Sarah Backman is a PhD Candidate at Stockholm University, Department of Economic History and International Relations. Sarah’s research interest focuses on the phenomenon of large-scale cyber crises and national/international cybersecurity governance. Her doctoral thesis explores how cyber crises are conceptualized and acted upon collectively. She holds a Bachelor’s degree in National Security Policy Studies and a Master’s degree in Security Studies from the Swedish Defence University. Beyond the academic realm, Sarah has extensive experience as a consultant within the field of national cyber security and crisis management.

Twitter: @SarahBackman4

LinkedIn: Sarah Backman

In a relatively short time, cybersecurity has risen to become one of the EU’s security priorities. While the institutionalization of EU-level cybersecurity capacities has been swift and substantial since the first EU cybersecurity strategy was published in 2013, previous research has also identified resistance from Member States to allow the EU to have more stringent control over their cyber activities. Despite a growing literature on EU cybersecurity governance, there are currently extensive gaps in the understanding of this tension. This study suggests that an overlooked explanatory factor can be found in the so far overlooked dynamic consisting of the relative prevalence of risk vs. threat-based security logics in the cybersecurity approach of the EU. Through a comparative analysis of the first and second cybersecurity strategies of the European Union (2013 and 2020), and drawing upon content analysis, qualitative text analysis, and in-depth interviews with senior EU cybersecurity experts, this study highlights a shift from a primarily risk-based security logic towards an increasingly threat-based security logic in the EU’s cybersecurity policy and governance ambitions. Supported by interview data, it also identifies corresponding governance challenges in terms of resistance from Member States to allow the EU increased responsibility in operational and reactive cybersecurity activities. Results are discussed in terms of the development and prospects of the EU as a cybersecurity actor.