The Third Road of EU’s Approach to Cybersecurity

The gradually developing European cybersecurity policy is trying to establish, and has already established, a set of minimum acceptable rules in all its Member States on prevention, resilience and international cooperation in this area. Its aim is to promote national security without undermining democratic principles or unduly infringing on individual freedoms. In the context of peaceful coexistence with other states in cyberspace, while also upholding its core values such as fundamental rights and the rule of law, the EU has adopted a market approach to the delineation and upcoming rule-making in cyberspace (Bendiek & Pander Maat, 2019).

The EU, recognising that it is the largest single market in the world, as well as its attractiveness to foreign companies wishing to operate in its space, has chosen to prioritise its cybersecurity policy, ensuring in this way that it functions better, as it is a component of its existence. Therefore, as with any other product, the EU sets high standards for technological products before they can enter the European single market. This sets the stage, from the outset, for a strengthened cybersecurity policy from the ground up, as technological products entering the EU, both tangible and intangible, adhere to specific standards set by the EU (Bach & Newman, 2008).

The EU, not having exclusive competences in the field of security and, in this case, cybersecurity, sets rules through its single market. Therefore, if companies wishing to operate in the European market import products that do not meet the security requirements, both their products and the companies are excluded from entering the European market. A key role in this process is played by ENISA, which has a fixed mandate from 2019, with responsibilities including cybersecurity certification, supporting the technical capacity building of EU institutions, and supporting and drafting cybersecurity policies. Through this market approach, the EU is strengthening its resilience by enhancing its level of prevention against cyberattacks and, at the same time, strengthening its position as a soft regulatory power at the international political level (Council of the European Union, 2010).

A typical example is the General Data Protection Regulation, which safeguards both fundamental values of the Union, such as privacy, and the single market and security, as it excludes technological products that may be considered malicious due to their security vulnerabilities. As a result of the absolute exclusion from the single market, businesses typically adopt European standards for all their commercial activity around the world (Bendiek & Schallbruch, 2019). For instance, an American citizen may benefit, without knowing it, when using an app based in India that does not store his/her sensitive personal data. This is because the app applies a uniform policy for its activities in order to be part of, and participate in, the European market (Bradford, 2020).

It is therefore clear that the EU’s cybersecurity rules, due to their global reach, make it a soft power in shaping international cybersecurity. This European approach is not accidental. It was understood very early on in the EU that the internet would become a new field of conflict between states, as is the case between the current superpowers – the US and the People’s Republic of China. It has also been recognised that in cyberspace, due to interconnected information systems, there is interdependence, and as such, cyber shielding boundaries cannot be set in line with national territory where states are free to impose the same rules (Latici, 2020).

For this reason, the adoption of institutional neoliberalism that favours commercial cooperation between states (in order to make their coexistence more peaceful) is considered innovative in terms of international relations, given how it is combined with the EU’s approach to the security of its internal market and promotion of cybersecurity standards. A different approach, such as that of Realism in international relations, could contribute to a process of constant over-armament of states that may lead, if not to a Cold War era, certainly to constant friction between rival states. If in the future cyber-attacks are able to activate kinetic means, a scenario like this will certainly have disastrous consequences for the critical infrastructure of a state under cyber-attack.

Furthermore, the EU has laid the foundations for what is acceptable behaviour on the internet at the state level. Although still in its early stages, this effort seems to be well received by states wishing to have trade relations with the EU. It will be interesting to see how this European innovation could be translated into an international code of good cyber conduct that would have universal recognition.  

By Miltiadis Lapatsanis


Bach, D., & Newman, A. L. (2008). The European regulatory state and global public policy: micro-institutions, macro-influence. Journal of European Public Policy, 833.

Bendiek, A., & Pander Maat, E. (2019). The EU’s Regulatory Approach to Cyber-security. SWP Working Papers, 4-6.

Bendiek, A., & Schallbruch, M. (2019). Europe’s third way in cyberspace. Berlin: Stiftung Wissenschaft Und Politik.

Bradford, A. (2020). The Brussels Effect. How the European Union rules the world. New York: Oxford University Press.

Council of the European Union. (2010). Draft Council Conclusions on an Action Plan to Implement the Concerted Strategy to Combat Cyber-crime. Brussels: Council of the European Union.

Latici, T. (2020). Understanding the EU’s approach to cyber diplomacy and cyber defence. EU policies – Insights, 4.