ABSTRACT

Effective cyber incident response and crisis management increasingly relies on the coordination of relevant actors at supranational levels. A polycentric governance structure is one of the institutional arrangements that can promote active participation of involved actors, an aspect decisive for the rapid and effective response to cyber incidents and crises. This research aims to dissect whether, and to what extent, a polycentric structure is manifested within the cyber crisis management framework of the European Union (EU) and assesses the extent to which these policies signal a balance between centralization and decentralization. By employing Institutional Grammar 2.0, we examine the roles and interactions among actors delineated within four key policies to identify the structural characteristics, institutional essentials, and prerequisites indicative of a polycentric governance system. Additionally, we apply network analysis to evaluate dyadic relationships of actors, further assessing the balance between centralization and decentralization in the EU's cyber crisis management framework. Our analysis reveals that the EU has adopted a polycentric governance model for cyber crisis management, characterized by a nuanced distribution of responsibilities and authorities. The findings highlight a tendency toward centralization, especially in the roles of Member States and the European Union Agency for Cybersecurity (ENISA), while maintaining a polycentric structure that blends centralization and decentralization. This balance can ensure structural integrity and coherence of the system, while theoretically providing the flexibility and resilience needed to adapt to the dynamic cyber threat landscape. The study contributes methodologically, offering a framework that can be applied to other domains, and provides insights into the effective coordination of cyber incident response and crisis management at supranational levels.