Cybersecurity in the European Union

Abstract

Because of the asymmetric nature of cyber threats and the dynamics of their evolution, there is a tendency for a growing role of security cooperation activities in cyberspace through joint efforts of states and non-state actors in international relations. New challenges and threats caused by the global pandemic are linked with an increased internet activity. The recent spread of fake news related to COVID-19 illness caused by SARS-CoV-2 coronavirus might be seen as part of sharp power disinformation strategy applied by state actors. International organisations serve as a forum for discussion to disseminate and analyse knowledge about cybersecurity and the effects of cyber threats, they are at the same time creators of common principles of prevention, legal and institutional solutions, and are complementary to the activities of states in this field. By adopting the regional level of analysis as its methodological perspective, the article shows a natural evolution of cybersecurity means from the time of the 1990s and early 2000s when the focus was set on computer and cyberspace as a tool of serious and organised crime, through the stage when computer crime was endangering cyberspace of the EU Member States, to the period when finally the EU objectives were to achieve an open, safe and secure cyberspace keeping in mind the importance of raising awareness and acquiring skills and knowledge how to avoid or face cyber threats. At the early stages of establishing the EU cybersecurity policy, the documents focused on definitions and identifications of threats and trends. Later stages included organising institutional and legal framework, and setting up specialised institutions, centres and teams. Not only did the understanding of cyber-related issues changed but also the response of the EU to cyber threats. The transition is from the soft law instruments (recommendations) such as guidelines, communications, declarations, roadmaps, actions plans, and strategies towards more hard law instruments (obligations) such as directives and other legislative acts. The character of directives has also changed – from directives on cyber-related issues to those characterised as cyber-oriented, each being more ambitious than the previous one. The complete appraisal of the effectiveness of the EU cyber security policy is impeded by a specific nature of cyberspace and its security, as well as problems with gathering appropriate data.