Investigating Public-Private Relations in Cybersecurity Policymaking: An Experimentalist Governance (EG) Perspective

Distrust and uncertainty permeate today’s global political landscape, and the realm of cybersecurity is no exception to this prevailing sentiment. In the field of cybersecurity policy, the European Union has witnessed the emergence of a new discourse centred on "digital sovereignty". Through a series of speeches and legislative proposals, the European Commission has consistently emphasised the need to secure its digital borders against external competitors while also maintaining control over its future in the virtual realm. Historically, private entities have played a key role as partners of the EU institutions, actively participating in the policymaking process through both formal and informal arrangements. Following the principles of Experimentalist Governance (EG), this collaborative approach has been extended to the domain of cybersecurity, which is characterised by high interdependence, polyarchic power structure, and inherent uncertainty. However, the European Commission’s stance has undergone a notable shift due to critical junctures. These shifts have been triggered in part by high-profile scandals and controversies involving major tech companies. Some scholars, such as Farrand and Carrapico (2022), argue that the Commission has become increasingly selective in its choice of partners, moving away from an open approach. This shift has been labelled in various ways, including "regulatory mercantilism", "sovereignty turn" or "protectionism". In this context, it is important to consider the implications for the openness of EU policymaking at this crucial juncture, marked by widespread distrust and uncertainty. What are consequences of this shift for the dynamics of public-private cooperation in policymaking, and how will it shape the future of EG within the cybersecurity domain of the EU? Last but not least, how is the private sector responding to this shift?