Digital Sovereignty and Taking Back Control: From Regulatory Capitalism to Regulatory Mercantilism in EU Cybersecurity

In recent years we have been able to observe the emergence and mainstreaming of a EU discourse on digital sovereignty, which highlights the importance of gaining back control of EU digital infrastructure and technological production, based on the EU’s perceived loss of economic competitiveness, limited capacity to innovate, high degree of dependence on foreign digital infrastructures and service providers, and, related to all these factors, difficulty in providing EU citizens with a high level of cybersecurity. Bearing in mind that a considerable percentage of these infrastructures and service providers are under private sector control, the present article asks how this sovereignty discourse conceptualises the role of the private sector in EU cybersecurity. Drawing from a Regulatory Capitalism theoretical model, this article proposes that the EU has instead entered a Regulatory Mercantilist phase where it seeks to reassert its control over cyberspace, impose digital borders, accumulate data wealth and reduce its dependence on external private sector actors whose values may not reflect those of the EU order. A new approach to cybersecurity is emerging, in which the non-EU private sector can be perceived as much of a threat as foreign powers, and from whom digital sovereignty must be secured.