European Union: policy, cohesion, and supranational experiences with cybersecurity
Cybersecurity is one of the greatest areas of policy prioritization for the European Union (EU) (European Parliament and Council, 2016). Time and again, the statements of EU officials and the language of major policy documentation have emphasized the degree to which networks and network-enabled critical infrastructures constitute the foundation of the Union’s economic and political processes. Today, the EU contains hundreds of millions of citizens using billions of Internet-connected devices to engage in commercial activity, to participate in politics and, perhaps most significantly, to communicate across the regional, national, and linguistic lines that so clearly define the European community.
In large part, it is the scope of the Union’s supranational constitution that defines the nature of EU cybersecurity challenges and policy approach. Much as has been the case in other areas, the cohesiveness of policy intention and outcomes across all elements of the Union is the paramount concern of those institutions and individuals driving new formulations of approach to the various issues bound up underneath the “cyber” moniker. As Barrinha and Farrand-Carrapico (2018) note, however, the significance of coherence for the EU is not only the traditional need to square expectations and approaches across the naturally broad surface area of the continental bureaucracy (i.e., horizontal integration) and of the membership landscape (i.e., vertical integration) (Nuttall, 2005). Rather, the need for coherence stems from a deep-seated need to ensure congruence of meaning on the nature of cybersecurity challenges, the extent of EU responsibilities in the domain (both vis-a-vis member states and vis-a-vis private industry) and the potential for both to change (Cremona, 2008; Pomorska & Vanhoonacker, 2016). Here, the EU experience with cybersecurity is arguably unique by comparison with that of other major sovereign world powers. Even given that cybersecurity is itself an issue area perhaps best identified by its heterogeneous and changeable character, the pressures for EU policy that is comprehensively adaptive to changing circumstances are being felt exceedingly acutely, driven particularly by the need to protect (1) the single market and the euro, and (2) the political integrity of a membership body that has seen the rise of numerous threats to its credibility in recent years.
To many eyes, the European Union’s effectiveness in responding to cyber imperatives has been slow to materialize. Ironically, this has likely been largely the fault of efforts to ensure cohesiveness in approach at early stages of the institutionalization process. Though the EU stands apart from other countries in that the impact of cybersecurity realization episodes (i.e., first-of-their-kind major cyber threat incidents prompting policy and political response) has naturally been less clearly felt due to the supranational setting of the broader community, its initial approaches have mirrored those seen in the United States, the United Kingdom, and elsewhere that saw too many engaged stakeholders and too little recognizable authority gimp the potential of new institutions (Healey, 2013). In Europe, early strategy emerged as a joint effort of multiple EU agencies and was framed broadly in its attempt to address crime, defensive issues, and the protection of critical infrastructures. Resultantly, this gave the EU only blunt tools with which to remedy the traditional tension bound up in determining who has responsibility (and, therefore, where capacity should be developed) for various cyber issues - the EU itself or member states?
The remainder of this chapter describes the state of cyber affairs within the European Union and contextualizes the nature of challenges to ensuring coherence in approach that, even given recent developments that streamline and centralize approaches to cybersecurity, appear likely to persist in years to come. After offering a brief perspective on the history of cyber threats to the supranational security and prosperity of the European experiment, the chapter details the development of strategy, institutions, and major cybersecurity initiatives over the past decade, culminating in the EU Cybersecurity Act in 2019 that overhauled Europe’s cybersecurity agencies and granted a more concrete mandate for defense, development and standardization to the European Union Agency for Cybersecurity. Then, the chapter discusses the manifestation of enduring challenges in the drive to maintain coherence of approach amidst changing technological and political conditions.
Europe’s experiences with cybersecurity
While a large number of Western countries can point to one or a few particularly pronounced early experiences with cyber threats to national security as the impetus for institution and strategy development on cybersecurity writ large, the pressure felt by the European Union to act on cyber issues has generally been brought to bear by threats more economic than geopolitical. In the spirit of the European experiment, the eyes of EU officials and other interested stakeholders have been drawn to cybersecurity threats wherein the eventual target appears to be prosperity and the integrity of those fundamentals that underlie economic potential. This focus, in many ways, makes the EU utterly unique as a cyber actor in international affairs. While many countries have allowed their institutions to be shaped by incipient cyber crises of varying flavor, the EU has been most clearly shaped by those cyber threats with the broadest implications for societal stability. In addition to the early experiences with seemingly unrestrained utilizations of malicious code like Conficker and ILoveYou, the European Union has taken point specifically from attacks on intellectual property and critical infrastructure. Some of these are discussed further below, but most recently the EU has been propelled to new heights of cyber institution development and coordination by worm-enabled ransomware attacks like WannaCry and NotPetya. These attacks took on an almost pandemic shape in their spread across sectors of European society, caused billions of dollars’ worth of damage and spurred the EU on in what has been its most recent set of efforts to streamline and make coherent a strategic vision for a secure Europe online.
European Union cybersecurity policy: early efforts
Over the past two decades, the struggle within the European Union to better define the scope of cybersecurity issues relevant to the organization — and the responsibilities implied thereby - has reflected the challenges that countries like the United States have grappled with in attempting to determine what whole-of-government approaches to information technology issues should look like. Cybersecurity, to many, has consistently presented as either a somewhat esoteric area of concern or one characterized by such diverse prospective policy machinations as to not be particularly distinct from the generic focus on communications technologies as meaningful for economic function that came before. Resultantly, the 1990s saw initial focus on cybersecurity by the Union only as an adjunct element of core economic policy. A number of significant early documents — including the White Paper on Growth, Competitiveness and Employment. The Challenges and Ways Forward into the 21st Century (European Commission, 1993) and the Report on Europe and the Global Information Society (Bangemann Group, 1994) — identified information technologies as important to the growth of European markets, the development of the fundamentals of the single market, and the robust maintenance of Europe’s innovation economy. In such documents, there was a clear implication that the role of information technologies in aiding democratic outcomes and ensuring stability in political engagement across the EU was a significant corollary of such objectives. Nevertheless, it is important to note even here that early EU focus on cyber issues reflected a focus on coherence of economic objectives and outcomes over and above salient social or political motivations.
As noted above, few major cybersecurity incidents had major impact on EU policy towards cyber issues until at least the late 2000s. Nevertheless, though security documents like the 2003 European Security Strategy remained mum on issues of information security,[1] the rise of cybercrime during the 1990s — typically unorganized, pedestrian criminal activity that nevertheless became remarkably common among the rapidly expanding community of Europeans with personal Internet access — did prompt a series of attempts to better square the development of the web with the governance responsibilities of the organization. Much as similar concerns led to the Computer Fraud and Abuse Act (CFAA) and subsequent legislation in the United States between the mid-1980s and the late-1990s, worry about harmful material and activity online produced a wave of initiative at the Union-level aimed at harnessing nascent member state capabilities and expanding awareness of potential cyber threats to consumers. During this period, which extended through at least the mid-2000s, much focus was placed upon coordination of knowledge initiatives for member state populations, building common definitions of what computerized crime looked like and standardizing language with a mind towards building consensus on what a secure web-enabled society in Europe should look like.[2]
The game-changer for EU cyber policy came in the mid-2000s, as the Western world grappled with the notion that global terrorism and “new” forms of interstate conflict characterized by the use of organized crime and other proxy actors were the most immediate threats to international security (European Union, 2016). The Global War on Terror, in particular, prompted many within the European Union to reassess the validity of approaches to organization policymaking that emphasized devolved governance over centralized management (Tickner, 1995; Bigo, 2000; Trauner & Carrapico, 2012). With the threat of international terrorism and organized crime (often linked to violent foreign political enterprise), it was envisioned that prospective member-level solutions would often be inadequate for a range of reasons. For one, such threats would likely be characterized by transnational targeting of European society. For another, the preponderance of new EU member states in Eastern and Southern Europe were dramatically less developed than the original members in Western Europe in terms of the resources available and institutions required to coordinate effective response, information sharing and more. Though motivation to effectively combat non-state and non-traditional threats to European security was equally enthusiastic across the organization, such differences presented as clear spoilers of the EU’s capacity to defend European society.
By 2003–2004, these concerns and the implied shortcomings of member-level solutions were seen to apply directly to the security of information systems and digital communications as well. In particular, EU officials grew concerned about the manner in which different member states’ laws diverged dramatically in their treatment of cybercrime and user protections (Cremona, 2008; Van Vooren, 2012). The result was a sea-change in the way that the EU approached cybersecurity, most notably in the shift from the use of non-binding instruments of supranational coordination to legally binding ones.
Cyber defense and the European Union
Since the mid-2000s shift in focus towards diminished reliance on member state solutions in favor of cohesive organization-determined ones, cyber policy under the EU has significantly focused on the protection of critical infrastructure and the mitigation of cyber-criminal threats (including the protection of the users of digital systems). A third area, cyber defense, has received somewhat less attention by the EU, despite growing transnational threats to Europe in cyberspace. As this area lies somewhat separate from other cyber policy efforts in the European context, the chapter discusses it separately here.
Through at least 2014, EU policy focus on cyber defense was largely driven by the threat of politically motivated industrial attacks from belligerent foreign powers. A substantial volume of malicious activity culminating in the theft of terabytes-worth of valuable industrial and government data through the early 2010s - particularly the “Gh0st RAT” series of intrusions — was seen by EU officials as a clear and present threat to the economic coherence of the continent. Likewise, the increasing use of malicious code to achieve very real disruptive outcomes presented European stakeholders with a form of cyber threat that for the first time seemed the direct relation of transnational terrorism. Stuxnet, the worm employed to actual destructive effect in Iran’s uranium enrichment facility at Natanz, set Europe’s cybersecurity community abuzz. Not only was the outcome of a cyberattack — for the first time under non-laboratory conditions — physical; the code itself was generic insofar as there was immense potential for tailoring the malware to be effective against any kind of industrial control system target (Langner, 2011; Lindsay, 2013). Two years later, the use of the Shamoon virus — ostensibly by the Iranian government — to “destroy” data on tens of thousands of Saudi Aramco’s hard drives reinforced the emerging consensus position that the scope and nature of cybersecurity threats had evolved to such a form that it was no longer the stuff of “low” politics. Rather, cybersecurity was a cross-level issue that required coordinated response as much as it also necessitated diffuse efforts to better secure Europe’s digital society.
The first major nods to cyber defense occurred in 2010, with the first enumerated focus on cyber capabilities as a critical national security development area appearing in the Capability Development Plan that year (and then endorsed in 2011) (Pupillo, Griffith, Blockmans & Renda, 2018). Early focus on cyber defense emphasized two main areas of activity — (1) the articulation of crisis response coordination mechanisms (and the role that the EU should play) and (2) the cultivation of national cyber capabilities. Over the next three years, EU organizations like the European Defense Agency (EDA) and the European Commission worked to stand up a range of programs designed to harden EU capabilities to coordinate member state defensive efforts. The EU Cyber Security Strategy (EUCSS) published in 2013 defined the relationship between these efforts as aimed at encouraging member states to adopt comprehensive roadmaps for the development of defensive capabilities, at filtering cyber response into crisis response infrastructures across member states, at generating and maintaining robust education opportunities and at creating synergistic initiatives that strengthen ties to private and non-EU cybersecurity stakeholders. On this last point, significant emphasis was placed — and has continued to be placed — on formal cooperation between the European Union and NATO, notably in the form of engagement between the EDA and NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCoE).
Since the publication of the EUCSS, the EU has increasingly recognized the need for better abilities to detect and recover from sophisticated digital threats alongside an obvious need to respond during crises (European Commission, 2017a). In many ways, the EUCSS stemmed from the formal recognition that cybersecurity was one of very few significant areas where the EU was pulling up short in terms of possessing necessary capabilities. Between 2016 and 2018, the organization took significant steps forward in developing such capabilities. In 2016, for instance, the European Union and NATO issued a Joint Declaration that announced cooperation on numerous cyber issues, including the need to combat hybrid threats to European sovereignty and the need to further harden continental digital defenses. In 2017, the Permanent Structured Cooperation (PESCO) framework was agreed by volunteer participants that included 25 of the 28 national armed forces of EU member states (PESCO, 2017). PESCO’s aims revolve around the notion that community responses to cyber threats are likely to produce greater resiliency overall and greater response outcomes during crisis episodes. To these ends, PESCO signatories committed to the standard steps of creating Cyber Rapid Response Teams and better information sharing platforms.
Despite a range of promising developments focused on cyber defense, however, the European Union’s response to cyber threats from a supranational security perspective remains somewhat fragmented. As Griffith notes, EU capabilities remain (as of 2018) relatively siloed within agencies and institutions whose missions and coordinative responsibilities are not always set out clearly in law and policy. One noteworthy issue that persists to this day is the response obligations of members under the Treaty on the European Union. The mutual assistance clause of the Treaty, Article 42(7), does not define “armed aggression” sufficiently to provide nuanced threshold criteria for determining the status of some cyber threats (say, large-scale denial of service attacks against a member state) vs. others (such as intrusions leading to theft of sensitive intellectual property) (Pupillo, Griffith, Blockmans & Renda, 2018). Secondarily, in cases where cyberattacks do not include an identifiable threat actor, it is unclear where the responsibility of fellow member states would lie (though this is somewhat controlled for via reference to the “solidarity clause” of the Treaty that allows for common security action against terroristic threats). Beyond response obligations, cyber defense also remains a fragmented affair in part because so much effort has been assigned to the construction of standard approaches to regulation of digital society across member states. In other words, cyber defense remains somewhat under-emphasized in no small part because of the top-down view that it should fit within a holistic framework for coherent action on the totality of cybersecurity issues facing the EU.
Integration, cohesion and conditions on the ground
Beyond the narrower scope of cyber defense issues, the European Union has been developing the institutional capacity to deal with cybersecurity in a comprehensive fashion — at least, ostensibly — since the mid-2000s. Over the past two decades, the EU has developed a robust and diverse ecosystem of agencies tasked with different elements of the cybersecurity mission, from the EDA and DG Migration and Home Affairs (tasked with a variety of cybercrime missions) to the DG for Communications, Content and Technology, the European Network and Information Security Agency (ENISA) and the full range of Computer Emergency Response Teams (CERTs).
In many ways, it is hard to avoid the picture of EU institutional development focused on cyber issues as one wherein coordination has been emphasized over the rapid construction of new capacities. From at least 2004, when ENISA came into existence (2004), emphasis has been placed on cohesion of the EU approach as an agreed set of mission objectives and institutional underpinnings as a necessary prerequisite to the broader protection of Europe’s digital society. According to Carrapico and Barrinha (2017), this project of constructing cohesion has evolved along at least two lines and with both horizontal and vertical integration in mind. First, the EU (and the Council specifically) has attempted to build the institutional ecosystem necessary for securing European society online. In the context of member states themselves (i.e., horizontal relationships), this has meant efforts to reconcile policy instruments and national laws that pertain to cybercrime, user rights and more, as well as ensuring that approaches to coordination with the private sector are supported by EU institutions that offer frameworks and assurances to better chances for successful partnerships. Specifically, this has led the EU to develop numerous specialized agencies, from ENISA to elements of Interpol responsible for cyber-criminal investigation. Between member states and the EU (i.e., the vertical relationships) (Biscop & Andersson, 2008), this has involved ensuring that the EU itself has methods of assuring its own relevance and learns from its engagement with member state stakeholders. Second, the EU has attempted to ensure that there is common understanding of what the scope and objectives of the European cyber mission are. Horizontally, this has led to more than a decade of initiative aimed at aggregating and amalgamating understandings of the Internet’s impact on European society.
Likewise, this has meant significant investment in and negotiation around notions of responsibility on the part of member states, EU agencies and the private sector so as to ascertain what types of institutions will work most effectively to effect better cyber outcomes supranationally. Finally, the need to generate and maintain common meaning in cyber governance discourse has led to mechanisms for both accommodating and shaping national-level articulations of cyber priorities.
Overall, it should perhaps be unsurprising that this focus on cohesion preceding effectiveness has produced a cyber policy ecosystem within the EU characterized by gradualism. Many elements of the Union’s approach to cyber issues are defined by international frictions that present obstacles to progress not found in other major polities around the world. While public-private partnerships are difficult to develop on cyber issues across the Western world, European Union agencies have faced particular issues in their development. After all, not only does the EU face the traditional issues of mismatched public-private interests (particularly vis-a-vis things like data sharing) and low historical involvement in loosely coupled infrastructural sectors (like the Internet technologies sector); it also finds itself forced to play a multi-level game with national governments that often, despite desiring progress on cybersecurity issues, are politically loath to regulate private industry.
The NIS directive, ENISA and the EU cybersecurity act
EU gradualism on cybersecurity presents as a significant obstacle to effectiveness across a number of fronts. The multi-faceted nature of the EU’s cyber ecosystem, in particular, has often meant a scarcity of resources (or, sometimes, simply a lack of access to the right resources) for agencies like ENISA, Interpol, and EDA. Likewise, there has rarely been an effective presentation of a strategic vision for EU interests and approaches to cybersecurity. While there have been numerous important strategies promulgated and vision statements published, it is hard to escape the fact that these have rarely implied a streamlined set of methods for rapid response to cyber crises at the organizational level. Moreover, barriers to cooperation — specifically, barriers to communication and transformation of meaning (Carrapico & Barrinha, 2017) — across EU stakeholders and counterparts in member states remain high to this day.
That said, recent years have seen several important steps taken towards mitigation of these challenges. In July 2016, for instance, Directive 2016/1148 (hereafter the “NIS Directive”) (2016) was published to further streamline processes of cyber threat mitigation among member states. In many ways, the legislation, which was aimed horizontally at member states, is not unlike the voluntary National Institute of Standards and Technology (NIST) Cybersecurity Framework in the United States in that it offered for the first time definitions of the categories of operators, types of private industry stakeholders, and types of actions that should be addressed by state regulation (Markopoulou, Papakonstantinou & de Hert, 2019). It then mandated the adoption of these frameworks by national authorities via the publication of relevant strategies, the construction of rulemaking and enforcement agencies (where they did not already exist) and adherence to certain standards of national practice (regarding things like data breach notification).
The NIS Directive catapults ENISA, the EU’s agency for cybersecurity, to a much more centralized, significant role in ensuring continental cybersecurity than has existed to this point. Under the Directive, ENISA is named as solely responsible for the provision of support by the EU to member countries and for the assurance of member state compliance with the Directive (Markopoulou, Papakonstantinou & de Hert, 2019). ENISA must provide relevant expertise to member state agencies and must help develop all guidelines for public-private cooperation to be utilized by the Cooperation Group (the EU sub-unit tasked with that support mission). Moreover, the Directive places ENISA in a mandatory consultative role wherein the EU Commission must be advised by the agency before taking formal action. These mandates, alongside the new role the agency is given under the Directive to help appoint representatives at various levels of coordination, situate ENISA as the nucleus of all decisions vis-a-vis the development of the EU’s coordinative cyber workforce and the distribution of needed resources. By implication, they also put ENISA in a position to articulate more cohesive strategic visions going forward. The EU Cybersecurity Act (2019), adopted in mid-2019, augments this propulsion of ENISA to the fore of EU cyber policy enforcement by mandating that the agency be the sole and permanent authority for a range of operational-level initiatives to enhance cyber crisis response. Finally, these mandates also streamline the implications of cybersecurity activity in the EU in the context of the General Data Protection Regulation (GDPR). The GDPR, adopted alongside the NIS Directive, is a piece of broad-scoped regulation aimed at bettering data security for European citizens. 
Though there are numerous potential points of operational contradiction in instances where both pieces of legislation apply, such as when personal data is found during crisis response to a data breach, ENISA’s placement at the heart of Europe’s ecosystem for cyber policymaking and enforcement at least promises to help bring order where before there may have been confusion.
The architecture of EU cybersecurity policymaking and enforcement is complex, both in terms of the issues to be grappled with and along the traditional horizontal and vertical axes that have characterized integration on the continent for several decades. There remains a broad set of challenges facing the organization and the Single Market. More significantly, there remains a real need for greater cohesion of vision and subsequent action on the part of EU agencies, particularly when it comes to cyber defense. Recent developments have certainly made significant strides in streamlining the institutional landscape of cyber policy for the EU. In addition to the propulsion of ENISA to the fore of this ecosystem, new authority given to the European Council to sanction cyberattacks and the introduction of an EU-wide certification (among other developments) stand to make the continent more resilient than it has historically been. And yet, as President Jean-Claude Juncker stated in his 2017 State of the Union address, “Europe is still not well equipped when it comes to cyberattacks.” To even the untrained eye, for instance, the absence of a true defense agency — an EU equivalent to the US Cyber Command, or at least to the Joint Task Forces that preceded it — should be glaring. It is also the absent development perhaps most indicative of an enduring problem stemming from the EU’s unique status as a supranational body - much of what EU agencies do is advisory in nature. This is only not the case where years of horizontal and vertical negotiation have successfully allowed for concerted action among formally-committed stakeholders.
Moving forward, there is significant hope that the European Union can continue to capitalize on the momentum of progress over the past several years to become the effective international cyber authority it claims it can be. And yet, it would not do to end this brief recounting of Europe’s experiences with cybersecurity and cyber policymaking on anything but a cautionary note. Cyber issues are heterogeneous and prone to transformation in a way that few issues are. What makes the European Union unique as a global cyber actor among other actors - that are, by-and-large, sovereign nations in their own rights — is its status as an advisory governance entity and the resultant gradualism that emerges from the need to ensure coherence in perspective among its members. The natural suggestion here, of course, is that the EU may suffer in a way that more organically coherent political entities might not when faced with radical transformation of the issue at hand (say, in the form of novel evolutions of artificial intelligence or unexpected manifestations of the Internet of Things). Indeed, even if gradualism comes to benefit Europe in this regard as caution leads to prudent policy evolutions, it seems not unreasonable to suggest that the EU approach will be vulnerable to the under-realization of new threat areas out into the future.
- 1 See, Toje (2005) for further details.
- 2 See, for instance, the eEurope 2002 — Information Society for All — Action Plan or the Commission Communication on Improving the Security of Information Infrastructures and Combating Computer-related Crime. See, Martin (2005) and Walden (2005) for further details.
Calcara, A., Csernatoni, R. & Lavallee, C. (eds.). (2020). Emerging Security Technologies and EU Governance: Actors, Practices and Processes. Abingdon: Routledge.
Choucri, N. & Clark, D. D. (2018). International Relations in the Cyber Age: The Co-Evolution Dilemma. Cambridge, MA: MIT Press.
Christou, G. (2016). Cybersecurity in the European Union: Resilience and Adaptability in Governance Policy (New Security Challenges). Basingstoke: Palgrave Macmillan.
Ilves, L. K., Evans, T. J., Cilluffo, F. J. & Nadeau, A. A. (2016). “European Union and NATO Global Cybersecurity Challenges: A Way Forward,” PRISM, 6(2): 126–141.
Wessel, R. A. (2019). “Cybersecurity in the European Union: Resilience through Regulation?” in E. Conde, Z. Yaneva & M. Scopelliti (eds.), Routledge Handbook of EU Security Law and Policy (pp. 283-300). Abingdon, Routledge.
Westby, J. (2019, October 31). “Why the EU Is about to Seize the Global Lead on Cybersecurity,” Forbes, forbes.com/sites/jodywestby/2019/10/31/why-the-eu-is-about-to-seize-the-global-lead-on-cybersecurity/#38rtb62c2938
Barrinha, A. & Farrand-Carrapico, H. (2018). “How Coherent Is EU Cybersecurity Policy?” LSE European Politics and Policy (EUROPP) Blog, https://blogs.lse.ac.uk/europpblog/2018/01/16/how-coherent-is-eu-cybersecurity-policy/
Bangemann Group. (1994). “Report on Europe and the Global Information Society,” Bulletin of the European Union, Supplement 2/94.
Bigo, D. (2000). “When Two Become One,” in M. Kelstrup & M. C. Williams (eds.), International Relation Theory and the politics of European Integration, Power, Security and Community (pp. 171—205). London: Routledge.
Biscop, S. & Andersson, J. (2008). The EU and the European Security Strategy: Forging a Global Europe. Abingdon: Routledge.
Carrapico, H. & Barrinha, A. (2017). “The EU as a Coherent (Cyber) Security Actor?” Journal of Common Market Studies, 55(6): 1254—1272.
Cremona, M. (2008). “Coherence through Law: What Difference Will the Treaty of Lisbon Make?” Hamburg Review of Social Sciences, 5(1): 11—36.
Directive 2016/1148 of the European Parliament and the Council Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union (the “NIS Directive”).
European Commission. (1993, December 5). “Growth, Competitiveness, and Employment. The Challenges and Ways Forward into the 21st Century,” COM (93) 700 final.
European Commission. (2017a, September 19). “State of the Union 2017 - Cybersecurity: Commission Scales up EU’s Response to Cyber-Attacks,” Press Release. http://europa.eu/rapid/press-release_IP-17-3193_en.htm
European Commission. (2017b, September 13). “Resilience, Deterrence and Defence: Building Strong Cybersecurity for the EU,” Joint Communication to the European Parliament and the Council, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=JOIN:2017:0450:FIN
European Commission. (2019). “The EU Cybersecurity Act.” https://eur-lex.europa.eu/eli/reg/2019/881/oj
European Parliament and Council of the European Union. (2016, September). “Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union,” Official Journal of the European Union, L 194/119.
European Union. (2016, June). “Shared Vision, Common Action: A Stronger Europe — A Global Strategy for the European Union’s Foreign and Security Policy.” www.eeas.europa.eu/archives/docs/top_stories/pdf/eugs_review_web.pdf
Healey, J. (ed.). (2013). “A Fierce Domain: Conflict in Cyberspace, 1986 to 2012.” Cyber Conflict Studies Association.
Langner, R. (2011). “Stuxnet: Dissecting a Cyberwarfare Weapon,” IEEE Security & Privacy, 9(3): 49-51.
Lindsay, J. R. (2013). “Stuxnet and the Limits of Cyber Warfare,” Security Studies, 22(3): 365-404.
Markopoulou, D., Papakonstantinou, V. & de Hert, P. (2019). “The New EU Cybersecurity Framework: The NIS Directive, ENISA’s Role and the General Data Protection Regulation,” Computer Law & Security Review, 55(6): 105336.
Martin, B. (2005). “Information Society Revisited: From Vision to Reality,” Journal of Information Science, 31(1): 4-12.
Nuttall, S. (2005) “Coherence and Consistency,” in C. Hill & M. Smith (eds.), International Relations and the European Union (pp. 91—112). Oxford: Oxford University Press.
“Permanent Structured Cooperation (PESCO) - Factsheet.” https://eeas.europa.eu/headquarters/headquarters-Homepage/34226/permanent-structured-cooperation-pesco-factsheet_en
Pomorska, K. & Vanhoonacker, S. (2016). “Europe as a Global Actor: Searching for a New Strategic Approach,” Journal of Common Market Studies, 53(S1): 216-229.
Pupillo, L., Griffith, M., Blockmans, S. & Renda, A. (2018). “Strengthening the EU’s Cyber Defence Capabilities,” CEPS Task Force Report.
Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 Establishing the European Network and Information Security Agency (Text with EEA Relevance), as Amended by Regulation (EC) No. 1007/2008 and Amended by Regulation (EC) No. 580/2011.
Tickner, A. (1995). “Re-Visioning Security,” in K. Booth & S. Smith (eds.), International Relations Today (pp. 175-197). Cambridge: Polity Press.
Toje, A. (2005). “The 2003 European Union Security Strategy: A Critical Appraisal,” European Foreign Affairs Review, 10(1), 117—133.
Trauner, F. & Carrapico, H. (2012). “The External Dimension of Justice and Home Affairs after the Lisbon Treaty: Analyzing the Dynamics of Expansion and Diversification,” Foreign Affairs Review, 17: 1-18.
Van Vooren, B. (2012). EU External Relations Law and the European Neighbourhood Policy. A Paradigm for Coherence. London: Routledge.
Walden, I. (2005). “Crime and Security in Cyberspace,” Cambridge Review of International Affairs, 18(1): 51-68.