Institutionalising EU Cyber Law: Can the EU Institutionalise Its Many Subjects and Objects?

Abstract

The EU as a cyber-actor appears to institutionalise cyber-matters increasingly yet is also subject to an increasingly wide variety of subjects and objects that it cannot institutionalise. This will inevitably affect the ‘unitary’ ideal of EU action in this field. Major developments in EU cyber action internally and externally increasingly focus upon both institutionalisation and also the co-opting of private actors into governance which are argued here not to be consistent. Until recently, there had long been a lack of a unitary or central figure in EU cyber law-making with overarching responsibility for policy development. This paper shows that the EU as a cyber-actor constitutes a significant example of EU institutionalisation taking place in practice, caught between complex global challenges and contested taxonomies. The EU harbours multiple conflicting definitions of cybercrime between actors and entities and multiple working definitions of cybersecurity. Some key terms also lack common definition in the EU context e.g. cyber defence, albeit as a key competence of the EU Member States, where it fails to draw from commonalities sufficiently. The EU lacks sufficiently robust institutions, agencies or actors and risks conflicts and impingement upon many fundamental rights through its partial institutionalisation of a field. It also appears afflicted by paradoxically both over- legalisation and under-legalisation of cyber law-making. As a result, the EU as a Global cyber actor risks becoming an inadequate international partner through its own weak institutionalisation.