To save content items to your account,
please confirm that you agree to abide by our usage policies.
If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account.
Find out more about saving content to .
To save content items to your Kindle, first ensure no-reply@cambridge.org
is added to your Approved Personal Document E-mail List under your Personal Document Settings
on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part
of your Kindle email address below.
Find out more about saving to your Kindle.
Note you can select to save to either the @free.kindle.com or @kindle.com variations.
‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi.
‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.
Digital policymaking in the European Union (EU), once seen as an internal market concern, is increasingly shaped by non-economic aims, such as the pursuit of security and the protection of fundamental rights. Recent pieces of legislation, such as the AI Act or the Cyber Resilience Act, have nominally acknowledged the relevance of such factors, but serious concerns have been raised about security considerations de facto trumping all others. In this article, we argue that, despite its predominance, security does not displace fundamental rights or the internal market as the foundations of EU digital law. Instead, we propose a framework to explain how the interaction among rationales for security promotion, rights protection, and market-making goes beyond mere opposition. Applying this framework to three case studies of post-GDPR regulation, we show that the deepening of fundamental rights safeguards in digital regulatory instruments offers, at most, a limited check to creeping securitisation – and sometimes even allows the EU legislator to extend the reach of security measures in the name of protecting certain rights. Understanding the logics and actors that shape the triple helix of markets, rights, and security is therefore crucial for properly understanding – and responding to – security overreach in cyberspace.
‘The Show Must Go On(line)’ explores how the Brussels Bubble adapted to the COVID-19 pandemic, transforming crisis into an opportunity to redefine the boundaries of EU governance. As the virus disrupted face-to-face diplomacy in early 2020, the European Union’s institutions faced an unprecedented test: could the ‘compromise machine’ function without its traditional rituals of physical presence? This chapter traces the rapid shift to virtual formats, revealing how digital tools became both lifelines and sources of friction. COREPER ambassadors, deemed essential, continued in-person meetings, consolidating their influence, while others navigated the challenges of online negotiations – from ‘death by PowerPoint’ to the loss of informal corridor chats. Through the experiences of diplomats, interpreters and civil servants, the chapter illuminates the emotional and professional toll of ‘synthetic situations’, where screens replaced handshakes and digital skills became diplomatic currency.
The pandemic exposed and reinforced hierarchies, as access to physical spaces signaled status and power. Yet, it also spurred innovation, with virtual pre-meetings and new protocols becoming permanent fixtures. By 2025, the Bubble had embraced a hybrid model, reserving in-person gatherings for sensitive negotiations and using digital platforms for routine coordination. Ultimately, the crisis demonstrated that while the EU’s show could go on(line), the tension between digital efficiency and the irreplaceable value of face-to-face interaction remains at the heart of Brussels’ diplomatic culture.
We step inside a closed-door customs committee meeting in Brussels, following Louise and her colleagues his chapter offers a rare, immersive account of a customs committee working group, where twenty-seven member states, interpreters and Commission officials grapple with the minutiae of classifying consumer goods – from vacuum cleaner parts to decorative balloons – amidst a whirlwind of digital tools, linguistic compromises and political maneuvering.
Through vivid ethnographic detail, we reveal how EU law is crafted. Here, the classical diplomat – negotiator, mediator, generalist – confronts the realities of digital mediation. Through Louise’s eyes, and in rare ethnographic detail, we witness the labour of multilingual lawmaking: interpreters juggling languages and distractions, delegates scrolling for images to clarify a product’s classification and the relentless clicking of keyboards as twenty-seven member states haggle over every word, comma and image in a three-column Word document.
This chapter reveals how digital technologies, while promising efficiency and speed, also fragment attention and introduce new layers of complexity. The negotiation room becomes a microcosm of the EU’s ‘Brussels effect’ – its power to set global standards – where the mundane (classifying vacuum cleaner parts or decorative balloons) intersects with the monumental (shaping trade, safety, and environmental rules for 500 million citizens). As interpreters and diplomats alike rely on digital tools to bridge linguistic and political divides, the chapter asks: How is the craft of diplomacy transformed when screens and algorithms mediate human judgement? And what does this mean for the future of EU governance, as AI begins to reshape the invisible labor that keeps the Union running?
Cybersecurity remains one of the most technically complex domains of contemporary risk management, yet much of its vulnerability stems not from systems themselves but from the behavioural patterns of their users and adversaries. This chapter introduces a Behavioural Data Science perspective on cybersecurity – an approach that foregrounds the cognitive, social and affective processes underlying digital decision-making and threat response. Moving beyond the dominant paradigm of technological hardening, this chapter explores how insights from behavioural science, combined with computational modelling, can illuminate the conditions under which individuals make secure or insecure choices. It develops the concept of behavioural cyber-risk modelling, investigates the role of human–machine asymmetries and critiques static compliance-based regimes in favour of adaptive, context-aware systems. By synthesising empirical research and theoretical developments, the chapter proposes a new agenda for cybersecurity rooted in the nuanced realities of human behaviour, data-driven learning and interdisciplinary engagement.
This chapter is about trust. It is the only chapter in the book that considers the opinions of professionals who had not used machine translation at work. Most of these professionals were prepared to use machine translation if needed. Some were enthusiastic about it. Others had reservations which they would want to see addressed before deciding to use a machine translation tool. These reservations included: (1) concerns about accuracy; (2) concerns about privacy and confidentiality; (3) perceptions of social and professional norms and whether their use of machine translation would be accepted by others; and (4) concerns about how machine translation may lack ‘the human touch’ in sensitive interactions. The chapter examines human communication in relation to the concept of empathy and AI’s ability to mimic it. It ends with a discussion of workplace training by exploring what machine translation users would like to see covered in initiatives aimed at enhancing their trust judgment abilities.
This chapter analyses security exceptions in international trade law, focusing on their interpretation and application within the World Trade Organization (WTO) and preferential trade agreements (PTAs). It examines the evolving nature of national security concerns, particularly in cybersecurity, and how these concerns intersect with trade regulations. The chapter discusses the justiciability of security exceptions, the level of deference accorded to states in defining their security interests, and the challenges posed by the expansion of security concerns beyond traditional military domains. It also evaluates the adequacy of existing WTO and PTA frameworks in addressing contemporary security issues, suggesting that further innovations may be necessary to balance trade liberalisation with national security imperatives in the digital age.
Hybrid threats represent a continued challenge to the European Union, combining disinformation campaigns with cyber-attacks as a means of destabilising the Union and its Member States, undermining legitimacy and public trust. With social media platforms at the centre of disinformation efforts, as well as potential sites for cyber-attack disruption, the ability to control narratives and disseminate content are essential to hybrid threat actors. Fake Activity Markets (FAMs) are websites offering services that can be used to generate fake engagement, in turn allowing for coordinated inauthentic behaviour online. These websites also constitute a cybersecurity threat in themselves, involved in distributing malware, harvesting user data or comprising information systems. This article seeks to explore the EU approach to hybrid threats and coordinated inauthentic behaviour using FAMs as a case study, highlighting the potential threats to the EU’s social and cyber resilience posed by these actors, the potential regulatory responses, and the ways in which the von der Leyen II Commission’s renewed emphasis on hybrid threats could provide for a more robust ecosystem for countering coordinated inauthentic behaviour.
Abstract: In this chapter, the authors delve into the context of cybersecurity and explore the concept of security mindset in relation to cyber education and John Dewey’s “democratic ideal.” The chapter proposes John Dewey’s robust theory of habit in Human Nature and Conduct (1922) as a grounding foundation for conceptualizing a core component of security mindset, namely the human capacity for intelligent adaptation and growth within ever-changing environments. In submitting this linkage between Dewey’s conception of habit and security mindset, the author’s purpose is more than to advance Deweyan habit as an intelligible enrichment to current cybersecurity ideas for how to manage threats. Going further, they forward the connection between Deweyan habit and security mindset to extend the kind of foundation necessary for advancing cybersecurity’s ability to meet diverse and evolving cybersecurity threats through cyber education. With this, a process of disruption that leads to the subsequent reorganization of habit can bring into view simultaneously the threats to democracy as well as the process of democracy itself.
Chapter 4 covers the policy agenda of the von der Leyen Commission as it relates to technology, identifying the concerns over ensuring digital sovereignty and maintaining strategic autonomy as central rationales for Commission action. Chapter 4 focuses on ‘technological systems’ in which the EU has sought to increase its control and regulatory oversight through regulatory mercantilist means. Analysing the Commission’s actions in technical standards for technologies such as digital communications, life-cycle cybersecurity for internet-enabled products, and the fostering of an EU industrial policy for semiconductors and microchips, this chapter highlights how concerns over foreign manipulation and excessive strategic dependencies has resulted in the Commission proposing legislative interventions in order to guarantee sovereignty and strategic autonomy through increased Commission and regulatory body oversight, the explicit linkage of economic and security concerns, and active promotion of technology industrial policy internally, and exporting of norms and values through ensuring a positive regulatory balance of trade externally.
In Chapter 9, we argue that cybersecurity professionals embody the ideal of the careful, systematic upgrading that Move Slow and Upgrade has been advocating for. Unlike the flashy innovations that we’ve criticized in earlier chapters, cybersecurity professionals focus on making small, proven improvements through such practices as privacy by design and zero-trust architecture. Recognizing that no single change can solve complex problems, they layer multiple safeguards while acknowledging that human behavior – from falling for scams to knowingly taking risks – is often the main vulnerability. By discussing how cybersecurity teams do quality work, we aim to offer important lessons about how other industries might benefit from adopting an upgrading mindset.
Threats to the ability of democratically elected governments to drive and preserve their citizens’ economic development and thus promote their human rights are threats to the confidence of their citizens in democracy itself. Threats to the cyber resilience of critical infrastructure assets — that enable and preserve economic development — are threats to that very confidence. This chapter positions the technical backbones for digital public infrastructure (DPI), which delivers digitally native essential services, as critical infrastructure assets. This chapter uses the approach to DPI of the world’s largest democracy as a case study. It explores how India’s DPI — built per an open standards-based paradigm, implemented by protocols and Application Programming Interfaces (APIs) that comprise the ‘India Stack’ – operates at the scale of the world’s largest population. It finds the cyber resilience of the technical backbones for India’s DPI vital to India’s democratic resilience. This chapter thus calls on India to prosecute systemic cyber risks to these backbones that stem from the critical software running on them. India must incentivise vendors of that software to invest in the security of their software development life cycles and mitigate software supply chain risks. India must also manage open source software risks to its DPI appropriately. This chapter concludes by putting forward how India can export its approach and the India Stack. Other democracies, especially India’s Global South partners, stand to gain from its experience, including by strengthening the trust and confidence of their citizens in democracy itself, as well as by implementing norms for responsible state conduct in cyberspace that were approved by the United Nations General Assembly. Such benefits will be reinforced by Indian advice on how to deploy DPI in a cyber-resilient manner, informed by the multilateral consensus on DPI, software security and cyber resilience, which India forged as G20 President in 2023.
How does law travel in Inter-Asia? This chapter focuses on traveling law as an empirical event and does so to reflect on prevailing theories in comparative law that explain how law moves from one jurisdiction to another. The dominant paradigm in comparative law for traveling law is legal transplants, a concept that has generated a sprawling literature. The point of this chapter is not to say that Inter-Asia is aberrational regarding legal transplants; instead, the perspective is to use the Inter-Asian Law material, and specifically the fraught movements of Chinese law in Inter-Asia, to critically reflect on comparative law conventions. Whereas Inter-Asia is embedded within global trade and migration routes, it has also been populated by outsiders – pirates or jihadis – whose participation within those circuits creates contrast and distance, elements that are prerequisites to critical reflection. Chinese law may also be such an outsider that permits reflecting on taken-for-granted paths.
The establishment of artificial intelligence regulatory sandboxes (AIRSs) poses both policy and technical challenges, especially in how to reconcile support for innovation with regulatory oversight. AIRSs are based on dynamic regulatory feedback mechanisms that allow for a deeper examination of legal norms with a view to their future evolution. These structures facilitate engagement between regulators and innovators, enabling business learning and regulatory adaptation. However, their proliferation across the European Union under the Artificial Intelligence Act (AI Act) may raise issues of coordination between competent authorities, cross-border regulatory alignment and consistency with overlapping (sectoral) rules. In view of these potential complexities, this paper makes two distinct recommendations. First, AIRSs would benefit from cross-border cooperation – efforts should therefore be made to pursue the establishment of joint AIRSs among different Member States in order to reduce regulatory fragmentation, lower the risk of forum shopping, and optimise administrative resources. Second, integrating AI and cybersecurity compliance within the same sandbox environment would be beneficial in terms of providing clearer and more structured compliance pathways. A well-designed regulatory sandbox regime would make regulation more effective, encourage responsible AI development and secure Europe’s leadership in digital regulation.
Cybersecurity and cyberwar writ large are interconnected subjects that create serious challenges for policy makers. On an individual level we are far more likely to be the victims of cybercrime than of cyberwar. But the cyber challenge spans the entire gamut of security. From state-authorized attacks against another state, such as the deployment of Stuxnet against Iran, to the targeting of private industry like North Korea’s assault on Sony Pictures Entertainment, down through to the proliferation of cybercrime that impacts the everyday security of citizens sent a phishing scam via email, any way you cut it the cybersphere has a big impact on security. Indeed, if you live in a Western democracy, the chances are that you have also been at the individual level, as well as the societal level, at best an unwilling participant and at worse a victim of cyberwar via social media.
Sabotage is ubiquitous but little understood in international relations. Sabotage, especially in terms of attacks on infrastructure and property, has increased in recent years and has taken a more central role in national security discourse across Europe. Unfortunately, scholarship is underdeveloped and fragmented across disciplinary silos, leading to conceptual confusion about the nature and scope of sabotage as a form of statecraft. This article seeks to provide conceptual clarity, and in doing so, lay the foundations to better understand and respond to such activity. It does so first by synthesizing ideas from disjointed literatures on conflict, intelligence, terrorism, public administration, and cybersecurity, before distilling key characteristics of sabotage and offering a novel definition. The article finds that sabotage is the weaponization of friction to degrade the performance of systems from within. Sabotage has a strategic logic distinct from related concepts of covert action and subversion: corrosively turning friction into advantage. This logic limits its impact as stand-alone tool but makes it particularly well-placed to enhance and enable other policy instruments. By placing sabotage on the research agenda and theoretically advancing scholarship on ‘secret statecraft’ more widely, this article has significant implications for understanding and responding to contemporary security challenges.
Recent years have witnessed an extraordinarily swift advancement in the fields of artificial intelligence (AI) and the Internet of Things (IoT). AI applications like ChatGTP are gaining significant influence on various aspects of life and even ordinary households are nowadays highly digitalised, a trend that will only intensify with the growing proliferation of the Internet of Things.
This article conducts a theoretical exploration of how the materiality of ‘the digital’, and, more specifically, the immaterial nature of ‘the digital’, imposes on the securitisation of cyber. Starting from the observation that the implementation of new, draconian cybersecurity policy – illustrated with the Norwegian bulk interception controversy – is legitimised with reference to the immateriality of digital threats and digital transformations, I ask how we may we understand the material agency of immaterial matter in the context of cybersecurity. To address this problem, I turn to existing constructivist and new materialist accounts of the immateriality of cyber (in)security, and build on these to offer my own account of digital immateriality. In particular, I mobilise Yuk Hui’s reading of Jean-Francois Lyotard’s notion of im/materials to suggest that ‘the digital’ can be seen as a material force which concretises imperceptible relations by keeping the invisible invisible, and hence by abstracting and obscuring cyber threats and digital insecurities. In this way, ‘the digital’ engenders a new logic of cyber securitisation which I label ‘exceptionality without urgency’, where cybersecurity policy is aimed at countering fundamental, long-term, and rather vague transformations of politics and society rather than immediate, concrete threats.
After an introduction to the notions of cybersecurity and cybersecurity-related risks, this preface introduces four collected contributions on challenges and perspectives of EU cybersecurity policies in cyber-physical ecosystem.
This paper provides practical guidance to UK-based financial institutions (UKFIs) that are subject to the “operational resilience” guideline requirements of the Bank of England (BoE), Prudential Regulatory Authority and Financial Conduct Authority, issued in 2021, and fully effective for 31 March 2025. It contains practical suggestions and recommendations to assist UKFIs in implementing the guidelines. The scope of the paper covers issues related to (a) overviewing the latest equivalent operational resilience guidance in other countries and internationally (b) identifying key issues related to risk culture, risk appetite, information technology, tolerance setting, risk modelling, scenario planning and customer oriented operational resilience (c) identifying a framework for operational resilience based on a thorough understanding of these parameters and (d) designing and implementing an operational resilience maturity dashboard based on a sample of large UKIFs. The study also contains recommendations for further action, including enhanced controls and operational risk management frameworks. It concludes by identifying imperative policy actions to ensure that the implementation of the guidelines is more effective.
This paper presents the first empirical analysis demonstrating how international security influences global data flows. Firms exchange data traffic to achieve fast, stable, and affordable access to digital infrastructure, driving digital interdependence. While international security shapes economic interdependence, the mechanisms linking the two – sanctions, tariffs, boycotts, and contracts – create little risk for Internet interconnection, which is commonly exempted from sanction and tariff regimes, not directly consumed by the public, and not enabled through traditional contracts. I theorize that international conflict generates cybersecurity externalities as state and non-state actors directly weaponize digital interdependence. Firms and their networks sit directly in the path of future conflicts. Leveraging network topographical measurements from computer engineering, I test whether conflict expectations increase states’ mutual reliance to move data. I find robust evidence that power politics shapes digital interdependence and use additional analyses to argue that externalities, rather than state preferences, drive this process.