The EU as a Collective Security Actor: Cyber Defense Efforts of the EU Between 2013 and 2019
Summary
In the past decade, cybersecurity concerns became paramount to national and supranational
security. As a security actor, the European Union has responded to the exponential rise in threats by
implementing new policies aimed at defending the Union against malicious cyber-attacks. This thesis
evaluates to which extent the European Union can be classified as a collective security actor in the
field of cyber defense. Through a targeted sentiment analysis and a critical discourse analysis, this
thesis proposes that the EU passed through multiple cycles of the collective security framework
between the early 2000s and 2019. As such, the EU published the groundbreaking Cybersecurity Act
in 2013 and the Cyber Defense Policy Framework in 2014. Even though the EU attempted to
implement supranational decision-making, these policies remained at the intergovernmental level. In
2016, a new cycle of the collective security framework commenced, when NATO classified cyber as
the fifth domain of war. Consequently, the NotPetya attack in 2017 disrupted critical infrastructures
all over the world. As a response, the EU revised the Cyber Defense Policy Framework in 2018 and
the Cybersecurity Act in 2019. This thesis concludes that with these documents, the EU was able to
shift decision-making to the supranational level, even though some problems of institutional
fragmentation persist. Therefore, the EU almost classifies as a collective security actor, but should
act on intentions to solve institutional fragmentation.