Europeanization on Demand: The EU Cybersecurity Certification Regime Between Market Integration and Core State Powers [1997-2019]
The digital sphere is consistently expanding, and now encompasses more than half of the world’s population with eight billion digital devices (Kemp, 2019). The growth of this sphere is accompanied by the emergence of ‘cybersecurity risks’, defined here as the protection of information and communication technologies from unauthorized access or attempted access (Finnemore and Hollis, 2016). With digital practices increasingly employed across all industrial sectors, and in every dimension of the production process (Bughin et al., 2017), it is hard to exaggerate the social and economic importance of secure digital infrastructures. But how are policy outcomes shaped to deal with this fundamental social problem? Can we rest assured that policy outputs fully address the functional problems of securing society’s digital infrastructures? Or do politics and battles over decision-making authority prevent cybersecurity policies from fully realizing their potential for the public?
My new article aims to tackle these questions. Through a process-tracing analysis based on 41 policy documents and 18 interviews, I analyze cybersecurity certification in Europe over the past two decades, up until the recently agreed Cybersecurity Act that created a new framework for European cybersecurity certification. In the age of the ‘Internet of Things,’ in which connectivity is built into ‘everyday’ devices such as meters, refrigerators, toasters, watches, and key cards, consumers seek assurance that their products and devices are sealed and secured. Certification as a tool of governance aims to provide exactly that. It gives products a ‘quality assurance’ based on a successful evaluation process conducted according to rigorous standards. But who controls this governance process? How do the interests of industry, member states, and EU institutions shape the way products will be certified for security in the EU?
Surprisingly, the empirical analysis showed that despite promises by EU policymakers to ‘completely replace’ and ‘fundamentally change’ the current fragmented and nationally-oriented ecosystem for certification, the Cybersecurity Act created a regime that is strikingly similar to what is already in place. The paper deconstructs the ‘institution’ of certification governance into four components: (1) standardization, (2) accreditation, (3) certification, and (4) evaluation, and shows how national authorities enjoy significant veto points in each of these regime components. For instance, member states can block the adoption of any EU certificate, and completely control processes of standard setting and certification, just like in the already existing arrangements. Furthermore, after pressure from national authorities, current certification paths remain valid, providing alternatives to the new arrangements and questioning their significance.
I then try to explain this empirical puzzle. How can a policy regime that aimed to solve functional problems in current certification arrangements propose only marginal changes to the governance process? How can we explain an EU policymaking process that, in practice, has not really changed previous policy arrangements? I derive three research hypotheses from classical EU integration theories – neofunctionalism and intergovernmentalism. The first hypothesis examines whether a limited regime best serves current functional problems in certification. These include the lack of mutually recognized certificates across the Union, different regulatory burdens to certify in each member state, and the lack of voluntary adoption of certification mechanisms by manufacturers. The second hypothesis investigates whether Eurocrats were the agents of further integration, and to what extent the EU Commission’s interest in becoming more influential in the cybersecurity policy space can explain the marginal change from current practices. The third hypothesis tests whether the interests of member states are served by further integration of cybersecurity certification and how they can explain a regime that mostly maintains the status quo. For each research hypothesis, a causal mechanism was introduced, and the stream of evidence was assessed based on the certainty and the uniqueness of each piece of evidence for the hypothesized causal mechanism (Van Evera, 1997).
I found that it was in the best interests of almost all parties involved to diverge only slightly from existing arrangements and create nationally-controlled certification arrangements on top of (not instead of) existing ones. The first hypothesis explains some of the functional solutions in the emerging regime, but only partially explains the chosen design for the new regime, as most of the stated functional problems would have been better served by a harmonized, ‘fully European,’ certification regime.
The second hypothesis highlights how the Commission acted instrumentally to get the new certification framework approved, despite significant veto points for national actors in the new framework, as long as some of the Commission’s long-term interests could potentially be secured: The European Union Agency for Cybersecurity (previously known as ‘ENISA’) has become central to the certification process; European certificates would gradually replace national ones; private certifiers have been elevated to certify on behalf of the EU. These arrangements are likely to increase the influence of the Commission in this policy space over time, if member states allow it.
The third hypothesis sheds light on the ability of powerful member states – France, Germany, and the UK – which also enjoy significant certification capacities, to effectively incorporate significant control points throughout the components of the emerging regime, and thereby further legitimize their central role in this space.
Thus, the design of a limited Europeanized regime for certification, despite clear functional problems in current arrangements, served the goals of the stakeholders involved. I label this form of EU policy development ‘Europeanization on Demand,’ since it allows integration to occur case by case, on the demand and in the interests of national authorities. The Commission was able to draw on its internal market powers, alongside member states’ ability to invoke their competences over national security.
Theoretically, I view this integration case as a challenge to the dichotomous understanding of EU integration as either market integration or core state powers integration (e.g. Genschel and Jachtenfuchs, 2018). Integrating cybersecurity certification is an attempt to create a market for certified products, while mobilizing core state capacities for certifying sensitive infrastructures. Dynamics from both types of integration applied, and friction in the policymaking process remains significant. An attempt to follow market integration practices in a sensitive national security topic led to a questionable level of Europeanization.
This is also an important turning point in EU cybersecurity integration attempts, as it aims to mobilize, for the first time, national cybersecurity capacities at decision-making levels ‘beyond the state,’ at the supranational/intergovernmental levels. Initially, in cybersecurity governance, the EU was influential through ‘soft’ tools and took the role of a facilitator. The Network and Information Security (NIS) Directive and the Cybersecurity Act signal a potential change, despite significant reluctance among member states.
In an age of emerging risks from digital technologies that challenge both market and state actors, this observed intersection of economic and sovereignty-related policy issues is likely to shape future policy regimes in this space. For cybersecurity, a unique policy issue that cuts across a variety of policy arenas and institutional settings (Sivan-Sevilla 2018, 2019), governance efforts face a wide variety of regulatory ideologies and interests to consider. We should pay attention to the political compromises that emerge, to assess whether the balance of power among those who aim to shape cybersecurity policies adequately serves the public interest.
– Ido Sivan-Sevilla, Cornell Tech
– The author’s latest article for the Journal of Public Policy is currently free access until the end of October 2020