Stuck in the Middle, EU? Origins and Evolution of Technical Solutions to (Fundamentally) Political Problems in EU Cybersecurity Policy

As the European Union asserts itself as a regulatory power in the digital domain, cybersecurity has become a key site of negotiation between governance, security, competitiveness, and democratic values. While scholarship and policy often frame cybersecurity through technical logics (standards, expertise, and regulatory instruments) many of the challenges it addresses are inherently political, involving conflicts over authority, distribution, and international power dynamics. This paper asks: when, how, and why have EU member states and the EU framed and implemented technically oriented policy solutions in response to political cybersecurity problems? The paper examines how the EU develops, implements, and projects digital and security policies within and beyond its borders, including its position vis-à-vis global competitors and the role of private actors in shaping policy responses. It builds on a core distinction in political science between technical problems, typically addressed through expertise-driven solutions, and political problems, which require authoritative decision-making under conditions of conflict and compromise. It argues that the persistent technicisation of EU cybersecurity policy is not merely a functional response to complexity, but the outcome of interacting political mechanisms operating across domestic, European, and international arenas. Three mechanisms are theorised. First, the dominance of private expertise: cybersecurity expertise is concentrated among private actors who shape policy agendas while deliberately avoiding political costs. By promoting expertise-based solutions, these actors reinforce their market position and generate dependency among public authorities, enabling influence without political accountability. Second, international divergence over hard-security norms constrains the policy space of middle and small EU states. The strategic incentives of major powers to preserve ambiguity around cyber operations and avoid binding international constraints limit the ability of EU member states to address international cybersecurity politics directly, fostering fragmented responses and favouring technical regulation over political coordination at the EU level. Third, domestic political cost considerations influence instrument choice. Decisions over who bears compliance costs, which sectors are defined as critical, and who assumes residual risk are inherently distributive and politically contested. To minimise political exposure, public authorities often adopt technically-oriented solutions or defer responsibility to supranational levels, enabling blame-shifting in contested outcomes. These mechanisms are not mutually exclusive but interact across policy phases and governance levels. Empirically, the paper adopts a mixed-methods research design, triangulating text-as-data techniques with qualitative analysis. Computational text analysis is applied across United Nations, EU-level, and national policy documents to map the evolution of problem framings, narratives, and policy solutions, while process tracing reconstructs causal mechanisms linking political problem definitions to technically oriented policy responses. The analysis draws on UN state submissions, GGE and OEWG documents, verbatim records of UN Security Council Arria-formula meetings and High-Level debates, submissions to the Secretary-General’s reports under “Developments in the field of information and telecommunications in the context of international security,” as well as EU-level documents and national cybersecurity strategies of EU member states. By foregrounding the politics embedded in regulatory responses to cybersecurity challenges, this paper contributes to debates on EU digital sovereignty, public–private interactions, and the limits of technicisation in addressing politically contested issues.