The emergence of EU cybersecurity law: A tale of lemons, angst, turf, surf and grey boxes

Using a series of metaphors, this opinion piece charts patterns, trends and obstacles shaping the development of EU cybersecurity law over the last three decades. It shows that this development is more than simply a function of the EU's increasing regulatory capacity. It argues that, to a large degree, the development has been a reactive, gap-filling process, which is partly due to the piecemeal character of the regulatory areas in which the EU legislates, combined with smouldering ‘turf wars’ over regulatory competence. An overarching point is that EU cybersecurity law is far from reminiscent of a well-kempt forest; rather, it resembles a sprawling jungle of regulatory instruments interacting in complex, confusing and sometimes disjointed ways. Thus, this field of regulation underlines the fact that increased regulatory capacity does not necessarily beget optimal regulatory coherence. Nonetheless, the paper also identifies multiple positive traits in the legislative development—traits that signal Brussels’ ability to learn from weaknesses with previous regulatory instruments.