Skip to main content

A typology of cybersecurity and public-private partnerships in the context of the EU

This is a preview of subscription content, access via your institution.


  1. One should, however, that there are alternative framings of technical IT security and problems with the general label of “cyber”, which will be briefly taken up below.

  2. In contrast to informal working arrangements for security and intelligence agencies

  3. For instance, or

  4. At the time of writing, the legislative proposal had gained political agreement from all EU institutions, but was not formally concluded yet. See:

  5. Information and computer scientist tend to prefer other more technical and precise concepts, such as information security, which is composed of definable attributes of integrity, availability and confidentiality. Security scholars, in contrast, have highlighted the dangers of “securitizing” the digital communications or simply just ‘cyber’ and merging distinct issues of cybercrime, cyber-assisted crime with more state-centred notion of security, which can legitimate “offensive” methods and the involvement of the military.

  6. Again, we cannot go into the question whether cyberspace is a suitably precise analytical concept. For a widely cited official definition, see

  7. For instance, See also Farrand and Carrapico in this issue for a more detailed discussion on the historical development from public to private management of critical infrastructures.

  8. An especially controversial response to this challenge has been to create separate market incentives through programs such as ‘bug bounties.’

  9. Such as “hate” speech, weapons instructions, child sexual abuse material, etc.

  10. These functionally differentiated tasks or processes have been inductively derived by the authors from the diverse social science literature on cybersecurity referred above. For reasons of space this differentiation cannot be systematically related to wider theories of public (economic) regulation and security governance here, but this may prove a worthwhile research agenda for the future. On the one hand, one could test whether the proposed tasks are truly exhaustive and comprehensive in the area of cybersecurity. On the other hand, more elaborate formal reasoning on collective action dynamics, such as with regard to the public good qualities of information or reliable access, could be explored beyond the cursory remarks made below.

  11. If one applies a broad or multi-level understanding of cybersecurity, this can range from questions of rights management, privacy and data protection to secure communication protocol standards or product safety and security.



  14. This point can be unlined by the fact that PPPs for a more secure internet provision at the infrastructural level have not yet been funded in Europe, as illustrated by the failed idea of a “Schengen-net” for secure data transfers in Europe.

  15. The typological fields are referred to in the respective subheadings of the different sections

  16. ENISA has organised several annual major ICT incident exercises for EU member states that were triggered official EU conclusions in the aftermath of the 2009 Estonian cyber-attacks. Assessments of these exercises are limited to official document, where the large number of participants (500+) and positive resonance had highlighted

  17. See

  18. See also Art. 3 of the EU regulation establishing ENISA (revised 526/2013)






  24. This has been modelled on a corresponding US Forum with global reach.



  27. ENISA, 2012a. European Public + Private Partnership for Resilience. Activity Report 2012. Available at:

  28. Compare also for an incomplete survey of information-sharing platforms across EU member states

  29. This would hitherto be limited to some cases that are covered by the 2009 EU telecommunications regulation (Directive 2009/140/EC). See

  30. Public authorities from 18 member state are taking part, while the rest is constituted by academic institutions or experts See full list of members

  31. See Especially the second working group provide the most detailed recommendations on how to differentiate, improve and link up the variety of information-sharing initiatives for CIIP, see


  33. Or computer security incident response teams in alternative European parlance (CSIRT), see


  35. For instance, one could point to frameworks for data sharing or best practice collection, see




  39. p-15







  46. Barclays, ING Group, Citibank, the European Banking Federation, and the association for ATM Security (EAST). See and and










    See on the joint EUROPOL INTERPOL MoU

    And conference





  60. This particular action even seems to have involved the British signals intelligence service GCHQ

  61. Austria, France, Germany, Italy, Spain, the Netherlands and the UK



  64. EU DOC 6785/16, p. 35









  1. Eriksson, J., & Giacomello, G. (2009). Who controls the internet? Beyond the obstinacy or obsolescence of the State. International Studies Review, 11(1), 205–230.

    Article  Google Scholar 

  2. Radu, Roxana, Jean-Marie Chenou, and Rolf H Weber. 2014. The evolution of global internet governance: principles and policies in the making. Vol. 56: Springer Science & Business Media.

  3. Mueller, M., Schmidt, A., & Kuerbis, B. (2013). Internet security and networked governance in international relations. International Studies Review, 15(1), 86–104.

    Article  Google Scholar 

  4. Von Solms Rossouw, and Johan Van Niekerk. 2013. "From information security to cyber security." Computers & Security 38:97–102.

  5. Tropina, Tatiana. 2015. "Public–Private Collaboration: Cybercrime, Cybersecurity and National Security." In Self-and Co-regulation in Cybercrime, Cybersecurity and National Security, 1–41. Springer.

  6. Min, K.-S., Chai, S.-W., & Han, M. (2015). An International Comparative Study on Cyber Security Strategy. International Journal of Security and Its Applications, 9(2), 13–20.

    Article  Google Scholar 

  7. Carr, M. (2016). Public–private partnerships in national cyber-security strategies. International Affairs, 92(1), 43–62.

    Article  Google Scholar 

  8. Dunn-Cavelty, M., & Suter, M. (2009). Public–Private Partnerships are no silver bullet: An expanded governance model for Critical Infrastructure Protection. International Journal of Critical Infrastructure Protection, 2(4), 179–187.

    Article  Google Scholar 

  9. van Dijck, J. (2014). Datafication, dataism and dataveillance: Big Data between scientific paradigm and ideology. Surveillance & Society, 12(2), 197–208.

    Google Scholar 

  10. Bevir, M. (2014). The Rise of Security Governance. In M. Bevir, O. Daddow, & I. Hall (Eds.), Interpreting Global Security, (pp. 17–34). London: Routledge.

    Google Scholar 

  11. Hameiri, Shahar, and Lee Jones. 2015. Governing Borderless Threats: Non-traditional Security and the Politics of State Transformation: Cambridge University Press.

    Book  Google Scholar 

  12. Nance, M., & Cottrell, P. (2014). A turn toward experimentalism? Rethinking security and governance in the twenty-first century. Review of International Studies, 40(02), 277–301. doi:10.1017/S026021051300017X.

    Article  Google Scholar 

  13. Crawford, A. (2006). Networked governance and the post-regulatory state? Steering, rowing and anchoring the provision of policing and security. Theoretical Criminology, 10(4), 449–479.

    Article  Google Scholar 

  14. Ehrhart, H.-G., Hegemann, H., & Kahl, M. (2014). Putting security governance to the test: conceptual, empirical, and normative challenges. European Security, 23(2), 119–125.

    Article  Google Scholar 

  15. Kennedy, David. 2016. A World of Struggle: How Power, Law, and Expertise Shape Global Political Economy: Princeton University Press.

  16. Christou, G., & Simpson, S. (2006). The Internet and public–private governance in the European Union. Journal of Public Policy, 26(01), 43–61.

    Article  Google Scholar 

  17. Procedda, M. (2014). Public-Private Partnerships: A soft approach to cybersecurity? Views from the European Union. In G. Giacomello (Ed.), Security in Cyberspace: Targeting Nations, Infrastructures, Individual. New York, London: Bloomsbury Academic.

    Google Scholar 

  18. Fahey, Elaine. 2014. "EU's Cybercrime and Cyber-Security Rulemaking: Mapping the Internal and External Dimensions of EU Security, The." Eur. J. Risk Reg.:46.

  19. EU. 2013. "Joint Communication on the Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace " JOIN(2013) 1 final

  20. European Commission (2015). The European Agenda on Security. COM, 2015, 185 .

    Google Scholar 

  21. Grimsey, Darrin, and Mervyn Lewis. 2007. Public private partnerships: The worldwide revolution in infrastructure provision and project finance: Edward Elgar Publishing.

    Google Scholar 

  22. Schneider, A. L. (1999). Public-private partnerships in the US prison system. American Behavioral Scientist, 43(1), 192–208.

    Article  Google Scholar 

  23. Bovaird, T. (2004). Public–Private Partnerships: from Contested Concepts to Prevalent Practice. International Review of Administrative Sciences, 70(2), 199–215. doi:10.1177/0020852304044250.

    Article  Google Scholar 

  24. Hodge, G. A., & Greve, C. (2007). Public–private partnerships: an international performance review. Public Administration Review, 67(3), 545–558.

    Article  Google Scholar 

  25. Reynaers, A.-M., & De Graaf, G. (2014). Public Values in Public–Private Partnerships. International Journal of Public Administration, 37(2), 120–128.

    Article  Google Scholar 

  26. Forrer, J., Kee, J. E., Newcomer, K. E., & Boyer, E. (2010). Public–private partnerships and the public accountability question. Public Administration Review, 70(3), 475–484.

    Article  Google Scholar 

  27. Willems, T., & Van Dooren, W. (2011). Lost in diffusion? How collaborative arrangements lead to an accountability paradox. International Review of Administrative Sciences, 77(3), 505–530.

    Article  Google Scholar 

  28. Hodge, Graeme A, and Carsten Greve. 2005. The challenge of public-private partnerships: Learning from international experience: Edward Elgar Publishing.

  29. European Commission. 2004. "Green paper on public-private partnerships and community law on public contracts and concessions." COM (2004) 327 final.

  30. United Nations Economic Commission for Europe. 2008. "Guidebook on promoting good governance in public private partnerships." ECE/CECI/4.

  31. Van, d. H., Martijn, L. B., Lember, V., Petersen, O. H., & Witz, P. (2015). National varieties of Public–Private Partnerships (PPPs): A comparative analysis of PPP-supporting units in 19 European countries (pp. 1–20). Research and Practice: Journal of Comparative Policy Analysis.

    Google Scholar 

  32. Roumboutsos, Athena. 2015. Public Private Partnerships in Transport: Trends and Theory: Routledge.

  33. Linder, S. H. (1999). Coming to terms with the public-private partnership a grammar of multiple meanings. American Behavioral Scientist, 43(1), 35–51.

    Article  Google Scholar 

  34. Bovis, C. H. (2015). Risk in Public-Private Partnerships and Critical Infrastructure. European Journal of Risk Regulation, 6(2).

  35. Hans, V. D., Sarmento, J. M., & Renneboog, L. (2016). Anatomy of public-private partnerships: their creation, financing and renegotiations. International Journal of Managing Projects in Business, 9(1), 94–122.

    Article  Google Scholar 

  36. Van, D. H., Martijn, & Verhoest, K. (2016). The challenge of using standard contracts in public–private partnerships. Public Management Review, 18(2), 278–299.

    Article  Google Scholar 

  37. Brinkerhoff, D. W., & Brinkerhoff, J. M. (2011). Public–private partnerships: perspectives on purposes, publicness, and good governance. Public Administration and Development, 31(1), 2–14.

    Article  Google Scholar 

  38. Bovis, Christopher. 2013. Public-private Partnerships in the European Union: Routledge.

    Google Scholar 

  39. Gómez-Barroso, J. L., & Feijóo, C. (2010). A conceptual framework for public-private interplay in the telecommunications sector. Telecommunications Policy, 34(9), 487–495.

    Article  Google Scholar 

  40. Braman, S. (2011). The Framing Years: Policy Fundamentals in the Internet Design Process, 1969–1979. The Information Society, 27, 295–310.

    Article  Google Scholar 

  41. Townes, M. (2012). The spread of TCP/IP: How the Internet became the Internet. Millennium-Journal of International Studies, 41(1), 43–64.

    Article  Google Scholar 

  42. LaRose, R., Bauer, J. M., DeMaagd, K., Chew, H. E., Ma, W., & Jung, Y. (2014). Public broadband investment priorities in the United States: an analysis of the broadband technology opportunities program. Government Information Quarterly, 31(1), 53–64. doi:10.1016/j.giq.2012.11.004.

    Article  Google Scholar 

  43. Narayanan, A., Jain, A., & Bowonder, B. (2005). Providing rural connectivity infrastructure: ICT diffusion through private sector participation. International Journal of Services, Technology and Management, 6(3–5), 416–436.

    Article  Google Scholar 

  44. ENISA. 2011a. "Cooperative Models for Effective Public Private Partnerships."

  45. Héritier, A. (2001). Market integration and social cohesion: the politics of public services in European regulation. Journal of European Public Policy, 8(5), 825–852. doi:10.1080/13501760110083536.

    Article  Google Scholar 

  46. Graz, Jean-Christophe, and Andreas Nölke. 2007. Transnational private governance and its limits: Routledge.

    Google Scholar 

  47. Harcourt, A. (2013). Participatory Gains and Policy Effectiveness: The Open Method of Co-ordination Information Society. JCMS: Journal of Common Market Studies, 51(4), 667–683. doi:10.1111/jcms.12022.

    Google Scholar 

  48. Börzel, T. (2010). European governance: negotiation and competition in the shadow of hierarchy. JCMS: Journal of Common Market Studies, 48(2), 191–219.

    Google Scholar 

  49. Wagner, B. (2014). The politics of internet filtering: The United Kingdom and Germany in a comparative perspective. Politics, 34(1), 58–71.

    Article  Google Scholar 

  50. Wiater, P. (2015). On the notion of" Partnership" in Critical Infrastructure Protection. European Journal of Risk Regulation, 6(2), 255–262.

    Article  Google Scholar 

  51. Bauer, J. M. (2010). Changing roles of the state in telecommunications. International Telecommunications Policy Review, 17(1).

  52. European Commission. 2013. "Proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union." COM(2013) 48 final

  53. Marsden, Christopher T. 2011. Internet co-regulation: European law, regulatory governance and legitimacy in cyberspace: Cambridge University Press.

  54. Tropina, T., & Callanan, C. (2015). Self-and Co-regulation in Cybercrime, Cybersecurity and National Security. Heidelberg: Springer.

    Book  Google Scholar 

  55. Bendiek, A., & Porter, A. L. (2013). European Cyber Security Policy within a Global Multistakeholder Structure. European Foreign Affairs Review, 18(2), 155–180.

    Google Scholar 

  56. Carr, M. (2015). Power Plays in Global Internet Governance. Millennium - Journal of International Studies, 43(2), 640–659. doi:10.1177/0305829814562655.

    Article  Google Scholar 

  57. Chenou, J.-M. (2014). From Cyber-Libertarianism to Neoliberalism: Internet Exceptionalism, Multi-stakeholderism, and the Institutionalisation of Internet Governance in the 1990s. Globalizations, 11(2), 205–223.

    Article  Google Scholar 

  58. Cavelty, D., & Myriam (2013). From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse. International Studies Review, 15(1), 105–122.

    Article  Google Scholar 

  59. Hansen, L., & Nissenbaum, H. (2009). Digital disaster, cyber security, and the Copenhagen School. International Studies Quarterly, 53(4), 1155–1175.

    Article  Google Scholar 

  60. Wagner, Ben. forthcoming. "Constructed "Cyber" Realities & International Relations Theory. ." In Technology and International Relations Theory, edited by R Marlin-Bennett and J. P. Singh. Cambridge: CUP.

  61. Schmidt, A. (2014). Open Security. Contributions of Networked Approaches to the Challenge of Democratic Internet Security Governance. In R. Radu, J.-M. Chenou, & R. H. Weber (Eds.), The Evolution of Global Internet Governance (pp. 169–187). Berlin Heidelberg: Springer.

    Chapter  Google Scholar 

  62. Choucri, N., & Clark, D. D. (2012). Integrating Cyberspace and International Relations: The Co-Evolution Dilemma. In Explorations in Cyber-International Relations: Who Controls Cyberspace? Cambridge, MA: MIT.

    Google Scholar 

  63. DeNardis, L. (2012). Hidden levers of Internet control: An infrastructure-based theory of Internet governance. Information, Communication & Society, 15(5), 720–738.

    Article  Google Scholar 

  64. Mathew, Ashwin Jacob. 2014. Where in the World is the Internet? Locating Political Power in Internet Infrastructure. University of California, Berkeley.

  65. DeNardis, Laura. 2014. The global war for internet governance: Yale University Press.

  66. Ruiz, Jeanette B, and George A Barnett. 2014. "Who owns the international Internet networks?" Journal of International Communication 21 (1):38–57.

  67. Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314(5799), 610–613.

    Article  Google Scholar 

  68. August, T., & Tunca, T. I. (2011). Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Science, 57(5), 934–959.

    Article  Google Scholar 

  69. Brown, Ian, and Christopher T Marsden. 2013. Regulating code: Good governance and better regulation in the Information Age: MIT Press.

  70. Edwards, Benjamin, Michael Locasto, and Jeremy Epstein. 2014. "Panel Summary: The Future of Software Regulation." Proceedings of the 2014 workshop on New Security Paradigms Workshop,

  71. Kleinschmidt, Broder. 2010. "An International Comparison of ISP's Liabilities for Unlawful Third Party Content." International Journal of Law and Information Technology:eaq009.

  72. Rowe, Brent, and Dallas Wood. 2013. "Are Home Internet Users Willing to Pay ISPs for Improvements in Cyber Security?" In Economics of Information Security and Privacy III, 193–212. Springer.

  73. Usman, S. H. (2013). A review of responsibilities of internet service providers towards their customer network security. Journal of Theoretical and Applied Information Technology, 49(1), 70–78.

    Google Scholar 

  74. Van Eijk Nico. 2013. "Duties of care on the Internet." In The Secure Information Society, 57–81. Springer.

  75. Clark, David, Thomas Berson, and Herbert S Lin. 2014. At the Nexus of Cybersecurity and Public Policy:: Some Basic Concepts and Issues: National Academies Press.

  76. Cohen-Almagor, R. (2015). Internet architecture, freedom of expression and social responsibility: critical realism and proposals for a better future. Innovation: The European Journal of Social Science Research, 28(2), 147–166.

    Google Scholar 

  77. Horten, Monica. 2015. "The Policy Challenge of Content Restrictions: How Private Actors Engage the Duties of States." Media@LSE Working Paper 34 (

  78. Parti, K., & Marin, L. (2013). Ensuring freedoms and protecting rights in the governance of the Internet: a comparative analysis of blocking measures of illegal Internet content and the liability of ISPs. Journal of Contemporary European Research, 9(1), 138–159.

    Google Scholar 

  79. August, T., August, R., & Shin, H. (2014). Designing user incentives for cybersecurity. Communications of the ACM, 57(11), 43–46.

    Article  Google Scholar 

  80. Camp, L. J. (2011). Reconceptualizing the role of security user. Daedalus, 140(4), 93–107.

    Article  Google Scholar 

  81. Hare, Forest. 2010. "The interdependent nature of national cyber security: motivating public action for a private good." PhD, George Mason University (

    Google Scholar 

  82. Kaijankoski, Eric A. 2015. Cybersecurity Information Sharing Between Public Private Sector Agencies. DTIC Document.

  83. Suter, M. (2007). Improving information security in companies: How to meet the need for threat information. In M. D. Cavelty, V. Mauer, & S. F. Krishna-Hensel (Eds.), Power and Security in the Information Age: Investigating the Role of the State in Cyberspace, Aldershot: Ashgate (pp. 129–150). Aldershot: Ashgate.

    Google Scholar 

  84. Bauer, J. M., JG, M., & Eeten, V. (2009). Cybersecurity: Stakeholder incentives, externalities, and policy options. Telecommunications Policy, 33(10), 706–719.

    Article  Google Scholar 

  85. Dourado, E., & Castillo, A. (2015). "Information Sharing”: No panacea for American cybersecurity challenges. Mercatus Center Policy Paper: George Mason University

    Google Scholar 

  86. Nolan, A. (2015). Cybersecurity and Information Sharing: Legal Challenges and Solutions. Congressional Research Service, 7–5700

  87. Kesan, J. P., & Hayes, C. M. (2015). Creating a “Circle of Trust” to Further Digital Privacy and Cybersecurity Goals. Michigan State Law Review, 2014(5), 1475.

    Google Scholar 

  88. Rosenzweig, Paul. 2011. Cybersecurity and Public goods. The Public/Private “Partnership”. In Emerging Threats in National Security and Law, edited by Peter Berkowitz. Stanford: Hoover institution, Stanford University.

  89. Prince, Daniel, and Nick King. 2013. "Small business cyber security workshop 2013: towards digitally secure business growth."

  90. Lagazio, M., Sherif, N., & Cushman, M. (2014). A multi-level approach to understanding the impact of cyber crime on the financial sector. Computers & Security, 45, 58–74.

    Article  Google Scholar 

  91. Brown, I., & Cowls, J. (2015). Check the web: assessing the ethics of politics of policing the internet for extremist material. Voxpol: Report

    Google Scholar 

  92. European Union (2013). Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 Text with EEA relevance. OJ L, 165, 41–58.

    Google Scholar 

  93. ENISA. 2011b. Cooperative Models for Effective Public Private Partnerships. Desktop Research Report. ENISA.

  94. Commission of the European Communities. 2009. Communication from the Commission..on Critical Information Infrastructure Protection. "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience". COM(2009) 149 final.

  95. Irion, K. (2013). The Governance of Network and Information Security in the European Union: The European Public-Private Partnership for Resilience (EP3R). In J. Krüger, B. Nickolay, & S. Gaycken (Eds.), The Secure Information Society (pp. 83–116). London: Springer.

    Chapter  Google Scholar 

  96. ENISA. 2015. "EP3R 2009–2013 Future of NIS Public Private Cooperation." (

  97. Morgus, Robert, Isabel Skierka, Mirko Hohmann, and Tim Maurer. 2015. "National CSIRTs and Their Role in Computer Security Incident."

    Google Scholar 

  98. RAND Europe. 2012. "Feasibility Study for a European Cybercrime Centre." .

  99. Reitano, T., Oerting, T., & Hunter, M. (2015). Innovations in International Cooperation to Counter Cybercrime: The Joint Cybercrime Action Taskforce. The European Review of Organised Crime, 2(2), 142–154.

    Google Scholar 

  100. General Secretariat of the Council. 2015. "Friends of the Presidency Group on Cyber Issues." 15059/15.

  101. Council of the European Union. 2015. "EU Internet Referral Unit at Europol - Concept note." 7266/15.

  102. European Commission. 2012. "Internet Policy and Governance Europe's role in shaping the future of Internet Governance." COM/2014/072 final

  103. Wagner, Ben, Kirsten Gollatz, and Andrea Calderaro. 2014. "Internet & Human Rights in Foreign Policy: comparing narratives in the US and EU Internet Governance agenda." Robert Schuman Centre for Advanced Studies Research Paper No. RSCAS 86.

  104. Walker, C., & Conway, M. (2015). Online terrorism and online laws. Dynamics of Asymmetric Conflict, 8(2), 156–175. doi:10.1080/17467586.2015.1065078.

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Raphael Bossong.

Rights and permissions

Reprints and Permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Bossong, R., Wagner, B. A typology of cybersecurity and public-private partnerships in the context of the EU. Crime Law Soc Change 67, 265–288 (2017).

Download citation

  • Published:

  • Issue Date:

  • DOI: