of cybersecurity policy in the EU: Unveiling the evolving public-private relations in the EU cybersecurity policy architecture and related private sector’s responses

Since 2013, the EU has been pursuing a strong agenda in the field of cybersecurity. In this context, private entities have always been considered key partners for achieving security in cyberspace and they have been integrated in the EU policy-making cycle through formal and informal arrangements. Given the close collaboration between public and private actors in the field of cybersecurity, some authors have begun to describe the development of EU cybersecurity policy in terms of “regulatory capitalism” (Carrapico and Barrinha, 2017; Carrapico and Farrand, 2017), a form of governance, where the private sector increasingly became involved in both the implementation and the design of cybersecurity provisions. Nevertheless, more recently some authors (Farrand and Carrapico, 2020, 2021, 2022) have emphasised how this approach is gradually changing. Thus, the EU is moving away from “regulatory capitalism” and it is entering a new era, which can be described as “regulatory mercantilism”, where the “foreign” private sector is no longer part of the solution to cybersecurity threats. In this context, research has so far focused on studying the EU’s efforts to promote new policy goals “regulatory mercantilism” (such as in AI, Data, Cloud Policy, etc.) and has not yet address how the private sector is responding to this shift. Nevertheless, I argue that this is an essential element to consider, given that private entities are able to shape governance arrangements through their behaviour. Therefore, this research pursues two main goals: In a first step, the research will assess how “regulatory mercantilism” is affecting EU governance arrangements in practice. In a second step, it will reflect on the behaviour of private actors, which in turn could impact governance arrangements.