Uncovering the Complex Dynamics Shaping EU Cybersecurity Policy

Sivan-Sevilla found that inconsistent attempts to follow economic integration practices in cybersecurity have led to alarming gaps in policy development. Despite promises by EU policymakers to fundamentally change the existing non-functional, fragmented and nationally oriented certification ecosystem, the 2019 act created a regime that largely maintained the status quo.

As well, Sivan-Sevilla showed that it was in the best interests of almost all parties involved—the European Commission and its member states—to only slightly diverge from existing arrangements. In particular, powerful member states—France, Germany and the UK—wanted to maintain their political sovereignty over cybersecurity issues and opposed the commission’s efforts to gain decision-making powers over the cybersecurity apparatus.

What has emerged is a model that Sivan-Sevilla calls “Europeanization on demand,” certification of digital products across the EU happens on a case-by-case basis. Authorities in member states still decide on the level and extent of integration based on national interests, he says, but supranational institutions such as private cybersecurity certification bodies may play a bigger role in certifying products on behalf of the EU.

“Because EU nations want to maintain decision-making powers, it leads to suboptimal cybersecurity policy outcomes,” says Sivan-Sevilla, who previously was an Azrieli Graduate Studies Fellow at the Hebrew University of Jerusalem, a postdoctoral fellow at Cornell Tech and a Fulbright Scholar at the University of Minnesota. “As economic and sovereignty-related policy issues shape cybersecurity policy, we need to monitor how political compromises in this arena may affect the public interest.”