The EU as a Collective Security Actor: Cyber Defense Efforts of the EU Between 2013 and 2019

Abstract

In the past decade, cybersecurity concerns became paramount to national and supranational security. As a security actor, the European Union has responded to the exponential rise in threats by implementing new policies aimed at defending the Union against malicious cyber-attacks. This thesis evaluates to which extent the European Union can be classified as a collective security actor in the field of cyber defense. Through a targeted sentiment analysis and a critical discourse analysis, this thesis proposes that the EU passed through multiple cycles of the collective security framework between the early 2000s and 2019. As such, the EU published the groundbreaking Cybersecurity Act in 2013 and the Cyber Defense Policy Framework in 2014. Even though the EU attempted to implement supranational decision-making, these policies remained at the intergovernmental level. In 2016, a new cycle of the collective security framework commenced, when NATO classified cyber as the fifth domain of war. Consequently, the NotPetya attack in 2017 disrupted critical infrastructures all over the world. As a response, the EU revised the Cyber Defense Policy Framework in 2018 and the Cybersecurity Act in 2019. This thesis concludes that with these documents, the EU was able to shift decision-making to the supranational level, even though some problems of institutional fragmentation persist. Therefore, the EU almost classifies as a collective security actor, but should act on intentions to solve institutional fragmentation.