Risk vs. Threat-based cybersecurity: the case of the EU

In a relatively short time, cybersecurity has risen to become one of the EU’s security priorities. While the institutionalisation of EU-level cybersecurity capacities has been substantial since the first EU cybersecurity strategy was published, previous research has also identified resistance from member states to allow the EU to have more control over their cybersecurity activities. Despite a growing literature on EU cybersecurity governance, there are currently extensive gaps in the understanding of this tension. This study suggests that an explanatory factor can be found in the so-far overlooked dynamic of the relative prevalence of risk vs. threatbased security logics in the EU cybersecurity approach. By distinguishing between risk and threat-based logics in the development of the EU cybersecurity discourse over time, this study highlights a shift towards an increasing threat-based security logic in the EU cybersecurity approach. The identified development highlights securitising moves enacting to a larger extent than before objects and subjects of security traditionally associated with national security. The study identifies specific areas of member state contestation accompanying this shift and concludes with a discussion on the findings in relation to the development of the EU as a security actor in the wider international cybersecurity landscape.