Whose Responsibility is Cybersecurity? : A Comparative Qualitative Content Analysis of Discourses in the EU’s Cybersecurity Strategies 2013-2020

Abstract: Cybersecurity is an increasingly important topic to all actors from the private individuals to international institutions. The borderless nature of the internet has however made it more difficult for nation states to take care of their own security and institutions like the EU are also coping with the difficulties of defending themselves from attacks that can affect practically any part of the system and cause wide-spread damage. The EU has tried to address these issues by publishing strategies to improve the cybersecurity of the Union and its Member States. This thesis studies the discourse that is used by the Union in its strategies from 2013 and 2020. This is done to determine how the EU portrays each level, the national, institutional, or private and how responsible they are for the cybersecurity in the Union and to see how this discourse has changed in the previous few years. The theoretical framework of the thesis consists of neofunctionalism and historical institutionalism which are used to explain the direction of the development of the EU’s discourse. The study is conducted using critical discourse analysis and qualitative content analysis. The findings of the analysis suggest that there is noticeable shift to the EU taking more responsibility and actions to ensure its cybersecurity. Similarly it seems remarkable how the importance of the private sector seems to have diminished in the newer discourse.