Abstract

This article examines the evolution of EU cybersecurity governance since the early 2000s, contextualising the response to heightened security concerns from the COVID- 19 pandemic and the Russian invasion of Ukraine. Focusing on European Commission- led policymaking, it analyses the interplay of exogenous and endogenous drivers in shaping the regulatory framework of cybersecurity. We scrutinise historical policy dynamics, focusing on the transformative potential of incremental changes and exploring the circumstances that enable policymakers to leverage past adjustments to influence EU cybersecurity governance. The article discusses the Positive vs. Regulatory State debate. It critically evaluates recent framings of EU cybersecurity governance as a Regulatory State, proposing the Catalytic State as a more fitting model, and develops criteria to assess the transformative power in changing EU cybersecurity policy