Abstract

The article aims at contributing to advance the study of cybersecurity policies by investigating one of the primary and most consequential processes in the cybersecurity policy field, i.e. the establishment of national cybersecurity agencies. Particularly, an empirical comparative analysis on two cases, i.e. the German and the Italian national agencies for cybersecurity, is carried out by deploying Ostrom’s rule typologies categorization on the legal texts that establish and discipline the two agencies. The evidence arising from the analysis is functional to the evaluation of and the comparison between the institutional design of the two cybersecurity agencies, and, more broadly, to the elaboration of considerations concerning general trends brought about by digitalization in the public sector.