Benjamin Farrand, Helena Carrapico, Aleksei Turobov, The new geopolitics of EU cybersecurity: security, economy and sovereignty, International Affairs, Volume 100, Issue 6, November 2024, Pages 2379–2397, https://doi.org/10.1093/ia/iiae231
Abstract
The European Union (EU) is currently experiencing significant geopolitical shifts and is concerned that its dependence on externally produced or foreign-owned technologies risks its strategic autonomy, with implications for its security and economy. In response, it has placed sovereignty at the forefront of its agenda and at the centre of its relations with the world. Academic literature has so far paid limited attention to understanding the interactions between geopolitics, perceptions of technological dependence, and the impact on policy governance in cybersecurity. Bearing this gap in mind, the article asks how the EU's discourse of sovereignty and reducing external dependencies is shaping its approach to cybersecurity. Applying regulatory mercantilism and policy analysis to three case-studies—focusing on control of semiconductors, data server location, and cybersecurity certification—the article finds that the EU's depiction of its cybersecurity as impacted by dependence on externally manufactured products resulted in the merging of security and economic rationales. This has translated into efforts for greater control, either through promoting production within the European physical space through security-influenced industrial policies or—when this is not possible—by exerting regulatory influence beyond Europe's borders. Where globalization is believed to have failed, regulatory mercantilism becomes more likely as a policy approach.
Europe has, according to European Commission President Ursula von der Leyen, witnessed the ‘birth of a geopolitical Union’.1 This geopolitical turn in European Union law and policy-making is a response to the EU's perception of the world as increasingly multipolar, combative and unstable. Security, broadly understood, has become something of a fixation for the EU, with the call for increased competences and funding for security and defence forming the basis of von der Leyen's bid for a second term as Commission President.2 In particular, this would entail increased arms spending in the form of a defence industrial policy, with EU-made munitions at its centre.3 Where globalization and liberalized trade were once at the centre of EU international efforts,4 reducing dependencies for critical industries is now intentionally framed in terms of geopolitical and strategic autonomy. At the centre of these concerns is the dependency of Europe on externally produced or possessed technologies, which link European cybersecurity and the protection of its digital systems5 with its material security and national defence. 
Geopolitical instability, together with a growing sense of technological competition with the US and China, increasingly frames the EU's actions to the extent that they have been referred to as fostering a ‘strategic turn’ in its policies.6 Concerns over state and non-state actors using cyber attacks in the broader context of military conflicts, online disinformation campaigns aimed at EU institutions and the role of ‘cyber’ within the ‘hybrid warfare’ toolbox, mean that cybersecurity is already an area of central importance to EU security policies.7 What is new, however, as this article will argue, is the EU's intentional framing of EU cybersecurity policy in sovereignty terms, and the governance approach that emerges from this new framing: the EU depicts its technology sectors as being particularly vulnerable to external threats and as being essential to the EU's viability as a project, through the merging of security and economic rationales. The resulting governance approach translates this merger of security and economic rationales into the need to transfer objects of regulation into the European physical space, or alternatively to exercise regulatory control over that which cannot be physically relocated.
The authors, therefore, ask how the EU's discourse of sovereignty and reducing external dependencies is shaping its approach to cybersecurity. They propose exploring the interactions between geopolitics, perceptions of insecurity, and insecurity's impact upon EU policy priorities, highlighting how the provision of EU cybersecurity is presented as necessitating the reduction of its dependency on technologies produced or maintained beyond its borders. The article presents key studies that all highlight the centrality of physical proximity to European cybersecurity—control of semiconductors, data server location and cybersecurity certifications for hardware. In line with the objectives of this special issue,8 the article makes both a conceptual and an empirical contribution to the academic literature. Conceptually, the article contributes to advancing a novel theoretical framework, regulatory mercantilism, for understanding the behaviour of international actors, in conditions of geopolitical instability and perceived vulnerability, as they feel compelled to reassert control over sectors through regulatory interventions. This article will argue that these interventions are aimed at preserving the sovereignty and security of these actors, and often entail the convergence of economic and security ambitions. These actors' objective is to ensure that critical technologies and resources are either brought under their geographical control or are made subject to their regulatory oversight beyond their borders, in accordance with their own rules and values. It is important to state, however, that regulatory mercantilism does not represent a wholesale economic programme akin to traditional mercantilism, nor is it holistic in its application in the context of EU policy. Instead, it is relevant in those contexts in which the EU perceives itself as highly vulnerable to external security threats posed by control over critical technologies.
It is not that interdependence and globalization are seen as inherently threatening, but that in certain key sectors, they place the EU at a disadvantage that negatively affects its security.
Empirically, this research contributes to the EU studies literature by examining the role of current international tensions and conflicts in shaping the EU's adoption of a more geopolitical stance within the international system. These tensions/conflicts are perceived as affecting the EU's ambitions to become a leading cybersecurity actor and as threatening its economic and physical security. The article also makes an empirical contribution to the cybersecurity literature, as the case-studies explore how the EU's cybersecurity ambitions are reflective of the material and the cyber having become inextricably linked9 as well as becoming central to contemporary geopolitics. Methodologically, the article analysed more than 50 pieces of legislation and policy documents that refer to the EU's semiconductor, data server and cybersecurity certifications, as well as outlining its digital sovereignty ambitions and perceived vulnerabilities. The documents were selected through purposeful snowball sampling until data saturation was achieved.
The article starts by further explaining why regulatory mercantilism is well placed to help us understand the interconnections between perceived vulnerability in the context of geopolitical instability and regulatory interventions. In the following section, the development of the EU's digital sovereignty approach is outlined, indicating the bloc's desire for—and its planning towards—increased controls over diverse technology sectors. The section also highlights the unifying of economic and security concerns in the desire to ensure strategic autonomy through reducing external dependency, and how this has resulted in cybersecurity and physical security becoming characterized by questions of physical space and location. This results in a far-reaching regulatory agenda coherent with a regulatory mercantilist approach to policy-making, which is demonstrated through the article's case-studies. These focus on the EU's approach to the regulation of semiconductor manufacture, its policies on data governance and common data spaces, and new cybersecurity requirements for hardware made available in the EU's internal market. In each case, action is motivated by a desire for increased regulatory control predicated on concerns over security, including over where goods or services are produced or located.
Regulatory mercantilism, sovereignty and security
Central to the argument in this article is that the drawing together of cyber and material security by European policy-makers has been instigated by a perception of vulnerability to external geopolitical shocks, resulting in technology regulations increasingly being framed in terms of economic and state security, rather than economic efficiency. To understand this geopolitical turn in technology control, and the belief in the indivisibility of cyber and physical security as well as the concerns over territoriality expressed by the EU, it is useful to outline the concept of regulatory mercantilism.10 This new framework will enable the authors to argue that while the logic of regulation of digital technologies has historically been driven by efficiency concerns,11 with the result that private actors have increasingly come to shape regulatory approaches in an environment of light-touch oversight,12 this logic of efficiency is increasingly being replaced by one of security.13 As a result, light-touch regulation, based on the idea of private sector actors constituting key experts and equal partners, is also brought into question, with market operators instead subject to systems of increased regulatory oversight and hierarchical control, whether in the form of co-regulation or active state regulation. Regulatory mercantilism, as an approach to sectoral governance, is most apparent where states or actors such as the institutions of the EU consider themselves vulnerable to external threats arising from perceived geopolitical instability.14 In this respect, regulatory mercantilist approaches are responsive. 
At a broader, systemic level, this vulnerability perception is a response to the increased perception on the part of policy-makers that globalization, understood as a liberal economic order in which free flows of trade and economic interdependence are ultimately positive, has failed in some key areas, including those related to new and emerging technologies.15 Within this negative understanding of interdependence, technologies beyond a state's physical control or jurisdiction are increasingly seen as a threat, and therefore accumulation within one's own territory is a preferred means of guaranteeing security. The possession of those technologies by actors beyond a state's own borders in itself increases external vulnerability, as continued security is dependent upon the continued supply of goods or services by those externally positioned actors. The result is that, within a regulatory mercantilist approach, interdependence is seen as a vulnerability and something to be limited in the name of strategic autonomy.16 For our understanding of cybersecurity in contemporary international relations, it means that ‘cyberspace’ is no longer a borderless world nor therefore is it regulated as such, but it is a world in which borders are actively sought in the name of security and in which efforts are made to exert regulatory control beyond those borders—that which is within borders and under the state's control is less of a threat than that which is physically located in another state.
The link to mercantilism rests in the response to this sense of vulnerability. Mercantilism, briefly, was a system of thought (although admittedly not a unified one) that held that the security of a state was intimately linked to its economic power.17 For this reason, market protectionism was promoted through both the strict limiting of imports of high-value goods and the encouraging of their export. There were also restrictions on the exporting of natural resources, while attempts were made to accumulate as much of those natural resources as possible, be they fish, minerals or wood, or alternatively to accumulate the currencies used for trade.18 In regulatory mercantilism, it is, rather, regulation that is the export—with actors seeking to export their own regulatory standards as global standards, based on their own rules and values,19 while minimizing the level of externally imposed regulatory ‘import’. In the context of digital technologies, the ‘accumulative’ dimension of regulatory mercantilism can also be seen in the desire to bring resources into the territory or regulatory influence of the EU, with those resources including elements such as data, and raw natural resources used for producing technological goods.20 Interdependence serves as a weakness, as it places the state at the mercy of outside forces, which may either be ambivalent towards the interests of other states at best, or actively hostile at worst. In terms of trade, security and economy become inextricably linked, resulting in policies that can be classified as ‘economic nationalism’.21 In a regulatory mercantilist framework, this is conceptualized as necessitating strategic autonomy and reduced external dependency, which serves as a discursive tool in policy formulation, in which interdependence is framed in terms of vulnerability. 
This does not necessarily occur in all fields, but in those in which actors perceive themselves as at a competitive disadvantage in a way that presents security risks, resulting in a desire to exert increased control through either physical proximity or regulatory intervention with high levels of prescriptiveness.
Regulatory mercantilism, therefore, is also intimately linked to the concept of sovereignty. Mercantilism, according to scholars such as Schmoller and List,22 was the pursuit of state-building and unification as a means of achieving the security desired by those state-like actors. Mercantilist policies were pursued as a means of unifying the power of a sovereign ruler, demarcating their territory and unifying the markets internally while bolstering economic power externally. In regulatory mercantilism, there is a desire on the part of the state to reinforce sovereignty and ‘take back control’ over regulatory activities,23 both from potentially hostile states, as well as private sector actors deemed to threaten the interests of the state. As we will see in subsequent sections of this article, the EU's adoption of the ‘digital sovereignty’ agenda is an example of this type of policy initiative.24 Ultimately, regulatory mercantilism is an approach to policy-making that links the promotion of sovereignty, economic goals and security goals, which are understood as mutually dependent and mutually reinforcing (for the depiction of this interdependence, see figure 1).

Figure 1: The interdependent concerns contributing to regulatory mercantilist policy approaches
Regulatory mercantilism is therefore an approach that encompasses three main elements, which will be operationalized in the empirical section of this article: it sees states or state-like entities seeking to establish regulatory control on the basis of: 1) a security logic, linking economic and security goals, with 2) a desire to export regulatory standards as global standards, while 3) ensuring domestic production as a protective means and as a response to perceived geopolitical instability and vulnerability. As indicated in the three case-studies, the discourses associated with the regulatory mercantilism rationale will make references to sovereignty, the right to choose, and the need to protect the security and values of a geographical territory through reducing external dependencies. Nothing here suggests that the EU does not possess strong normative beliefs in its regulatory model. Instead, it is about how the EU seeks to reinforce it, using a discourse of sovereignty as a basis for increased regulatory control, exporting its influence beyond its own borders, and the underlying geopolitical concerns that mean that security concerns and economic concerns have been inextricably intertwined. Cybersecurity regulation serves to demonstrate how this operates, particularly given the increased attention on the material dimension of cybersecurity, and the importance of physical location or extraterritorial control that is being seen in diverse fields of technology governance. The next section of this article will explore this in more detail, expanding on the EU's cybersecurity policies, and what impact they have on its regulation of semiconductors, data spaces and cybersecurity obligations for hardware manufacturers.
The EU's response to geopolitical conflict over technology
This section analyses the EU's perception of its own position within the cybersecurity realm, its increased sense of vulnerability and how this perception affects technology policies. The three regulatory mercantilist elements identified in the theoretical section are woven through the empirical analysis and used to identify three EU responses to the current geopolitical conflict over technology: 1) the usage of a sovereignty discourse to frame the challenges that the EU is currently experiencing; 2) the EU's attempt to merge economic and security rationales in order to draw attention to the urgency of tackling these challenges; and 3) its highlighting of the deep interconnection between cyber and material security, and the importance of the physical location of technologies, to underline that cybersecurity can only be achieved if the latter is equally prioritized, namely by exporting regulatory standards as global standards or bringing technologies within the EU's territorial control.
As mentioned at the start of this article, the EU's approach to cybersecurity-related technologies has been deeply shaped by the EU's concept of digital sovereignty, which appeared in the von der Leyen Commission Political Guidelines as a recognition of the importance of achieving ‘technological sovereignty in some critical technology areas’.25 This concept was expanded in the discussion of digital sovereignty in the 2020 Commission publication Shaping Europe's digital future, in which the Commission described it as:
… the integrity and resilience of our data infrastructure, networks and communications … creating the right conditions for Europe to develop and deploy its own … capacities, thereby reducing our dependency on other parts of the globe for the most crucial technologies.26
Furthermore, resilience in these fields will allow the EU to define its own rules and values, deemed essential in the guaranteeing of its continued sovereignty, as well as to export these rules and values to the international community.27 Its joint communications on cybersecurity made it clear that the EU sees its physical security as at risk from cyber threats,28 whether in the context of critical information infrastructures29 or the hybrid threats posed by cyber attacks, combined with actions such as disinformation as means of destabilizing the EU and its member states;30 hence, there is a blurring of cyber and material security threats.
The 2020 Joint Communication, The EU's cybersecurity strategy for the digital decade, highlights two aspects of digital sovereignty pertinent to this article. The first is that the Commission is explicitly linking material and cybersecurity: ‘Transport, energy and health, telecommunications, finance, security, democratic processes, space and defence are heavily reliant on network and information systems that are increasingly interconnected.’31 The second is that the Commission not only recognizes that cybersecurity is just as dependent on material security as the other way around, but that it sees these interests as vulnerable to external influences: ‘The threat landscape is compounded by geopolitical tensions over the global and open Internet and over control of technologies across the whole supply chain.’32 In order to address these geopolitical threats, the Joint Communication argues, the EU should reinforce its resilience, digital sovereignty and leadership.33 This is explicitly framed in geopolitical terms in the 2020 Strategic foresight report, with the Commission stating that the ‘rapidly escalating US–China technological confrontation [reinforces] the need for the EU to pursue its technological sovereignty agenda and strengthen its key digital capacities’.34 These goals can be understood in regulatory mercantilist terms: in order to ensure the EU's security in the face of perceived external threats, actions must be taken that help establish an effective response that explicitly unifies economic and security concerns, allowing the EU both to set its own regulatory standards and to ensure technology control, while promoting its own standards, rules and values as global standards, rules and values.35
Bringing manufacturing home: policies for semiconductors
As a result of recent ‘semiconductor shocks’ and concerns over Taiwan's continued independence, given its position as the main producer of advanced chips,36 states are increasingly seeking to boost their own industries and reduce dependency on foreign components, while engaging in increasingly hostile trade policies against rivals for these technologies.37 The semiconductor industry, with its heightened tensions, is one of a range of technology-related fields in which conflict between the US, China and the EU is particularly visible. According to Matthijs and Meunier, European ‘faith in the survival of the liberal economic order was shaken by Chinese mercantilism and, to a lesser extent, by the trade wars of U.S. President Donald Trump’,38 resulting in a significant change to its traditional approach to foreign economic policy. While the EU had previously voiced concerns over the economic effects of Japanese and US semiconductor manufacturing in the European Single Market, leading it to initiate, for example, anti-dumping investigations on Japanese activity in the 1980s,39 the present concerns represent a shift in the EU's approach to technology policy. The Commission's 2020 industrial strategy also launched a series of in-depth reviews, which would identify securing semiconductor production and supply as a key area of strategic dependency and of fundamental importance to the EU's security. As part of this process, a European Chips Survey was carried out among industry representatives to better understand the EU's landscape in this field, namely whether demand for chips was being met and how the chip shortage was affecting companies in this sector.40 The results of the survey were quite revealing. The EU is highly dependent on third countries for chip supply, with the chip shortage affecting all areas of production.
The report made no distinction between ‘commodity semiconductors’—used in technologies such as fridges and cars—and more advanced semiconductors smaller than 7 nanometers for high-end processing, in terms of supply risk. Furthermore, costs were expected to rise due to continuous demand, and the Commission concluded that the security of digital software solutions is highly dependent upon securing access to physical resources. These concerns influenced the EU's approach to regulation of the semiconductor industry, which is reflected in two legislative initiatives, the Chips Act of 202341 and the Critical Raw Materials Act of 2024.42 Regulatory mercantilism helps us to understand this linkage of cyber and physical security, and the means by which it was to be secured—‘European officials are turning the machinery of the single market to protect the EU’,43 reinforcing its regulatory power as a means of securing its own territory.
The Chips Act was first raised in the State of the Union address in 2021, when von der Leyen stated the need to invest in European digital sovereignty as a means of shaping and securing digital transformation according to the EU's rules and values. On the topic of semiconductors, von der Leyen makes clear that ‘there is no digital without chips … But while global demand has exploded, Europe's share across the entire value chain … has shrunk’.44 Consistent with a regulatory mercantilist frame, the address stated:
This is not just a matter of our competitiveness. This is also a matter of tech sovereignty … We will present a new European Chips Act … that ensures our security of supply and will develop new markets for ground-breaking European tech.45
This resulted in a Communication on A Chips Act for Europe,46 which argued that European leadership in the semiconductor industry is essential for the EU's economic competitiveness, as well as its technological sovereignty and security.47 These cyber and material security interests are linked, with cybersecurity goals dependent upon securing material assets, as the Commission makes clear that it has less than 10 per cent of the market share for semiconductor manufacture, and of that, the vast majority being chip manufacture at higher than 22 nanometers—and none at all at 7 nanometers or below—with dependencies in design, packaging and assembly.48 Advanced semiconductors in particular are identified as necessary for developing technologies to meet cybersecurity requirements,49 again reinforcing the cyber–material interdependence. The interdependence of these three strategic aims is consistent with a regulatory mercantilist approach to policy-making. Security concerns are framed in terms of perceived geopolitical instability, and the threat posed by the US and China in a global technological race, which requires Europe to use its regulatory strengths, establishing greater leadership internationally.50 This requires legislative initiatives on the part of the EU intended to ‘build a resilient European ecosystem and strengthen Europe's technological leadership’.51
Reducing dependencies and reinforcing sovereignty in the semiconductor supply chain in the face of external crises are stated as objectives of Regulation 2023/1781,52 with the idea that security—both digital and material—is dependent upon the maximum possible share of the manufacture of semiconductors taking place in the geographical space of the EU. Chapter II of the regulation promotes a unified European response, framed as ‘Chips for Europe’, that would see market construction, funding through mechanisms such as Horizon Europe, and focusing on building internal capacity to reduce external dependencies, indicating a regulatory mercantilist approach to unifying market activity. Chapter III focuses on security of supply, including through the establishment of integrated production facilities, semiconductor manufacturing and design facilities, integrating multiple steps in the supply chain in order to ‘contribute to the security of supply and the resilience of the Union's semiconductor ecosystem and … where relevant [to] contribute to the security of the global semiconductor supply chains’.53 This is also supported by Open EU foundries under article 14, which are ‘facilities for semiconductor manufacturing in the Union that offer production capacity to unrelated undertakings and thereby contribute to the security of supply for the internal market and the resilience of the Union's semiconductor ecosystem’.54 Finally, annex III of the Regulation makes clear that the material security goal of securing semiconductor supply is synergistic with the Union's cybersecurity goals. However, while fabrication could potentially be realized within the Union's territory, the harvesting of natural resources cannot. 
For this reason, the EU explicitly states that access to critical resources is a key strategic security issue, necessary for ensuring access to materials for digital and defence applications,55 with a need to reduce dependencies on external suppliers, or alternatively, bring those supply lines under European regulatory influence.56
In its 2023 Communication on critical raw materials, the Commission explicitly links its material and cyber goals, stating that:
Ensuring secure and sustainable supply of critical raw materials … is at the core of [the] EU's political priorities for the twin [green and digital] transition. It is also essential for increased security capabilities in the defence [and] space sectors.57
Security concerns are predominant in the Communication, with concerns raised over the limited number of external providers of raw materials upon which Europe relies, with geopolitical instability having an impact upon the accessibility of these resources.58 In addition to the proposed regulation, this Communication highlights the importance to the EU of forming bilateral relations with third countries rich in specific critical raw materials such as lithium, cobalt and titanium, guaranteeing supply in exchange for EU market access and investment.59 In this respect, a certain mercantilist dimension to this Communication is made apparent—in order to ensure economic competitiveness and security, the EU intends to bring natural resources under its own control, while also exporting its own regulatory standards, rules and values as the basis for governance frameworks. The Critical Raw Materials Act begins by stating, in article 1, that the purpose of the legislation is to improve the functioning of the internal market by ensuring access to a secure, resilient and sustainable supply of critical raw materials, with an emphasis on identifying and supporting strategic projects that reduce external dependencies, monitoring and mitigating supply risks. The proposal for the regulation was framed in terms of geopolitical tension and EU vulnerabilities, significant enough that regulatory action was deemed critical.60 As such, it is stated to be aligned with goals of ensuring emergency mechanisms to protect the internal market in the event of disruption of supply of strategic goods, as well as ensuring the goals of the proposed Chips Act.61 For this reason, article 19 requires EU member states to draw up national programmes for exploration, seeking to identify any deposits of critical natural resources within the EU's territory as a means of increasing its security of supply. In article 20(3) there is a reference to ‘the geopolitical situation’ being a key risk indicator. 
Security of supply and production is of strategic importance ‘in guaranteeing the EU's open strategic autonomy and European sovereignty’.62 Therefore, cybersecurity, dependent upon semiconductors, ultimately rests upon the security of supply chains, best guaranteed through ensuring as much of that supply chain exists within Europe's physical territory as possible.
Location, location, location: EU data policies
Another field in which the link between cyber and material security is expressed, and therefore where there is a need for bringing technologies within the physical boundaries of the EU—or alternatively, externally under its regulatory control—is data storage. Digital data security is unsurprisingly a cybersecurity issue—however, vulnerability was not previously expressed in terms of external dependencies upon physical infrastructure. Even within the context of the conflict between the United States and the EU over the protection of personal data, in which the General Data Protection Regulation (GDPR)63 was used as a means of providing for extra-territorial regulatory effect,64 cybersecurity and material security were not explicitly centred within the policy outputs of the Commission. The GDPR was explicitly concerned with European values, and the protection of European citizens' rights, but this was not framed in terms of the EU's security interests. Furthermore, data could be transferred out of the EU, or be based on externally located data servers, on the basis of adequacy decisions.65 However, the proliferation of cloud-based data storage services based in US or Chinese territory, or where their headquarters are based within their jurisdiction, has increased the sense of vulnerability given the amount of data produced, stored, and transferred beyond the borders of the EU, much of it commercially sensitive or important for state security. 
The Communication on the Cybersecurity strategy for the digital decade, in its discussion of cyber and material security, referred to leadership ‘in digital technologies and cybersecurity across the digital supply chain (including data and cloud …)’,66 and the role of Europe in setting international standards in this field.67 Here, the concern goes beyond personal data and the protection of citizens, to the protection of information that could be considered confidential, commercially sensitive or important to EU actors' economic interests, and externally located data centres are framed as constituting a threat to this digital data. Here again, the digital and its security are based on the material, and on where objects are physically located. One such example of how this concern plays out is the Commission's ban on its staff using the social media app TikTok on any work-related devices, due to concerns over the transfer of staff data to China and its subsequent accessibility to the Chinese state.68 Digital security is thereby linked to the material, and the foreign ownership of hardware used to store or process data.
The European strategy for data (2020) made clear the geopolitical concerns the EU has in this field, blurring the line between economic and security issues. It states that a small number of ‘big tech’ firms hold a large proportion of the world's data, and that while the EU has the potential to be successful in the data economy, Chinese and US competitors were already innovating and growing market share.69 Furthermore, the EU was highlighted as having comparatively little market share for cloud storage when compared to China and US-based companies, with knock-on security implications—the EU is ‘highly dependent on external providers, vulnerable to external data threats and subject to a loss of investment potential’.70 Responding to security threats—not only in relation to personal data, but also to sensitive or economically valuable non-personal data—is framed as requiring actions consistent with regulatory mercantilism: considering jurisdictional issues relating to data and ensuring that service providers offering cloud data services in the EU are subject to European rules, and that ‘this should not be compromised by jurisdictional claims from outside the EU’,71 and making strategic investments in services such as cloud data servers within Europe, framed as developing ‘a dynamic ecosystem for a data- and cloud-based supply industry in Europe across the value chain’.72 The creation of common European data spaces is part of that ecosystem development, which will not only allow for innovation, but adherence to ‘the highest available cyber-security standards’.73 This would be achieved through ensuring that ‘by 2030, the EU's share of the data economy—data stored, processed and put to valuable use in Europe—at least corresponds to its economic weight, not by fiat but by choice’.74 Doing so would help to ensure the EU's data sovereignty, and by extension, its digital sovereignty.75
The push towards data sovereignty within the EU's broader digital sovereignty ambitions has resulted in a set of legal proposals seeking to extend regulatory control. The first was a proposal for a European Data Governance Act, which aimed to create the conditions necessary for incentivizing the development of common data spaces.76 The second was a proposal for a Regulation for a European Data Act that reaffirmed the desire to create common European data spaces by providing various mechanisms, including heightened data-security principles, in order to prevent third-country access.77 Third-country access to data, including commercial data, was presented as constituting a significant risk, as 85 per cent of cloud services offered in the EU were offered by providers headquartered outside the EU.78 The finalized Data Act79 states that (recital 101) ‘third countries may adopt laws, regulations and other legal acts that aim to directly transfer or provide governmental access to non-personal data located outside their borders, including in the Union’ and that, wherever possible, data services should inform the customers whose data are requested in order to ensure that there is no conflict with EU or national laws. In order to give this effect, article 32 requires data processing services to take all adequate technical, organizational and legal measures in order to prevent international and third-country governmental access in the context of non-personal data, expanding the scope beyond the protection of citizens' rights to the protection of economically valuable or sensitive information with security implications. Where it is requested, the request shall only be enforceable if governed by international agreement, or where the request is deemed proportionate and reasonable, as well as specific in terms of its character, such as in order to identify a potential infringement of law.
A similar provision exists in article 30 of the Data Governance Act.80 Such a mechanism seeks to ensure that EU rules and values have effect beyond Europe's borders, in cases in which data is held on servers physically outside the EU, but where this has implications for EU cybersecurity. If we return to the regulatory mercantilism ‘triangle’ represented in figure 1, data server control serves as an excellent example of the drawing together of the three key themes of economy, security and sovereignty.
While not quite as developed as its semiconductor fabrication policy, the EU's promotion of common European data spaces is progressing, incentivizing the development of ‘domestic’ cloud services. In its 2024 staff working document on common data spaces, the Commission states that this is essential to guaranteeing ‘technological sovereignty … in the context of an uncertain geopolitical environment’.81 Common to the data spaces being created, the Commission maintains, is a commitment to security, based on European rules and values,82 representing a widening of the approach initially begun under the GDPR, but one in which the discourse of fundamental rights protection has been subsumed into a broader ‘economy and security’ logic that characterizes external dependency as vulnerability. The EU is also seeking the promotion of EU-based infrastructure projects under the auspices of new European Digital Infrastructure Consortia, which can apply for funding from the EU.83 All of this is intended to increase the competitiveness of European cloud operators, countering the dominance of foreign firms and reducing dependency upon them, which has been framed in sovereignty terms—both in terms of ensuring companies play by European rules and values and also in order to protect the EU's strategic interests.84 Control therefore becomes central—both through achieving cybersecurity by incentivizing the relocation of resources within the EU's physical space, and through extending its regulatory influence beyond this physical space. In both respects, however, the linkages between cyber and material security, and the importance of location are present, underscored by a persistence of digital sovereignty claims.85
Letting the right ones in: EU cybersecurity for digital products
Cybersecurity goes beyond the protection of networks and information systems already provided for under the NIS2 Directive.86 Cybersecurity threats can arise from hardware as well as from internet-enabled software, which, for the EU, means that it seeks to reinforce the security of the entire technology supply chain as a means of ‘developing the EU's technological sovereignty in cybersecurity, building capacity to secure sensitive infrastructures such as 5G, and reduce dependence on other parts of the globe for the most crucial technologies’.87 Concerns over 5G in particular have motivated states and international organizations around the world,88 including NATO.89 In its 2019 publication EU–China: a strategic outlook, the Commission stated that ‘foreign investment in strategic sectors, acquisitions of critical assets, technologies and infrastructure in the EU, involvement in EU standard-setting and supply of critical equipment can pose risks to the EU's security’,90 highlighting the need for comprehensive cybersecurity actions that would ‘enable the EU to act collectively in protecting its economy and society’.91 As well as improving the existing cybersecurity provisions for critical information infrastructures as part of a move to strengthen the EU's strategic autonomy92 through the adoption of NIS2, the EU has proposed a number of measures aimed at strengthening cybersecurity that are predicated on notions of building European infrastructure within European space on the basis of external threats. The first is the proposal for a Cyber Solidarity Act,93 and the second is a proposal for a Cyber Resilience Act.94
The proposal for a Cyber Solidarity Act foregrounds geopolitical stability in its explanatory memorandum, referring to hybrid warfare and stating that ‘Russia's military aggression against Ukraine was preceded and is being accompanied by a strategy of hostile cyber operations, which is a game changer for the perception and assessment of the EU's collective cybersecurity crisis management’.95 The regulation was therefore based on ensuring Europe's digital sovereignty in the field of cybersecurity,96 through a number of measures including the deployment of pan-European infrastructure described as a ‘European Cyber Shield’.97 In this, we see strong regulatory mercantilism framing—external threat perception, a driver for increased regulatory control, and the merging of economic and security interests through the promotion of ‘European’ infrastructure development. The legal basis of the proposal is article 173(3) of the Treaty on the Functioning of the European Union, which concerns the competitiveness of European industry, in this context to build an effective security system, while the document states that no impact assessment was sought due to the urgent nature of the regulatory proposal.98 Recital 2 of the proposal refers to the cybersecurity threats posed due to geopolitical instability, and recital 3 states that in order to provide resilience, ‘it is necessary to strengthen the competitive position of industry and services sectors in the Union … Therefore, investment in infrastructures and services’ is necessary. The creation of the pan-European Cyber Shield is framed in recital 20 as promoting the EU's digital sovereignty, and, interestingly, securing this digital sovereignty is stated as an objective in article 1(2). 
Article 3 provides that the Cyber Shield will be supported by funding from the Digital Europe Programme, and article 8 states that member states are required to ensure a high level of data security and physical security for the Cyber Shield, strongly supporting the thesis of this article that cyber and material security are becoming inextricably linked in the EU's digital policies.
The Cyber Resilience Act focuses on the vulnerabilities in ‘products with digital elements’.99 As one of its main objectives, it targets the creation of conditions for the development of secure products, through ensuring that hardware and software applications made available in the EU are subject to cybersecurity through their entire life-cycle.100 While third-country manufacturers, or indeed the countries in which they are based, are not explicitly stated as a threat, the threat logic that motivated the creation of the proposal, drawing from the cybersecurity strategy, is strongly geopolitical.101 The central feature of the proposed regulation is that goods placed in the internal market should be subject to certain cybersecurity requirements applicable to the entire life-cycle of the product. Those goods considered to be of particular concern are listed under Class I and Class II, and are to be subject to stricter conformity assessments, as indicated in recital 26, with recital 27 making clear that microprocessors (which are largely produced outside the EU) constitute a greater threat, requiring mandatory third-party assessment. In order to guarantee this security, when goods physically enter the EU, they are subject to EU control through market surveillance and enforcement, overseen by ENISA, the EU's cybersecurity agency under article 41. Importers and distributors of products with digital elements are required to ensure compliance with the essential cybersecurity requirements listed in annex I, with Class I and II items, which include hardware such as microprocessors, routers, hardware security modules, cryptoprocessors, smartcards and smartcard readers, being listed in annex III. These items, should they fail to meet the conformity assessment criteria, can potentially be withdrawn from the internal market under article 45. 
The combination of the Cyber Solidarity proposal with the Cyber Resilience proposal presents a clear linkage of economic and security goals, with physical location being important in the context of providing for cyber and material security. While the European Cyber Shield focuses on infrastructure development in order to promote European responses to external threats, the mandatory conformity assessments for critical goods, many of which are produced outside the EU, are subject to regulatory controls intended to bind manufacturers beyond Europe's borders where those manufacturers wish to make their products available in Europe. In this sense, space, and its control in a physical sense, become essential to guaranteeing control also in a digital sense.
Conclusions
The EU's ‘geopolitical union’ has in large part been influenced by a perception that the world has become more unstable, and that the EU is vulnerable to these external shocks. The response to this perceived vulnerability in fields concerning critical technologies has been the pursuit of policies that align with a regulatory mercantilism framework: that is, ensure sovereignty through bolstering internal industry, accumulate important resources whether in the form of physical goods or data, and seek to further develop the economy in the interests of security. This has been done through regulatory reform, as a mechanism to build internally while promoting these regulatory standards externally. Within this vision of its external relations, the Commission has made clear discursively its perception of the links between cyber and material security objectives, and of the importance of location to cybersecurity, which was once characterized by discourses of borderlessness. Given the growing importance of security within its technology policies, the EU has adopted an approach that highlights the interdependence of economic and security goals in policy documents. In this approach, the relations between cyber and material serve as a basis for legislative interventions that seek to boost ‘domestic’ services and regulate those outside its control, reflecting an understanding of security that was not yet explicit in the EU's technology-related policies. In fact, the authors believe that the regulatory mercantilist framework also has the potential to provide insight into other policy areas being shaped by the EU's geopolitical ambitions and would encourage further research being carried out in those fields.
With its actions aimed at strategic autonomy in the semiconductor sector, its data governance framework and hardware cybersecurity compliance requirements, the EU seeks to achieve cybersecurity through the pursuit of de-risking and reducing external dependencies by focusing on physical location. The Commission highlights that its ability to provide for cybersecurity is ultimately dependent upon material security. Supply chains for semiconductor production and the raw materials of which they are composed need to be brought into the EU's territory, and if that is not physically possible, must be brought within its regulatory influence. Cloud data servers and common data spaces are to be invested in and promoted within Europe's physical space, or, when based outside it, are to be made subject to rules that seek to limit the security threats presented by third states. Hardware that fails to meet the designated cybersecurity standards, motivated by concerns over technology equipment produced outside the EU, is not to be made available in the internal market. In other words, trade and economic security affect cybersecurity as much as cybersecurity affects trade and economic security. In this context, there is something of a return to a mercantilist understanding that international relations are not about trade-offs between economic goals and distinct security goals, but represent a system in which economic goals are security goals, and vice versa. Achieving both is dependent upon, and in turn reinforces, sovereignty. If globalization is seen as failing in key sectors, regulatory mercantilism becomes increasingly visible in policy development.
Footnotes
Ursula von der Leyen, ‘Answering the call of history’, 2023 State of the Union address, Strasbourg, 13 Sept. 2023.
Elena Sánchez Nicolás, ‘Von der Leyen appeals for “new EU defence mindset”’, EUobserver, 28 Feb. 2024, https://euobserver.com/eu-elections/158155. (Unless otherwise noted at point of citation, all URLs cited in this article were accessible on 25 Sept. 2024.)
Lorne Cook, ‘A top EU official calls for a new defense industry strategy with locally made arms at its heart’, AP News, 28 Feb. 2024, https://apnews.com/article/eu-defense-industry-ukraine-war-russia-assets-9f0c46e058122958f621f198cd53d775.
See Joost Pauwelyn, ‘WTO dispute settlement post 2019: what to expect?’, Journal of International Economic Law 22: 3, 2019, pp. 297–321, https://doi.org/10.1093/jiel/jgz024; Ernst-Ulrich Petersmann, ‘Economic disintegration? Political, economic, and legal drivers and the need for “greening embedded trade liberalism”’, Journal of International Economic Law 23: 2, 2020, pp. 347–70 at p. 347, https://doi.org/10.1093/jiel/jgaa005; Paul B. Stephan, The world crisis and international law: the knowledge economy and the battle for the future (Cambridge, UK: Cambridge University Press, 2023).
Although it is not uncommon to see academics and practitioners use these terms interchangeably, this article equates ‘digital’ with online presence (namely, data), and ‘cyber’ with a more comprehensive concept that also includes infrastructure, such as online networks and computer systems.
Nicholas Zúñiga, Saheli Datta Burton, Filippo Blancato and Madeline Carr, ‘The geopolitics of technology standards: historical context for US, EU and Chinese approaches’, International Affairs 100: 4, 2024, pp. 1635–52, https://doi.org/10.1093/ia/iiae124.
Helena Carrapico and Benjamin Farrand, ‘Discursive continuity and change in the time of COVID–19: the case of EU cybersecurity policy’, Journal of European Integration 42: 8, 2020, pp. 1111–26, https://doi.org/10.1080/07036337.2020.1853122.
See the introduction to this special section: Linda Monsees and Tobias Liebetrau, ‘Cybersecurity and International Relations: developing thinking tools for digital world politics’, International Affairs 100: 6, 2024, pp. 2303–14, https://doi.org/10.1093/ia/iiae232.
Clare Stevens, ‘Assembling cybersecurity: the politics and materiality of technical malware reports and the case of Stuxnet’, Contemporary Security Policy 41: 1, 2020, pp. 129–52, https://doi.org/10.1080/13523260.2019.1675258; Myriam Dunn Cavelty, ‘The materiality of cyberthreats: securitization logics in popular visual culture’, Critical Studies on Security 7: 2, 2019, pp. 138–51, https://doi.org/10.1080/21624887.2019.1666632.
First conceptualized in Benjamin Farrand and Helena Carrapico, ‘Digital sovereignty and taking back control: from regulatory capitalism to regulatory mercantilism in EU cybersecurity’, European Security 31: 3, 2022, pp. 435–53, https://doi.org/10.1080/09662839.2022.2102896.
Best understood in terms of regulatory capitalism, as devised and expanded upon in David Levi-Faur, ‘The global diffusion of regulatory capitalism’, The ANNALS of the American Academy of Political and Social Science 598: 1, 2005, pp. 12–32, https://doi.org/10.1177/0002716204272371; David Levi-Faur, ‘Regulatory capitalism’, in Peter Drahos, ed., Regulatory theory: foundations and applications (Acton, ACT: Australian National University Press, 2017).
Helena Carrapico and Benjamin Farrand, ‘“Dialogue, partnership and empowerment for network and information security”: the changing role of the private sector from objects of regulation to regulation shapers’, Crime, Law and Social Change, vol. 67, 2017, pp. 245–63, https://doi.org/10.1007/s10611-016-9652-4.
Benjamin Farrand, ‘Regulating misleading political advertising on online platforms: an example of regulatory mercantilism in digital policy’, Policy Studies 45: 5, 2024, pp. 730–49, https://doi.org/10.1080/01442872.2023.2258810.
Farrand and Carrapico, ‘Digital sovereignty and taking back control’.
Elisabeth Braw, Goodbye globalization: the return of a divided world (New Haven, CT: Yale University Press, 2024).
Dennis Broeders, Fabio Cristiano and Monica Kaminska, ‘In search of digital sovereignty and strategic autonomy: normative power Europe to the test of its geopolitical ambitions’, Journal of Common Market Studies 61: 5, 2023, pp. 1261–80, https://doi.org/10.1111/jcms.13462.
See for example Jacob Viner, ‘Power versus plenty as objectives of foreign policy in the seventeenth and eighteenth centuries’, World Politics 1: 1, 1948, pp. 1–29, https://doi.org/10.2307/2009156; Charles Wilson, Mercantilism (London: Historical Association/Routledge and Kegan Paul, 1958); and the original writings of mercantilist thinkers such as Thomas Mun, England's treasure by forraign trade, or the ballance of our forraign trade is the rule of our treasure [sic] (London: JG for Thomas Clark, 1664); Josiah Child, A new discourse of trade wherein is recommended several weighty points relating to companies of merchants (London: John Everingham, 1693).
On this, the excellent works of Eli F. Heckscher, Mercantilism [1931] (Abingdon and New York: Routledge, 1994) and Lars Magnusson, The political economy of mercantilism (Abingdon and New York: Routledge, 2015) are highly valuable.
Farrand, ‘Regulating misleading political advertising on online platforms’.
Farrand and Carrapico, ‘Digital sovereignty and taking back control’.
Samuel MacIsaac and Buck C. Duclos, ‘Trade and conflict: trends in economic nationalism, unilateralism and protectionism’, Canadian Foreign Policy Journal 26: 1, 2020, pp. 1–7, https://doi.org/10.1080/11926422.2020.1714682.
Gustav Schmoller, The mercantile system and its historical significance, transl. by William James Ashley (London: Macmillan, 1897); Friedrich List, The national system of political economy, transl. by G. A. Matile (Philadelphia, PA: J. B. Lippincott, 1856).
Farrand and Carrapico, ‘Digital sovereignty and taking back control’.
As typified in European Commission, Shaping Europe's digital future (Luxembourg: Publications Office of the EU, 2020).
Ursula von der Leyen, A Europe that strives for more: my agenda for Europe (Brussels: European Commission, 2019), p. 13.
European Commission, Shaping Europe's digital future, p. 3.
European Commission, Shaping Europe's digital future; see also Farrand and Carrapico, ‘Digital sovereignty and taking back control’, pp. 445–6.
European Commission and High Representative of the European Union for Foreign Affairs and Security Policy, Cyber security strategy of the European Union: an open, safe and secure cyberspace, 2013, JOIN(2013), p. 1.
Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection, Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience, 2009, COM(2009) 149 final.
European Commission and High Representative of the Union for Foreign Affairs and Security Policy, Joint framework on countering hybrid threats, 2016, JOIN(2016) 18 final.
European Commission and High Representative of the Union for Foreign Affairs and Security Policy, The EU's cybersecurity strategy for the digital decade, 2020, JOIN(2020) 18, p. 1.
European Commission and High Representative of the Union for Foreign Affairs and Security Policy, The EU's cybersecurity strategy for the digital decade.
European Commission and High Representative of the Union for Foreign Affairs and Security Policy, The EU's cybersecurity strategy for the digital decade, p. 4.
European Commission, 2020 Strategic foresight report: charting the course towards a more resilient Europe, 2020, COM(2020) 493, pp. 30–31.
In the Cybersecurity Strategy, the Commission refers to this as ‘thinking global, acting European’, as stated in European Commission and High Representative of the Union for Foreign Affairs and Security Policy, The EU's cybersecurity strategy for the digital decade, p. 4.
Bennis Wai Yip So, ‘Reassessment of the state role in the development of high-tech industry: a case study of Taiwan's Hsinchu Science Park’, East Asia, vol. 23, 2006, pp. 61–86, https://doi.org/10.1007/s12140-006-0023-0.
Yongshin Kim and Sungho Rho, ‘The US–China chip war, economy–security nexus, and Asia’, Journal of Chinese Political Science, vol. 29, 2024, pp. 433–60, https://doi.org/10.1007/s11366-024-09881-7.
Matthias Matthijs and Sophie Meunier, ‘Europe's geoeconomic revolution: how the EU learned to wield its real power’, Foreign Affairs 102: 5, 2023, pp. 168–79 at p. 168, https://www.foreignaffairs.com/europe/european-union-geoeconomic-revolution.
Chad P. Bown, ‘How the United States marched the semiconductor industry into its trade war with China’, East Asian Economic Review 24: 4, 2020, pp. 349–88, https://doi.org/10.11644/KIEP.EAER.2020.24.4.384.
Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs and Directorate-General for the Joint Research Centre, European chips survey report (Brussels: European Commission, 2022).
Regulation 2023/1781 establishing a framework of measures for strengthening Europe's semiconductor ecosystem and amending Regulation 2021/694 (Chips Act).
Regulation 2024/1252 establishing a framework for ensuring a secure and sustainable supply of critical raw materials and amending Regulations 168/2013, 2018/858, 2018/1724 and 2019/1020.
Henry Farrell and Abraham Newman, ‘The new economic security state: how de-risking will remake geopolitics’, Foreign Affairs, 19 Oct. 2023, https://www.foreignaffairs.com/united-states/economic-security-state-farrell-newman.
Ursula von der Leyen, ‘Strengthening the soul of our Union’, 2021 State of the Union address by President von der Leyen, 15 Sept. 2021, https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_21_4701.
von der Leyen, ‘Strengthening the soul of our Union’.
European Commission, A Chips Act for Europe, 2022, COM(2022) 45 final.
European Commission, A Chips Act for Europe.
European Commission, A Chips Act for Europe.
European Commission, A Chips Act for Europe.
European Commission, A Chips Act for Europe.
European Commission, A Chips Act for Europe, p. 4.
European Commission, Proposal for a regulation establishing a framework of measures for strengthening Europe's semiconductor ecosystem (Chips Act), 2022, COM(2022) 46.
Regulation 2023/1781, art. 13.
Regulation 2023/1781, art. 14.
European Commission, The European Green Deal, 2019, COM(2019) 640, p. 8.
Ursula von der Leyen, ‘A union that stands strong together’, 2022 State of the Union Address by President von der Leyen, 14 Sept. 2022, https://ec.europa.eu/commission/presscorner/detail/en/speech_22_5493.
European Commission, A secure and sustainable supply of critical raw materials in support of the twin transition, 2023, COM(2023) 165 final, p. 1.
European Commission, A secure and sustainable supply of critical raw materials in support of the twin transition, pp. 1–2.
European Commission, A secure and sustainable supply of critical raw materials in support of the twin transition, pp. 10–12.
European Commission, Proposal for a regulation establishing a framework for ensuring a secure and sustainable supply of critical raw materials, 2023, COM(2023) 160, p. 2.
European Commission, Proposal for a regulation establishing a framework for ensuring a secure and sustainable supply of critical raw materials, p. 7.
European Commission, Proposal for a regulation establishing a framework for ensuring a secure and sustainable supply of critical raw materials, p. 5.
Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and free movement of such data, and repealing Directive 95/46/EC.
See, generally, Anu Bradford, The Brussels effect: how the European Union rules the world (Oxford: Oxford University Press, 2021); and Moritz Laurer and Timo Seidl, ‘Regulating the European data-driven economy: a case study on the General Data Protection Regulation’, Policy & Internet 13: 2, 2021, pp. 257–77, https://doi.org/10.1002/poi3.246.
See Martin Brodin, ‘A framework for GDPR compliance for small- and medium-sized enterprises’, European Journal for Security Research 4: 2, 2019, pp. 243–64, https://doi.org/10.1007/s41125-019-00042-z; it is worth mentioning that adequacy decisions are not a given, even with states such as the US; the Court of Justice of the European Union declared the EU–US Privacy Shield invalid on the basis that it was not seen as safeguarding citizens' rights, under Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd & Maximillian Schrems, EU:C:2020:559.
European Commission and High Representative of the Union for Foreign Affairs and Security Policy, The EU's cybersecurity strategy for the digital decade, p. 11.
European Commission and High Representative of the Union for Foreign Affairs and Security Policy, The EU's cybersecurity strategy for the digital decade, p. 20.
Jorge Liboreiro and Natalie Huet, ‘European Commission bans staff from using TikTok over security fears’, euronews, 23 Feb. 2023, https://www.euronews.com/next/2023/02/23/european-commission-bans-its-staff-from-using-tiktok-over-china-cybersecurity-concerns.
European Commission, A European strategy for data, 2020, COM(2020) 66 final, p. 3.
European Commission, A European strategy for data, p. 9.
European Commission, A European strategy for data, p. 14.
European Commission, A European strategy for data, p. 17.
European Commission, A European strategy for data, p. 22.
European Commission, A European strategy for data, p. 4.
European Commission, Impact assessment accompanying the proposal for a regulation on European data governance (Data Governance Act), 2020, SWD(2020) 295 final.
European Commission, Proposal for a regulation on European data governance, 2020, COM(2020) 767, p. 3.
European Commission, Proposal for a regulation on harmonised rules on fair access to and use of data (Data Act), 2022, COM(2022) 68, pp. 2–3.
European Commission, Impact assessment accompanying the proposal for a regulation on harmonised rules on fair access to and use of data (Data Act), 2022, SWD(2022) 34 final, p. 14.
Regulation 2023/2854 on harmonised rules on fair access to and use of data and amending Regulation 2017/2394 and Directive 2020/1828.
Regulation 2022/868 on European data governance and amending Regulation 2018/1724.
European Commission, Commission staff working document on common European data spaces, 2024, SWD(2024) 21 final, p. 5.
European Commission, Commission staff working document on common European data spaces, p. 4.
European Commission, Commission staff working document on common European data spaces, p. 14.
See for example Gerda Falkner, Sebastian Heidebrecht, Anke Obendiek and Timo Seidl, ‘Digital sovereignty—rhetoric and reality’, Journal of European Public Policy 31: 8, 2024, pp. 2099–120, https://doi.org/10.1080/13501763.2024.2358984.
Julia Rone, ‘“The sovereign cloud” in Europe: diverging nation state preferences and disputed institutional competences in the context of limited technological capabilities’, Journal of European Public Policy 31: 8, 2024, pp. 2343–69, https://doi.org/10.1080/13501763.2024.2348618.
Directive 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation 901/2014 and Directive 2018/1972, and repealing Directive 2016/1148.
European Commission and High Representative of the Union for Foreign Affairs and Security Policy, The EU's cybersecurity strategy for the digital decade, p. 11.
Roxana Radu and Cedric Amon, ‘The governance of 5G infrastructure: between path dependency and risk-based approaches’, Journal of Cybersecurity 7: 1, 2021, https://doi.org/10.1093/cybsec/tyab017; Keman Huang, Stuart Madnick, Fang Zhang and Michael Siegel, ‘Varieties of public–private co-governance on cybersecurity within the digital trade: implications from Huawei's 5G’, Journal of Chinese Governance 7: 1, 2022, pp. 81–110, https://doi.org/10.1080/23812346.2021.1923230.
Kadri Kaska, Henrik Beckvard and Tomáš Minárik, Huawei, 5G and China as a security threat (Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2019).
European Commission and High Representative of the Union for Foreign Affairs and Security Policy, EU–China: a strategic outlook, 2019, JOIN(2019) 5 final, p. 9.
European Commission and High Representative of the Union for Foreign Affairs and Security Policy, EU–China: a strategic outlook, pp. 9–10.
European Commission, Proposal for a directive on measures for a high level of cybersecurity across the Union, repealing Directive 2016/1148, 2020, COM(2020) 823, p. 1.
European Commission, Proposal for a regulation laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, 2023, COM(2023) 209.
European Commission, Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation 2019/1020, 2022, COM(2022) 454.
European Commission, Proposal for a regulation laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, p. 1.
European Commission, Proposal for a regulation laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, p. 2.
European Commission, Proposal for a regulation laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, p. 3.
European Commission, Proposal for a regulation laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cybersecurity threats and incidents, p. 7.
European Commission, Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation 2019/1020, p. 1.
European Commission, Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation 2019/1020.
Pol Bargués, Jonathan Joseph and Ana E. Juncos, ‘Rescuing the liberal international order: crisis, resilience and EU security policy’, International Affairs 99: 6, 2023, pp. 2281–99, https://doi.org/10.1093/ia/iiad222; Agnes Kasper and Anna-Maria Osula, ‘“Spill over” and “fail forward” in the EU's cybersecurity regulations’, in David Ramiro Troitiño, Tanel Kerikmäe and Ondrej Hamuľák, eds, Digital development of the European Union: an interdisciplinary perspective (Cham, Switzerland: Springer International Publishing, 2023).
Author notes
This article is part of a special section in the November 2024 issue of International Affairs on ‘Cybersecurity and International Relations: developing thinking tools for digital world politics’, guest-edited by Tobias Liebetrau and Linda Monsees. We would like to thank the editors of the special issue, Linda and Tobias, for their unwavering support throughout this article's journey. We would also like to offer our special thanks to the editor of International Affairs, Andrew Dorman, for pushing us to think beyond the boundaries of our original case-study. We would also like to thank a large number of colleagues who took the time to read drafts, listen to our presentations, and provide comments, as well as encouragement. These include Andre Barrinha, Ben Martill, George Christou, Tim Stevens, Xuechen Chen, Xinchuchu Gao, Jeppe Jacobsen, Nitasha Kaul, the colleagues present at the special issue workshop in October 2023, and the colleagues from the BISA Working Group on International Studies and Emerging Technologies who were present at the Annual Conference Panel in June 2024.