This article explores the extent to which Covid-19 has impacted the trajectory of EU Cybersecurity Policy. The Covid-19 crisis has led to an unprecedent reliance on digital solutions, ranging from teleworking to virus-tracking systems, resulting in the proliferation of Covid-19 related cybercrime, critical information infrastructure attacks and dissemination of pandemic disinformation. Although the virus has been repeatedly portrayed as life altering and as having considerably increased the cybersecurity risks faced by States, businesses and citizens, the proposed solutions, however, have accelerated existing trends in the field rather than resulting in significant institutional change. In particular, there has been a reinforcement of the role as a coordinating actor, of the introduction of further coherence between sub-areas and instruments, and of the positioning of public-private partnerships at the heart of the policy. However, where the role of social media platforms in facilitating the spread of disinformation is concerned, a changing trust relationship has resulted in a discursive shift in which these platforms require greater oversight, a belief reinforced by the spread of Covid-19 disinformation. The article proposes, through the lenses of historical and discursive institutionalism, that the EU’s response to Covid-19 in the field of cybersecurity can only be understood in light of these pre-existing trends, which are the result of an economic and security path dependence that emerged in the 1980s.