(Re)structuring power in cyberspace. An analysis of the cybersecurity policy design space of the EU member states

SGUAZZINI, MATTIA
2025

Abstract

This dissertation investigates how cybersecurity policies are formulated and implemented across EU Member States, with particular attention to the range of instruments public authorities can deploy—their policy design space. Integrating perspectives from international relations, public policy analysis, and cybersecurity studies, the research explores the interplay between domestic constraints and supranational frameworks in shaping policy responses to cyber threats. The work is structured in five chapters. The first defines cyberspace across its physical, syntactic, and semantic layers, illustrating how each is associated with different vulnerabilities and stakeholders. It highlights the multi-actor and multi-level nature of cybersecurity governance, focusing on four EU sub-policy areas: cybercrime, cyber defence, cyber diplomacy, and cyber resilience. The second chapter develops the theoretical framework, linking the exercise of political power to the strategic selection of policy instruments. It introduces a typology of core political functions—protection, regulation, jurisdiction, allocation, and facilitation—and shows how these translate into specific instruments, from legislation to public–private partnerships. A structured matrix is used to assess how instrument combinations shape and constrain the policy design space at both national and international levels. The third chapter details the methodological approach. The empirical analysis draws on over 800 documents—including national strategies, EU legislation, and international agreements—collected from sources such as UNIDIR, ENISA, and ITU. Using machine learning–enhanced text analysis, the study identifies the types of instruments used across Member States and examines their correlation with explanatory variables such as institutional capacity, threat perception, and internet connectivity. Analytical tools include correlation tests, clustering, and multinomial regression. 
Chapter four provides a chronological analysis of EU-level cybersecurity policy. It traces the evolution from the initial focus on network security and data protection (1999–2006), through consolidation with the 2013 EU Cybersecurity Strategy and the 2016 NIS Directive, to recent developments including the 2019 Cybersecurity Act and increased collaboration among CSIRTs. It also examines policy convergence across domains such as Home Affairs, Defence, the Single Market, and Diplomacy. The final chapter offers a comparative analysis of Member States’ domestic cybersecurity policies. It identifies patterns in the use of instruments and clusters countries with similar strategic preferences. Multinomial models show that policy choices are influenced by structural features such as threat severity, political stability, governance standards, and the scale of domestic cybercrime. States with higher internet penetration and cyber incident frequency tend to adopt comprehensive strategies that blend regulatory measures with operational capacities like national CERTs/CSIRTs and stakeholder partnerships. In conclusion, the dissertation shows how the EU’s legal-institutional framework both enables and shapes national cybersecurity efforts, while domestic factors explain significant variations in policy design. By clarifying how political production interacts with institutional constraints and capacities, the study enhances our understanding of cyber governance and offers replicable tools for further research.
28-Jul-2025
English
CAMA, GIAMPIERO
COTICCHIA, FABRIZIO
CAMA, GIAMPIERO
Università degli studi di Genova
Files in this item:
File: phdunige_5185467.pdf (under embargo until 28/07/2026)
Size: 7.23 MB
Format: Adobe PDF

Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14242/218831
The NBN code of this thesis is URN:NBN:IT:UNIGE-218831