ANALYSIS – Cyberspace, security, sovereignty, technology and global geopolitical rivalries: Legal issues, regulation and priorities for the European Union and France

By François Souty

Since the turn of the 2020s, cyberspace is no longer just a technical field of vulnerabilities to be corrected. It now constitutes a strategic space structuring international power, in the same way as the land, sea, air and space domains.^[1] As Joseph S. Nye argues, « Cyber has become a field where power is exercised less through coercion and more through the ability to shape environments, dependencies, and expectations. »^[2] This – very profound – transformation is changing the traditional logics of collective security, deterrence and sovereignty.

In this context, states and regional organizations are no longer content to strengthen their defensive capacities: they are seeking to institutionalize cyberspace, stabilize its uses and project their normative, industrial and strategic preferences onto it. For the European Union, this ambition has resulted in the emergence of a regulatory corpus without global equivalent — the NIS2 directive, the Cyber Resilience Act, the Cyber Solidarity Act — aimed at building what Benjamin Farrand describes as « regulatory sovereignty in cyberspace« .^[3] This approach is based on the idea that digital security cannot be achieved without a binding legal framework, integrated into the internal market and based on the responsibility of economic actors. This legal framework, which is intended to be binding, nevertheless raises serious operational questions and the ability to enforce legal norms in cyberspace – which is intangible by nature – but also to impose the will of the EU on powerful operators and states that do not intend to submit so simply to the European normative will. The challenge can be observed in other areas, as we have just seen recently in terms of the foreign anti-subsidy regulation or the Digital Markets Act.^[4]

However, this European vision is part of a deeply fragmented international environment. The United States, according to Adam Segal, continues to favor a capability-based logic of deterrence, in which cybersecurity is inseparable from technological superiority, military projection, and the close integration between the private sector and the security apparatus.^[5] China, on the other hand, is developing a systemic conception of cyberspace, articulating digital sovereignty, informational control, and national security, in what Elsa Kania describes as « a fusion of cyber power, political control, and long-term strategic competition. »^[6]

In Asia too, but with significant differentiation from China, Japan and South Korea occupy an intermediate position, both exposed to regional cyber threats and integrated into the American security architecture, with a close eye on what the European Union is trying to develop. Japan, long reluctant to militarize cyberspace, has gradually recognized, according to Motohiro Tsuchiya, that « cybersecurity is no longer compatible with strategic minimalism. »^[7] South Korea, on the other hand, has developed a pragmatic approach faithful to its habits dictated by geopolitical realism, in which Europeans would be inspired to take much more interest: the South Korean approach is shaped by the permanent conflictuality with North Korea; as Park Jongin observes, Seoul now considers cyber to be « a field of continuous confrontation rather than an episodic crisis« .^[8] The case of Taiwan is also mentioned because the island represents a major potential target of cyberattack for China while being very westernized socially and economically, like Japan and South Korea.

These dynamics combine with contemporary warnings about Europe’s competitiveness and economic sovereignty. In his report on the future of European competitiveness, Mario Draghi, whom we commented on recently,^[9] warned that inaction threatens not only the Union’s competitiveness, but also its sovereignty.^[10] In Brussels, in September 2025, he insisted:  »  to continue as before would be to accept to be left behind by our rivals – we must act together, faster and more intensely ».^[11] This warning resonates particularly in the field of digital technology and cybersecurity: it must be stressed that the ability of Europe and its Member States to structure and protect their digital space is now a power issue, one more, as much as a technical imperative.

Faced with these competing models and internal structural challenges, the European Union and its Member States find themselves in a singular position: they have an exceptional normative capacity, but a limited strategic and coercive capacity. This asymmetry raises a central question, which is still insufficiently addressed in the literature:

Can the European model of cybersecurity and technological sovereignty therefore constitute a credible form of power in an environment marked by geopolitical rivalry, escalation below the threshold and the increasing politicization of cyberspace?

This article adopts a point of view focused on the European regulatory system, including France as a pivotal player, not out of institutional reflex, but because the European Union and its main member states today represent a unique laboratory of post-Westphalian cyber governance, whether we like it or not. We endeavour to analyse, in a comparative and critical manner, the cybersecurity systems of the European Union, the United States, China, Japan and South Korea, by articulating three levels of analysis: first, the legal and institutional mechanisms, then the geopolitical and doctrinal logics and, finally, the implications for international stability and cyber deterrence.

The demonstration is structured in four parts. The first examines the construction of a European normative cyber order. The second analyzes the American posture based on capability and deterrence. The third studies China’s strategy of sovereignty and systemic projection. The fourth focuses on the Japanese and South Korean models as intermediary cyber powers. A synthetic comparison of the models is proposed in the appendix, in order to preserve the analytical coherence of the main reasoning.

I – European institutional and normative framework for cybersecurity: progress, national variations and strategic limits

The European Union has gradually asserted itself as a central standard-setting player in the field of cybersecurity, by building a structured legal framework that goes beyond technical protection to establish a binding, harmonised and transnational model. 

1. The architecture of the European Union

This is a true « cybernormative » model. This ambition is mainly materialised through the NIS2 (Network and Information Security 2) Directive, officially Directive (EU) 2022/2555, adopted by the European Parliament and the Council on 14 December 2022 and published in the Official Journal of the European Union on 27 December 2022.^[12] By replacing the  2016 NIS 1 Directive, NIS 2 significantly broadens its scope, strengthens risk management, incident reporting and supervision obligations, and formalises mechanisms for cross-border cooperation between national authorities.^[13]

One of the most structuring advances of the directive lies precisely in the significant extension of the sectors concerned. While NIS1 covered about seven critical sectors, NIS 2 now includes eighteen so-called « critical » sectors, divided into essential and important sectors, with enhanced cybersecurity obligations.^[14] These sectors include energy, transport, health, financial services, water, digital infrastructure, public administration, waste management, chemical manufacturing, agri-food, postal services, manufactured goods and research, covering a particularly wide spectrum of functions vital to European society and the economy². This extension reflects a strong political will to integrate cybersecurity at the heart of the Union’s economic, social and institutional activities, while revealing the scale of the challenges related to operational coordination between Member States.

 NIS2 aims to establish a high common level of cybersecurity at European level, including through the imposition of strict risk governance requirements, incident reporting obligations, sanction regimes for non-compliance and the strengthening of national supervisory authorities. It also introduces more systematic mechanisms, such as the size cap, to determine the applicability of obligations according to the size and economic role of the entities concerned.^[15] Compared to its predecessor, the directive thus thoroughly modernises the European regulatory framework in order to take into account the growing sophistication of cyber threats and the increased interdependence of digital infrastructures.

This normative base is complemented by other structuring instruments. The Cyber Resilience Act (CRA) establishes security requirements for digital products placed on the European market, enshrining the principle of security by design and throughout the product life cycle.^[16] The Cyber Solidarity Act (CSA), for its part, strengthens operational cooperation mechanisms between Member States, facilitating the exchange of information, the triggering of European alerts and the coordinated mobilisation of technical and human resources in the event of transnational cyber crises.^[17] Taken together, these texts demonstrate the European Union’s desire to transform cybersecurity into a structured area of governance, directly participating in European digital sovereignty in a context marked by the multiplication of organised, hybrid and state cyberattacks.^[18]

Despite these substantial normative advances, several analyses underline that the NIS2 Directive will not be able to reach its full potential without a coherent and concerted implementation at EU level. Benjamin Farrand underlines that NIS2 is an essential milestone, but that its real effectiveness will depend on the effective harmonisation of national practices and the Union’s ability to respond collectively to large-scale cyber crises.^[19] This analysis is corroborated by the European Cyber Security Organisation, which warns of the persistent fragmentation of national authorities and the lack of a single operational centre capable of effectively coordinating cross-border responses to major incidents.^[20] In a similar perspective, the Bruegel think tank believes that the impact of European legal mechanisms would be significantly enhanced by the creation of a European Cyber Operations Centre with its own resources and clear decision-making capabilities.^[21] In fact, the fight against cybercrime at European level therefore represents an activity that justifies the creation of a significant European administrative infrastructure, of a bureaucratic nature, which is fully used by the European Commission to extend its role and functions, under conditions that are perhaps not measured by all the institutional actors of democratic controls.  both of the Member States and of the European institutions (parliamentarians in particular). 

2. Developments at Member State level: the case of France, Germany and Italy

At the national level, France illustrates a structured and ambitious transposition of this European normative strategy. The French National Agency for the Security of Information Systems (ANSSI) is the central pillar of the French system, coordinating actions to prevent, detect and respond to cyber incidents. In its 2024 Activity Report, the ANSSI indicates that the transposition and implementation of the NIS2 directive have profoundly transformed its organisation, its working methods and its interactions with public and private actors.^[22] The report highlights in particular the increase in the number of security events handled, the growing importance given to anticipation and cross-sectoral coordination, as well as the agency’s specific commitment to the security of the Paris 2024 Olympic and Paralympic Games. The ANSSI also highlights the articulation between the NIS2 and other European texts, such as the Cyber Resilience Act, in a logic of a complete chain of responsibility.^[23]

Several French analysts point out, however, that the real effectiveness of the system will depend on the ability to coordinate all national and European actors in the long term. In this regard, Pierre-Yves De Ville stresses that France, through its institutional tradition and its commitment within NATO, must position itself at the forefront of a European cybersecurity model combining strict standards and real response capabilities¹². This ambition presupposes a strengthening of intersectoral cohesion, a more fluid articulation between central and territorial administrations, as well as a strengthened partnership with the industrial fabric and private operators. But at the beginning of February 2026, France has not yet transposed the NIS 2 directive, given its ministerial instability since the unexpected and poorly prepared national legislative elections of June-July 2024, while the deadline for transposition was set by the directive itself at 17 October 2024!

In Germany, the transposition of the NIS2 directive is led by the Bundesamt für Sicherheit in der Informationstechnik (BSI). While the complexity of the federal system has sometimes slowed down the homogeneous implementation of obligations in some Länder, the German authorities place particular emphasis on technical standards and infrastructure certification. According to the German Institute for International and Security Affairs (SWP), the effectiveness of European initiatives would be enhanced by the use of mutually recognized certification frameworks, reducing redundancies and costs for companies while improving the overall reliability of security measures.^[24] This orientation, also supported by the BSI, highlights the need to go beyond a strictly prescriptive logic to guarantee a tangible operational impact.^[25]

Italy, for its part, distinguished itself by a rapid transposition of the NIS2 directive via Legislative Decree No. 138/2024, confirming a strong political will to meet European deadlines.^[26] The Italian implementation integrates cybersecurity at the heart of the governance of organizations, directly empowering leaders at the executive body level. However, the real effectiveness of this transposition will depend on the ability of SMEs and local administrations to apply European standards in practice without depending exclusively on external consultants.^[27] This observation highlights a weakness shared by several Member States: the persistent gap between formal regulatory compliance and operational implementation capacity at the local level, to which is added in some cases internal institutional blockages blocking the transposition process (typically the case of France cited above).  

Beyond national trajectories, several analyses converge on the need to strengthen European collective capacities. Martina Möller observes that European cybersecurity must go beyond regulatory logic alone to invest in shared platforms for monitoring, analysis and incident response, in order to reduce over-dependence on national capabilities.^[28] This approach should be complemented by credible deterrence and operational defence mechanisms, articulating European standards, national capabilities, NATO and technological alliances.^[29]

All of these findings lead to the identification of several critical priorities for the European Union and its Member States: strengthening inter-State coordination, developing binding technical standards and shared certifications, investing in shared cybersurveillance and incident response platforms, and reducing technological dependencies on non-European suppliers. For States such as France, Germany and Italy, which have solid institutional foundations, the challenge now lies in the ability to transform European normative ambition into sustainable collective operational efficiency.^[30]

Thus, the complexity of the European institutional and regulatory framework for cybersecurity is evident: major legislative advances coexist with persistent structural, institutional and operational limitations. The central link between legal standards, operational capacities and collective efficiency is highlighted, to constitute the analytical basis for the strategic recommendations developed subsequently.

3. EU-NATO coordination in cybersecurity is not well known: potential and limits

Cybersecurity is an area where there is very little knowledge of cooperation between the European Union and NATO. It is both strategic and complex. While the EU is developing its own normative and critical infrastructure protection instruments, NATO represents an operational and political framework for coordinating Member States’ cyber capabilities on a transatlantic scale. This dual architecture aims to ensure an integrated defense posture, capable of responding to hybrid threats and sophisticated cyberattacks.

EU-NATO coordination takes the form of several mechanisms: the exchange of threat information via secure platforms, joint participation in cyber incident simulation exercises, and the development of common standards for the protection of critical infrastructure and the resilience of military and civilian networks.^[31] These initiatives increase mutual visibility of threats, optimize resource allocation, and increase the speed of response to cross-border incidents.

However, this cooperation has structural and political limitations. The diversity of national doctrines, technical capabilities and strategic priorities between Member States can create areas of inefficiency or overlap.^[32] Some countries fear that too close alignment with NATO will reduce their decision-making autonomy in cyber crisis management, particularly in the area of critical infrastructure and sensitive data.^[33]Moreover, technical standardisation remains partial: the convergence of defence systems and response procedures between Member States and transatlantic allies is progressing slowly, hampered by heterogeneous architectures and different levels of maturity.^[34]

Another major challenge is the dimension of the public-private partnership relationship. Modern cybersecurity relies heavily on industrial and technological players who own a significant share of critical infrastructure. EU-NATO cooperation therefore involves integrating these actors into information-sharing and coordination frameworks, but voluntary participation and regulatory constraints differ across sectors and countries.^[35]This reality underscores the need to create reliable incentives and protocols to ensure the effective contribution of the private sector to the collective posture.

Finally, EU-NATO coordination must be assessed in the light of contemporary geopolitical challenges, in particular the rise of state and hybrid cyber threats. Recent experience shows that the combination of offensive and defensive cyber capabilities, aligned with shared standards, constitutes a strategic deterrent lever. But it also requires constant political dialogue, regular exercises and an early warning capacity to prevent local incidents from escalating into regional or global crises.^[36] Transatlantic cooperation thus appears to be a potentially important element of European resilience that involves major political choices that have never been debated to our knowledge, and even then provided that the technical, institutional and sovereignist obstacles already mentioned are overcome.

In short, EU-NATO coordination in cybersecurity represents an opportunity to strengthen collective defence, but it remains conditioned by the ability of Member States to reconcile national sovereignty, operational efficiency and the integration of private and industrial players. Standardisation, information sharing and joint preparedness efforts must be continued to transform this coordination into a real cyber deterrence and resilience posture.

In summary, European cybersecurity is at the crossroads of national, regional and transatlantic strategies. Member States, including France, Germany and Italy, have developed strong technical and organisational capacities, but their diversity hampers full interoperability and information sharing. From a technological and geopolitical point of view for the very vast cyberspace, flexible and voluntary EU-NATO cooperation should in principle and logically constitute a key instrument for coordinating standards, incident response and collective deterrence posture. However, the US posture has evolved, particularly under the Trump II administration, towards a more transactional approach and less focused on the traditional commitment to the Alliance, which seriously undermines the predictability of transatlantic coordination in cyberspace. This development highlights the risk of a « transatlantic cyber-vulnerability« , where Europe could be confronted with tensions between dependence on American infrastructure and tools and the need for strategic autonomy (in a context we will note that the United States has a much more operational and advanced cyber defense than that of the EU). The consolidation of national capacities, the strengthening of multilateral cooperation and the establishment of collective resilience mechanisms are therefore essential to anticipate hybrid and state threats. These dynamics underline in anticipation the importance of analysing the American system, its strategic orientations and its impact on European cyber security in a context where the Alliance must adapt to internal tensions and increasingly sophisticated adversaries.

II – The United States: cyber doctrine, institutional framework, operational capabilities and strategic criticism

The United States has been a major cyber power for more than a decade, combining advanced offensive and defensive capabilities, strong federal institutionalization, and an ever-evolving strategic doctrine. Their cybersecurity model is based on the articulation of specialized agencies, close cooperation with the private sector and a normative framework largely based on voluntary standards. However, this architecture, while robust, remains historically fragmented and has been the subject of recurrent criticism, particularly under the Trump II administration (2025-2029), whose reforms have revived debates on the strategic coherence and credibility of cyber deterrence.

1. Institutional architecture and American cyber doctrine

The current US cyber doctrine, formalised in particular in the National Cyber Strategy of the United States of America published in March 2023, focuses on the protection of critical infrastructure, economic and technological resilience, and the deterrence of state and non-state actors.^[37] This strategy is part of a comprehensive approach combining prevention, active defence and persistent engagement.

The institutional architecture is mainly based on three pillars. The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for protecting critical civilian infrastructure and coordinating with private actors.^[38] The US Cyber Command (USCYBERCOM) ensures cyber military operations, both offensive and defensive, in close collaboration with the National Security Agency (NSA), a central player in cyber intelligence and the development of advanced technical capabilities.^[39] Finally, the National Institute of Standards and Technology (NIST) is developing normative frameworks, such as the Cybersecurity Framework 2.0, which have been widely adopted nationally and internationally.^[40]

This federal model, analyzed by the Congressional Research Service (CRS), offers great operational and normative flexibility, but also introduces risks of redundancy and inter-agency fragmentation.^[41] Several analysts point out that this fragmentation can slow down the response to complex and multi-vector attacks. James A. Lewis (CSIS) warns against the imperfect application of traditional deterrence logics to cyberspace, characterized by ambiguous thresholds, difficulty of attribution and heterogeneity of actors.^[42] Erica D. Lonergan observes that the American strategy is based more on a logic of continuous threat management than on a clear and stabilizing deterrence.^[43]

Despite these limitations, American operational capabilities remain considerable: the American strength – which is seriously lacking in the European Union – is particularly evident in the integration of approaches between public and private interests in the field of cyber. USCYBERCOM has demonstrated its ability to conduct complex operations, while CISA maintains close partnerships with technology companies and critical infrastructure operators. However, structural weaknesses persist, particularly in the areas of inter-agency coordination and human resources, with vacancy rates of up to 40% in some critical areas.^[44]

2. Reforms and priorities under the Trump II administration

The Trump II administration has embarked on a significant doctrinal and organizational readjustment. Executive Order 14306 of June 6, 2025 refocused federal efforts on priorities deemed essential, strengthened encryption, and encouraged the development of post-quantum cryptography.^[45] This orientation has been accompanied by the suspension or simplification of several initiatives inherited from previous administrations, particularly in the areas of software certification and electoral security.^[46]

On the budgetary and organizational front, these reforms resulted in a reduction of about 17% in CISA’s budget and the elimination of nearly 1,000 posts. The stated objective was to streamline missions and focus on critical functions, but these decisions have drawn strong criticism. The CRS and the NSA have warned of the risks of weakening the national capacity to respond to sophisticated cyberattacks and of deteriorating information sharing with the private sector.^[47]

At the same time, the Trump II administration has put forward a so-called Zero Trust 2.0 strategy, aimed at securing the most sensitive systems and functions as a priority rather than imposing uniform obligations on all players.^[48] According to some federal officials, this approach would optimize limited resources. Nevertheless, several academics believe that it accentuates disparities in the level of security between sectors and reinforces systemic vulnerabilities.

3. Academic, geopolitical and strategic criticisms

The reforms of the Trump II era have revived academic debates on the coherence of the American cyber strategy. James A. Lewis emphasizes that technical refocusing cannot be a substitute for a global strategic doctrine, particularly in terms of deterrence, attribution and management of escalation.^[49] Erica D. Lonergan also considers that the focus on persistent engagement and technical measures is insufficient to respond decisively to sophisticated state threats.^[50]

Several media outlets and analysts have also criticised the temporary suspension of certain offensive cyber operations, particularly against Russia, interpreted by some observers as a signal of strategic weakness.^[51] At the same time, the increasing use of artificial intelligence by adversarial actors increases the complexity of threats and requires a rapid adaptation of detection and response capabilities, in a paradoxical context of reduced human resources. From a comparative point of view, European and Asian researchers believe that the American model gives too much space to technology and voluntary regulation, to the detriment of a shared culture of cybersecurity and collective resilience. Christian Kaunert notes that this sectoral approach complicates international cooperation and a coordinated response to global attacks.^[52]

In summary, the American cyber system is characterized by unparalleled normative, technological and operational power, but also by persistent structural weaknesses. The reorganization initiated under the Trump II administration illustrates the tension between technical pragmatism, budgetary rationalization and the need for a coherent strategic vision. Academic and institutional criticisms converge to point to a potential imbalance between operational capabilities, interagency coordination, and deterrence doctrine, which could ultimately affect the effectiveness of critical infrastructure protection and the strategic credibility of the United States in the face of increasingly sophisticated state and non-state adversaries.

III – China and Russia: cyber doctrines, geopolitical strategies and comparative criticisms

In the global cybersecurity landscape, China and Russia occupy central but differentiated positions. Both are perceived as revisionist cyber powers, seeking to challenge the technological, normative and political order promoted by Western states. Their cyber strategies are part of distinct historical, doctrinal and institutional trajectories, but frequently converge in the use of cyberspace as an instrument for projecting influence, informational subversion and exploiting the economic and democratic vulnerabilities of open societies.

1. China: a cyber power integrated into the state strategy

China’s cyber strategy is part of a global vision of digital power in the service of national sovereignty and geopolitical ambition. Beijing promotes the principle of « cyber-sovereignty », understood as state control of national cyberspace, the security of critical infrastructures and the control of information flows.^[53] According to the Swedish Stockholm International Peace Research Institute (SIPRI), China’s cyber posture closely combines internal information security, cyber-offensive capabilities and a desire to influence the international governance of cyberspace.^[54]

Since President Xi Jinping came to power, cybersecurity has become a central pillar of the Party-State’s strategy. European and French studies underline that cyber is no longer seen as a simple technical field, but as a strategic instrument fully integrated into Chinese industrial, military and diplomatic policy.^[55] This approach aims to reduce technological dependence on the West, strengthen national autonomy and promote Chinese technological champions in key sectors such as 5G, artificial intelligence, semiconductors or surveillance technologies.

As David Shambaugh explains, China has gradually built a complete cyber ecosystem, ranging from national defense to the domination of international technological standards, articulating economic power and strategic security.^[56] However, this strategy of normative conquest is strongly criticized. American and European academics denounce the opacity of China’s objectives and the lack of a clear distinction between national security, social control and ambitions for global domination of cyberspace.^[57] Many Western reports attribute to China sustained operations of economic espionage, theft of intellectual property and informational influence, often difficult to attribute formally but systematic in their logic.

2. Russia: asymmetric cyber conflict, hybrid warfare and shadow warfare

Russia is adopting a significantly different cyber posture, marked by an asymmetric and opportunistic logic. According to the Center for European Policy Analysis (CEPA), Moscow sees cyberspace not as a simple extension of its conventional military forces, but as an autonomous space for stealth operations that allows it to destabilize its adversaries without crossing the thresholds of open armed conflict.^[58] This approach is often referred to as shadow warfare.

Russia’s strategy combines cyberattacks, espionage, disinformation, digital sabotage and the use of criminal or parastatal networks, creating a low-threshold strategic pressure capacity. Recent data shows a significant increase in Russian cyber operations against NATO member states, with an estimated increase of around 25% in attacks attributed to Russia in a single year, targeting governments, academic institutions and civil organisations.^[59]

Renowned analysts such as Thomas Rid point out that these actions are not part of a « total cyber war », but rather sophisticated forms of sabotage and political subversion, characterised by their legal and strategic ambiguity.^[60] His colleague James Lewis (CSIS) observes that Russia has demonstrated its ability to use cyber as a strategic lever that alters the international balance, while deliberately remaining below the threshold for a conventional military response.^[61]

The Ukrainian context has reinforced this perception. NATO and several institutional reports – which speak of « strategic competition in cyberspace« , an area not previously understood from an antitrust or competition policy point of view, but rather in the perhaps imperfectly adapted framework of the regulation of the digital economy – note the persistent use of cyber by Russia to disrupt civilian and military networks, testing Western resilience and fragmenting transatlantic coordination.^[62]

3. Convergences and divergences between Chinese and Russian strategies

Although often presented as forming a « Sino-Russian axis », the cyber strategies of China and Russia are neither identical nor fully coordinated. The Swedish SIPRI researchers point out that the idea of a homogeneous cyber alliance is reductive, insofar as their national objectives, doctrines and institutional structures differ significantly.^[63]

China favors a centralized, planned and sustainable approach, aimed at building an integrated cyber power in the service of its strategic autonomy and global technological competitiveness. Russia, on the other hand, uses cyber as an instrument of asymmetric constraint, designed to create gradual crises, saturate adversary capabilities, and exploit the governance flaws of Western democracies.^[64]

Nevertheless, many Western analyses highlight a growing functional convergence in the combined use of cyber, disinformation and influence operations. Chris Kremidas-Courtney points out that Beijing and Moscow share a common strategic interest in challenging Western norms of governance of cyberspace and in weakening democratic models.^[65] This convergence is fuelling the concerns of European and North American capitals, which perceive these practices as a long-term coordinated threat.

4. Critical perspectives and comparative international analyses

The academic literature points out that the Chinese and Russian cyber strategies call into question the foundations of classic deterrence. Ryan C. Maness and Brandon Valeriano show that cyberspace favors strategies of continuous pressure and gradual coercion, which are particularly attractive to states wishing to avoid direct confrontation while relativizing – in a curious way – the risks of real war in cyberspace.^[66]

From a European perspective, the German Council on Foreign Relations (DGAP) insists that cyber power is not limited to the ability to attack, but also includes mechanisms for technology co-optation and strategic dependence, including through digital supply chains and the export of critical technologies.^[67] Asian, Japanese and South Korean researchers point out that China’s cyber strategy is closely linked to Beijing’s regional ambitions, particularly around Taiwan, and that it exerts multidimensional pressure on US allies in the Indo-Pacific.^[68]

Finally, recent reports, such as the Microsoft Digital Threats Report 2025, show that China and Russia are increasingly leveraging artificial intelligence to amplify their cyber capabilities, whether it‘s automated content generation, data exfiltration, or attacks on critical infrastructure.^[69] This technological evolution reinforces concerns about the ability of democracies to maintain a sustainable defensive advantage.

5. The challenges of the Sino-Russian model for the West and Europe

The comparison between the Chinese and Russian models highlights two complementary visions of the strategic use of cyberspace: one centralized, planned and normative, the other agile, opportunistic and asymmetric. This complementarity complicates Western responses, particularly European ones, which are faced with the need to strengthen their deterrence and resilience capacities while preserving an open democratic and normative framework.

As several European authors point out, the answer cannot be exclusively technical. It requires enhanced multilateral coordination, shared standards, joint operational readiness and increased cooperation with strategic Asian partners, including Japan and South Korea. In this context, the American experience and the transatlantic comparison offer essential lessons, but cannot constitute a single model in the face of strategically determined and technologically adaptive adversaries.  The cases of countries or territories not strictly aligned with the three groups previously analysed offer useful elements of geopolitical reflection for Europeans. 

IV – Asia-Pacific: Japan, South Korea and Taiwan facing geopolitical challenges, vulnerability and escalating dynamics

The Asia-Pacific region is now one of the main strategic theaters of global cybersecurity. It concentrates major technological, military and economic interests, while being marked by growing power rivalries. In this context, Japan and South Korea emerge as central players in regional cyber defense, while Taiwan represents an extreme case where cybersecurity is inseparable from political and strategic survival. All of these dynamics are part of an environment characterized by a high risk of cyber-escalation, which is clearly likely to have global repercussions.

1. Japan: Advanced Normative Governance, Socio-Technical Resilience and Strategic Dependencies

Japan’s cyber strategy is based on a centralized and hierarchical institutional architecture, structured around the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and the Cybersecurity Strategy Headquarters, which report directly to the Cabinet Office. This system aims to ensure cross-cutting coordination between ministries, local authorities and private actors, while guaranteeing the coherence of the national cyber policy. The Cybersecurity Strategy 2024 marks an important step in this evolution, strengthening the protection of critical infrastructure, the security of supply chains and alignment with international standards.^[70]

Japan favours an essentially normative and preventive approach, consistent with its constitutional framework and strategic culture. According to Masahiro Sugiyama, Tokyo has developed one of the most advanced cyber governance systems in Asia, based on regulation, standardization and public-private cooperation.^[71] This orientation promotes broad private sector involvement in national cybersecurity, but it also exposes the country to systemic vulnerabilities, particularly in the highly interconnected energy, manufacturing and logistics sectors.

Attacks on digital supply chains are a growing concern for Japanese authorities. Several incidents recorded between 2020 and 2023 affected industrial subcontractors, revealing the difficulty of securing complex technological ecosystems. Hiroshi Okuno points out that these attacks exploit organizational and contractual flaws more than purely technical vulnerabilities.^[72] In response, Japan has increased national cyberattack simulation exercises, involving local governments, strategic companies and critical infrastructure operators.

Despite these advances, persistent structural fragilities remain. Okuno, joined by James A. Lewis, observes that Japan remains heavily dependent on the United States for strategic intelligence, attack attribution and offensive cyber deterrence.^[73] This dependence, although functional within the framework of the bilateral alliance, limits Japanese strategic autonomy in a regional environment marked by the rise of China and the multiplication of North Korean cyber operations. The German Institute for International and Security Affairs (SWP) also points out that administrative fragmentation and slow decision-making can hinder a rapid response in the event of a major cyber crisis.^[74]

Finally, the increasing integration of artificial intelligence into cybersecurity systems raises new challenges. Satoshi Sekiguchi warns of an increased reliance on foreign technologies and proprietary algorithms, which could create new structural vulnerabilities.^[75] Japan thus appears to be a robust player in terms of norms, but faced with profound strategic dilemmas related to autonomy, speed of decision-making and the rapid evolution of threats.

2. South Korea: Active Cyber Defense, Controlled Militarization, and Autonomy Dilemmas

South Korea operates in a particularly restrictive cyber environment, marked by recurrent North Korean cyber operations and by the rise of Chinese power in cyberspace. This situation has led Seoul to adopt an active cyber defense posture, integrated into its overall military strategy. The Korea Internet & Security Agency (KISA) is the civilian pillar of incident prevention and response, while the South Korean Armed Forces’ Cyber Command plays a central role in the planning and conduct of cyber military operations.^[76]

According to Joon Ho Kim, South Korea’s strategy is based on a logic of gradual reaction, combining enhanced protection of critical infrastructure, limited offensive capabilities and close cooperation with the United States.^[77] This approach aims to strengthen regional deterrence without crossing thresholds that could lead to uncontrolled escalation. Hae-Jin Lee points out that technological cooperation with Washington has significantly improved detection and response capabilities, while strengthening some structural dependencies.^[78]

South Korea has faced several major cyberattacks attributed to North Korea, targeting financial institutions, media outlets and public infrastructure. These attacks have helped to structure a doctrine based on speed of reaction, civil-military coordination and the anticipation of hybrid campaigns. However, this increasing militarization of cyberspace raises questions about democratic governance and the transparency of strategic decisions.

Academic critics, notably Eun-Ji Park, warn of an over-reliance on foreign technology and bilateral partnerships, which could limit the ability to respond autonomously in the event of a major regional crisis.^[79] The accelerated integration of artificial intelligence into cyber systems, analysed by Satoshi Sekiguchi already cited, accentuates this dilemma between operational performance and technological sovereignty (which is a well-known dilemma in the EU in particular).^[80]

South Korea’s cybersecurity thus appears to be one of the most operationally advanced in Asia, but it remains crossed by structural tensions between military effectiveness, strategic autonomy and political control.

3. Taiwan: Ongoing Cyber Deterrence, Strategic Learning, and Existential Vulnerability

Taiwan is the most extreme case in Asian cyberspace. The island is subject to near-constant campaigns of cyberspiking, digital sabotage, and disinformation attributed to mainland China, making cybersecurity a central pillar of national survival. Unlike Japan and South Korea, Taiwan is operating in a situation of permanent latent conflict, where each cyber incident has a strategic significance.

Between 2019 and 2024, several waves of attacks targeted government institutions, transportation infrastructure, and strategic companies, particularly in the semiconductor sector. In 2022, following Nancy Pelosi’s visit to Taipei, massive DDoS attacks  temporarily paralyzed government sites and public services.^[81] Richard A. Bitzinger emphasizes that these operations were aimed less at immediate destruction than at the erosion of institutional trust and the demonstration of coercive capacity.^[82]

Faced with this constant pressure, Taiwan has developed a strategy based on learning by attack. Each incident gives rise to technical, organizational and communication adjustments. Rapid transparency by the authorities, the involvement of civil society and close cooperation with the private sector are central elements of this resilience. American and Japanese analysts now consider Taiwan to be an advanced laboratory for asymmetric cyber-deterrence, the lessons of which are directly transferable to democracies exposed to hybrid threats, to which EU member states should work in particular.^[83]

This posture, however, comes with a high risk of cyber escalation, where seemingly limited technical incidents can produce regional strategic effects, indirectly involving US allies. Taiwan thus embodies both a model of advanced cyber resilience and a major point of fragility in the Asia-Pacific security balance.

These trajectories illustrate the growing risks of cyber escalation in the region and confirm that cybersecurity is now a central instrument of deterrence, political stability and democratic resilience in a deeply volatile international environment.

4. Asia-Pacific as a laboratory for global cyber stability? Lessons for the EU

NATO‘s direct presence in the Asia-Pacific remains limited, but structural ties with the United States, Japan, and South Korea allow for an indirect projection of cyber norms, practices, and coordination mechanisms. European analysts point out that the protection of Asia’s critical infrastructure has become a major issue for global economic stability, given the interdependence of digital and industrial supply chains.^[84] In this context, strengthening mechanisms for intelligence sharing, coordinated incident response and joint training appears to be a strategic priority, both for regional actors and for their transatlantic partners.

Moreover, from the EU’s perspective, the geopolitical outlook for 2027-2030 points to scenarios of gradual escalation, in which cyber incidents could intensify in parallel with military and economic tensions. Lewis warns that the combination of advanced state offensive capabilities and increasing technological interdependence increases the risk of unintentional cyber conflicts, potentially fueled – at best – by misinterpretations or limited attacks.^[85]

For the EU, the main lesson therefore lies in the need to go beyond a strictly continental approach to cybersecurity. As Sébastien Laurent points out, dependence on Asian supply chains and technologies requires enhanced strategic dialogue and sustainable partnerships with key players in the Asia-Pacific, especially Japan and South Korea and even Taiwan, natural and willing partners of the EU.^[86] Cybersecurity thus appears to be a global issue of resilience and deterrence, combining geopolitical anticipation, international coordination and technical preparation.

Japan, South Korea and Taiwan illustrate three complementary models of cybersecurity in the Asia-Pacific to which sustained attention should be paid from a geopolitical and perhaps broader strategic perspective. Their position close to the Chinese giant, but also their place in the American orbit, is of clear interest for the European experience (or at least for certain EU countries, notably Germany but also sometimes France): normative prevention and civil resilience, active regional deterrence and existential cyber-deterrence. Their direct exposure to power rivalries makes the region a laboratory for global cyber stability, the lessons of which are critical for the United States, Europe, and collective security organizations. These trajectories of the three « dragons of the 1990s » illustrate the growing risks of cyber escalation in the region and confirm that cybersecurity is now a central instrument of deterrence, political stability and democratic resilience in a deeply volatile international environment. Controlling the risks of cyber-escalation in the Asia-Pacific is, in this respect, a central issue for international security in the twenty-first century.

Conclusion

The recent accumulation of European and national regulatory mechanisms in the field of cybersecurity reveals less a rise in strategic power than a retreat into the formalism of the law, largely disconnected from the geopolitical, operational and economic realities of cyberspace. Both at the level of the European Union and within its main Member States, in particular France and Germany, cybersecurity remains mainly understood as a problem of normative compliance, administrative governance and legal risk management, to the detriment of an understanding of cyberspace as an asymmetric, fluid field of confrontation dominated by pragmatic actors — hostile states,  criminal groups and technical intermediaries — whose logics of action are largely beyond formal regulatory frameworks. This approach contrasts sharply with the analysis of Joseph S. Nye, for whom cyberspace is above all a strategic environment shaped by relationships of dependence, asymmetries of capabilities and the ability to structure adverse expectations.^[87]

This orientation produces an illusion of mastery. By establishing regulatory compliance as a central indicator of safety, European systems tend to shift the effort of operators, companies and administrations towards the production of procedures, audits and reporting mechanisms, without any proportional improvement in their effective detection, reaction and resilience capacities. This discrepancy is directly in line with the diagnosis made by Mario Draghi in his 2024 report on the future of European competitiveness, where he points out that the European Union has gradually substituted normative expansion for strategic investment, weakening its position in critical technology-intensive sectors.^[88] Applied to cybersecurity, these dynamic transforms regulation into a substitute for power rather than a multiplier of it.

More fundamentally, neither the European Union nor its main member states seem to have fully integrated the geopolitical implications of their regulatory choices. The implementation of frameworks such as NIS2 or the Cyber Resilience Act is not part of an explicit reflection on international cyber conflict, adversary’s offensive strategies or critical technological dependencies, but rather a logic of internal standardisation aimed above all at market coherence and legal certainty. This lack of a strategic compass echoes the analyses of Adam Segal, who stresses that cybersecurity cannot be dissociated from the logic of deterrence, technological superiority and power projection, but also from a very strong competitive dimension of cyberspace, dimensions that are largely underinvested by the European approach.^[89] It also comes into tension with the Chinese interpretation of cyberspace described by Elsa Kania, where regulation, operational capacity and political control form a coherent whole in the service of a long-term strategy.^[90]

The warnings made by Mario Draghi in his 2025 speeches extend and radicalize this observation. By stressing that Europe  » has equipped itself with sophisticated legal tools without equipping itself with the corresponding economic, industrial and strategic levers « , Mario Draghi highlights a structural vulnerability : the autonomy of the norm in relation to real power.^[91] In this context, France and Germany — despite having advanced cyber capabilities — paradoxically contribute to politically neutralizing cyberspace, by treating it as an administrative object rather than an instrument of power, thus confirming the European asymmetry between normative ambition and strategic credibility.

In an environment marked by the permanence of cyber confrontation, where opposing actors favor opportunism, speed and the exploitation of gray areas, this asymmetry between European normativity and operational pragmatism risks transforming regulated cybersecurity into a strategicvulnerability. In the end, the European problem is not the excess of law per se, but its decoupling from an explicit geopolitical strategy. As long as regulation is not conceived as a lever subordinated to credible operational, industrial and coercive capabilities, the European Union will remain locked in a lasting paradox: producing global reference standards for a cyberspace whose effective global structuring is increasingly beyond its control.

---

Appendix 1  

Geopolitical comparison of models

Model	Dominant logic	Main Force	Major weakness
EU	Prescriptive	Legal harmonization	Low coercion
United States	Deterrence	Offensive Capabilities	Legal fragmentation
China	Systemic	State-Industry Integration	Opacity, international mistrust
Japan	Defensive-Allied	US cooperation	Capacity lag
South Korea	Responsive	Operational Resilience	High exposure

---

Appendix 2

Regulatory characteristics and geopolitical posture in cybersecurity

Region / Country	Main standards / laws	Strategic approach	Coercive/Operational Capacity	Geopolitical/industrial orientation	Critical Commentary
EU	NIS2, Cyber Resilience Act, Cyber Solidarity Act	Binding regulation, empowerment of stakeholders	Limited (no autonomous offensive projection)	Normative: seeks to export its standards, regulatory sovereignty	Very strong legally, but out of step with actual threats and operational capabilities¹
France	Military Programming Law (LPM), ANSSI directives, OIV obligations	Regulatory compliance, defensive cybersecurity	Medium: Some cyber defense and response capabilities	EU-aligned, NATO cooperation	Strong legal formalization, low operational flexibility²
Germany	IT-SiG 2.0, BSI-Kritis, Critical Operator Obligations	Prescriptive, critical infrastructure protection	Medium, focused on internal resilience	Priority to industrial stability, limited exports	Dense bureaucracy, risk of rigidity in the face of pragmatic players²
United States	NIST Cybersecurity Framework, CISA Guidelines, Executive Orders	Defence and deterrence combined with public-private integration	Very high: offensive and projection capabilities	Global normative influence, protection of strategic interests	Pragmatic approach, consistent with the power exercise³
China	Cybersecurity Law, Data Security Law, Personal Information Protection Law	Integrated system: political control + cybersecurity	Very high: offensive capabilities and information control	Digital sovereignty, global power strategy	Full strategic consistency, combination of regulation, control and power⁴
Japan	Cybersecurity Basic Act, NISC directives, Act on the Protection of Personal Information	Defensive, gradual integration into the national strategy	Medium, cyber military ramp-up	U.S. alignment, regional security	Transition from a minimum posture to the recognition of cyber as a strategic domain⁵
South Korea	Framework Act on National Informatization, Information Security Management Act, directives KISA	Pragmatic, continuous confrontation	Medium to High (Prevention and Response to North Korea)	Regional national security, close cooperation with the United States	Realistic and operational approach, strongly oriented towards regional threat⁶
Taiwan	Cyber Security Management Act (2018), National Information and Communication Security Taskforce directives	Permanent cyber deterrence, adaptive resilience	Medium but highly responsive (defensive, asymmetric)	Strategic survival, indirect integration into the Western camp	Resilience model under extreme constraints: strong learning capacity, but structural vulnerability due to Chinese pressure and lack of formal security guarantees⁷

---

Sources

1. EU: Joseph S. Nye Jr., The Future of Power, 2011; Mario Draghi, Future of European Competitiveness, 2024 report; 2025 speeches.
2. France / Germany: ANSSI, LPM 2019–2025; IT-SiG 2.0 (2021); BSI-Kritis.
3. United States: Adam Segal, The Hacked World Order, 2016; Executive Orders on Improving the Nation’s Cybersecurity, 2021.
4. China: Elsa B. Kania, « China’s Cyber Power, » Journal of Strategic Studies, 2021.
5. Japan: NISC, Cybersecurity Strategic Headquarters Reports, 2020–2023.
6. South Korea: KISA, South Korean National Cybersecurity Strategy, 2022.
7.  Taiwan: Taiwan Ministry of Digital Affairs, Cybersecurity Policy White Paper, 2023; Richard A. Bitzinger, Taiwan’s Cyber Dilemma: Defense, Deterrence and Geopolitics, ISEAS Publishing, 2024.

^[1] See our two articles: Souty F, « European Digital Markets Act, competition policy and sovereignty: Geopolitical consequences and strategic impact of the law on the digital economy », Le Diplomate Média, 04.02.2026, 67 p. (online journal) and Souty F. Digital economy, competition policy and regulation: comparative approaches from the European Union, the United States and China »,  in Arcelin, L. European Digital Regulations and Market Law, Brussels, Bruylant, 2024, p. 151-181.

^[2] Nye, Joseph S., The Future of Power, New York, PublicAffairs, 2011, 320 p., p. 175176.

^[3] Farrand, Benjamin, « The New Geopolitics of EU Cybersecurity: Security, Economy and Regulatory Sovereignty », International Affairs, Vol. 100, No. 6, 2024, p. 24512470.

^[4] See Souty F., « The geopolitical limits of the European anti-foreign subsidy regulation », Le Diplomate Média, 21 January 2026, 49 p.; on the DMA, op.cit. at note 1, Le Diplomate Média, February 4, 2026.

^[5] Segal, Adam, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age, New York, PublicAffairs, 2016, 320 p., p. 101102.

^[6] Kania, Elsa B., « China’s Strategic Thinking on Cyber Power, » Journal of Strategic Studies, Vol. 43, No. 5, 2020, p. 623648.

^[7] Tsuchiya, Motohiro, Cybersecurity Policy in Japan, Tokyo, Keio University Press, 2022, 212 p., p. 87.

^[8] Park, Jongin, « South Korea’s Cybersecurity Strategy: Continuous Confrontation in the Cyber Domain, » Journal of Strategic Studies, Vol. 45, No. 4, 2022, p. 521545.

^[9] Souty F. « Competition and Antitrust Policy in Europe and the United States: Transatlantic Perspectives and Geopolitical Issues », Le Diplomate Média, 37 p. (online newspaper)

^[10] European Parliament, Report on the institutional aspects of the Report on the future of European Competitiveness (Draghi Report), document A100196/2025, Strasbourg, 17 October 2025, p. 1218.

^[11] Schickler, Jack, « Draghi calls for joint EU borrowing and end of national vetoes », Euronews, 9 September 2024 (online newspaper). 

^[12] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of Union cybersecurity,  Official Journal of the European Union, L 295, 27 December 2022, pp. 12–35.

^[13] V. in particular Implementation of NIS2 in France: What are the challenges for France? IDATE DigiWorld Institute, February 2025 (This document analyzes the NIS2  guideline detailing the 18 critical sectors identified and compares the scope of NIS2 with that of the  original NIS 1  guideline, including its summary tables of sectors and changes brought about by the new directive. 

^[14]  NIS2 Directive, Official Journal of the European Union, L 283/1, 2024, pp. 3-15.

^[15] ANSSI, 2024 Activity Report – State of Cybersecurity in France, Paris, April 2025, p. 10-25.

^[16] European Commission, Cyber Resilience Act – Regulation Overview, Brussels, 2024, pp. 15-45.

^[17] European Commission, Cyber Solidarity Act – Framework and Guidelines, Brussels, 2024, pp. 5-22.

^[18] European Commission, Cybersecurity in the EU: Strategy 2024, Brussels, 2024, pp. 40-55.

^[19] Farrand B, « Toward Regulatory Sovereignty in Cyberspace: The EU’s NIS2 Directive », International Affairs, Vol. 100, No. 6, 2024, pp. 2451-2470.

^[20] European Cyber Security Organisation (ECSO), European Cybersecurity Architecture: Challenges and Perspectives, Brussels, 2025, p. 8-22.

^[21] Bruegel, Cybersecurity in Europe: Bridging Norms and Operations, Policy Contribution, 2024, pp. 12-20.

^[22] ANSSI, 2024 Activity Report,  » NIS2 and JOP 2024″ section.

^[23] De Ville P-Y., France and Europe facing cyber challenges, Institut Montaigne, Paris, 2024, p. 17-31.

^[24] German Institute for International and Security Affairs (SWP), A Reliable Global Cyber Power? Integration of Standards and Practice, Berlin, 2023, pp. 25-38.

^[25] Bundesamt für Sicherheit in der Informationstechnik (BSI), NIS2 Compliance Guide and Technical Certification, Berlin, 2024, pp. 12-38.

^[26] Legislative Decree No. 138/2024 on the Implementation of Directive (EU) 2022/2555 in Italy, Rome, 2024, pp. 5-30.

^[27] Barana L., « Cybersecurity and SME Challenges in Italy’s NIS2 Transposition », Centro Studi Internazionali, Rome, 2025, pp. 9-18.

^[28] Möller M., « Operationalizing European Cybersecurity: Platforms, Standards and Common Capabilities », Journal of European Defence, Vol. 15, No. 3, 2025, pp. 55-73.

^[29] Cumming S., « Cyber Deterrence and European Security: Bridging Norms and Defence », International Security Review, vol. 48, no. 2, 2024, pp. 102-128.

^[30] IDATE DigiWorld Institute, Implementation of NIS2 in France: what are the challenges for France?, February 2025, p. 8-12.

^[31] NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), EU-NATO Cyber Coordination Report, Tallinn, 2023, pp. 12-27.

^[32] Biscop S., European Defence and Cyber Coordination: Challenges and Opportunities, Routledge, London, 2022, pp. 91-105.

^[33] Fiott, D. « Political and Institutional Limits of EU-NATO Cyber Cooperation », Journal of European Security, Vol. 9, No. 2, 2024, pp. 47-62.

^[34] European Union Agency for Cybersecurity (ENISA), Standardisation and Resilience in EU-NATO Cooperation, Athens, 2023, pp. 22-37.

^[35] Kaunert Ch. & Leonard S., European Cybersecurity Governance and Public-Private Cooperation, Palgrave Macmillan, London, 2023, pp. 135-152.

^[36] Lewis J., Cybersecurity and Strategic Deterrence in Europe, CSIS Reports, Washington D.C., 2024, pp. 43-55.

^[37] The White House, National Cyber Strategy of the United States of America, Washington D.C., March 2023, pp. 8-20.

^[38] DHS/CISA, CISA Annual Report 2024, Washington D.C., 2024, pp. 12-35.

^[39] US Cyber Command, Persistent Engagement and Cyber Operations Doctrine, Fort Meade, 2022, pp. 10-28.

^[40] NIST, Cybersecurity Framework Version 2.0, Gaithersburg, 2023, pp. 15-50. Also, National Security Agency, Annual Cybersecurity Review, Fort Meade, 2025, pp. 12-29.

^[41] Congressional Research Service, « U.S. Cybersecurity Policy: Structure and Challenges, » CRS Report R47047, 2024, pp. 7-21. See also NIST, Cybersecurity Framework Version 2.0, Gaithersburg, 2023, pp. 15-50.   

^[42] Lewis, James A., « Deterrence and Cyber Strategy, » CSIS, 2023, pp. 1–10.

^[43] Lonergan, Erica D., « The Power of Beliefs in US Cyber Strategy, » Journal of Cybersecurity, Vol. 9, No. 1, 2023, pp. 1–24.

^[44] Washington Post, Trump Budget Plan to Cut Nearly 1000 Jobs at Cyber Agency CISA, November 28, 2025.

^[45] Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity, June 6, 2025.

^[46] AP News, Trump administration halts funding for two cybersecurity efforts, including one for elections, March 11, 2025.

^[47] Congressional Research Service, « Cybersecurity and U.S. National Security: Challenges and Opportunities, » CRS Report R47455, 2024, pp. 10-15.

^[48] Federal News Network, Trump admin focuses on « Zero Trust 2.0 », July 2025.

^[49] Op. cit.

^[50] Op. cit.

^[51] AP News, Hegseth orders suspension of Pentagon’s offensive cyberoperations against Russia, March 3, 2025. See also Washington Post, U.S. digital disarmament gives Russia free rein in cyberspace, March 3, 2025.

^[52] Kaunert Christian, European Perspectives on U.S. Cybersecurity Policy, Warwick University Press, 2024, pp. 88-101.

^[53] United Nations Office for Disarmament Affairs (UNODA), State Practices in Cybersecurity: China and Russia, New York, 2024, pp. 12-27.

^[54] Saalman L., Fei Su F., & Saveleva-Dovgal, L., Cyber Posture Trends in China, Russia, the United States and the European Union, SIPRI Research Report, Dec. 2022, chap. 2-3.

^[55] Laurent S., & Borchert H., L’Europe face aux cyber-pouvoirs, Presses de Sciences Po, 2024, p. 112-135.

^[56] Shambaugh D., China’s Cyber Power: Strategy, Capability and Governance, Oxford University Press, 2025, pp. 45-68.

^[57] ANSSI, Panorama de la Cybermenace 2024, Paris, 2025, 52 p.

^[58] Center for European Policy Analysis (CEPA), Russia’s Shadow Warfare, recent reports, pp. 1-12.

^[59] Russian cyber attacks against NATO states up by 25% in a year, The Guardian, 16 October 2025. See also ANSSI, op.cit.

^[60] Rid Thomas, Cyber War Will Not Take Place, Oxford University Press, 2018, 232 p. Major work reprinted several times, originally published under the aegis of the US Army War College in 2011, in response to a previous very early report by the RAND Corporation (very close to the CIA) in 1993 under the title « Cyber War Is Coming« . Updated analyses.

^[61] Lewis J., Cybersecurity and Geopolitics: The Russian Factor, CSIS Reports, 2024, pp. 19-42.

^[62] NATO Review, NATO and Strategic Competition in Cyberspace, June 2023, pp. 1-8.

^[63] Saalman L., Fei Su & Saveleva-Dovgal L., Cyber Posture Trends in China, Russia, the United States and the European Union, SIPRI Research Report, Dec. 2022, 39 p. V. in particular chaps. 2-3.

^[64] Center for European Policy Analysis (CEPA), Russia’s Shadow Warfare, recent reports, pp. 1-12. See also ANSSI, op.cit. 2025, 52 p. 

^[65] Kremidas-Courtney, Chris, Hybrid Storm Rising: Russia and China’s Axis against Democracy, European Policy Centre, May 2025, 13 p. 

^[66] Maness, Ryan C. & Valeriano, Brandon, Cyber War versus Cyber Realities, Oxford, Oxford University Press, 2015, 288 p. V. by the same authors Cyber Conflicts and Global Politics, Oxford University Press, 2022.

^[67] German Council on Foreign Relations (DGAP), A Reliable Global Cyber Power, Berlin, 2023, pp. 25-38.

^[68] Sugiyama, Masahiro & Lee Hae-Jin, Comparative Cybersecurity Cultures: Asia and the West, 2025, pp. 45-78.

^[69] Microsoft, Digital Defense Report 2025, Washington D.C., 2025, 85 p.

^[70] Cabinet Office, Government of Japan, Cybersecurity Strategy 2024, Tokyo, 2024, pp. 12–25.

^[71] Masahiro Sugiyama, Cyber Strategies in Japan: Norms, Governance and Capabilities, Tokyo University Press, 2025, pp. 87–103.

^[72] Okuno, Hiroshi, Japan’s Cybersecurity Doctrine: Defense and Norms in a Digital Era, University of Tokyo Press, 2023, pp. 45–67.

^[73] Lewis, James A., Japan’s Cybersecurity Dilemma, CSIS Report, Washington D.C., 2024, pp. 10–15.

^[74] German Institute for International and Security Affairs (SWP), Cybersecurity and Autonomy in the Indo-Pacific, Berlin, 2023, pp. 18–32.

^[75] Sekiguchi, Satoshi, AI and the Future of Japanese and Korean Cybersecurity, Keio University Press, Tokyo, 2025, pp. 55–78.

^[76] Korea Internet & Security Agency (KISA), Annual Report 2024, Seoul, 2024, pp. 15–30.

^[77] Kim, Joon Ho, Cyber Deterrence in South Korea: Regional Realities and Strategic Adaptation, Sejong Institute, 2025, pp. 25–42.

^[78] Lee, Hae-Jin, « South Korea’s Cybersecurity and U.S. Cooperation, » Asia-Pacific Cybersecurity Journal, Vol. 6, No. 2, 2025, pp. 63–78.

^[79] Park, Eun Ji, « Dependence and Autonomy in South Korea’s Cybersecurity Strategy, » Journal of East Asian Security, Vol. 12, No. 2, 2024, pp. 101–123.

^[80] Sekiguchi, Satoshi, op. cit., pp. 70–78.

^[81] A DDoS (Distributed Denial of Service)  attack consists of voluntarily saturating a digital service (website, server, network infrastructure) by sending massive and coordinated requests from a large number of compromised machines (botnets), making the service unavailable to legitimate users. These attacks are not primarily aimed at data exfiltration, but at functional disruption, the erosion of institutional trust and the demonstration of the ability to cause harm. Inexpensive, difficult to attribute and with a high symbolic impact, DDoS attacks have become a central instrument of hybrid cyber strategies, especially in contexts of geopolitical tension and indirect deterrence.

^[82] Bitzinger, Richard A., Taiwan’s Cyber Dilemma: Defense, Deterrence and Geopolitics, ISEAS Publishing, 2024, pp. 45–63.

^[83] Ibid., pp. 120–145.

^[84]Laurent S. & Borchert H., L’Europe face aux cyber-pouvoirs, Presses de Sciences Po, 2024, p. 158-172.

^[85] Lewis James A, Cybersecurity and Geopolitics, CSIS Reports, 2024, pp. 43-55.

^[86] Laurent S., op. cit., pp. 174-182.

^[87] Joseph S. Nye Jr., The Future of Power (New York: PublicAffairs, 2011), 113–135, quoted at 123: « Cyber power is exercised less through direct coercion than through the ability to shape the environment in which others operate, including dependencies, expectations, and norms. » See also Joseph S. Nye Jr., « Power and Interdependence in the Information Age, » Foreign Affairs 99, no. 6 (2020): 63–75, pp. 70–72.

^[88] Mario Draghi, The Future of European Competitiveness: A Strategy for Europe, 2024, 400 p., sections II and III. See in particular where President Draghi is extremely explicit2.3 and 3.1 « Europe has increasingly relied on regulation to compensate for insufficient scale, investment and strategic coordination ». « In critical digital sectors, regulatory sophistication has not been matched by industrial or technological leadership. »

^[89] Adam Segal, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age (New York: PublicAffairs, 2016), 1–22, 145–176, citation p. 8: « Cybersecurity strategies that focus primarily on defense and norms risk misunderstanding the fundamentally competitive nature of the domain. » See also Adam Segal, « When China Rules the Web, » Foreign Affairs 97, no. 5 (2018): 10–18.

^[90] Elsa B. Kania, « Securing China’s Digital Rise, » Survival 61, no. 4 (2019): 25–40, v. p. 30: « China’s approach to cyberspace integrates regulation, political control and operational capabilities into a coherent strategic framework. » See also Elsa B. Kania, « Cyber Capabilities and Political Control in China’s Strategic Competition, » Journal of Strategic Studies 44, no. 1 (2021): 1–29, pp. 6–10.

^[91] Mario Draghi, Speech on European Technological Sovereignty, Brussels, Paris and Berlin, 2025: « Europe has built a world-class regulatory framework, but it has not built the economic and strategic power needed to shape outcomes. » 

---

#cybersecurity, #cybersecurite, #cyberdefense, #cybersouverainete, #souverainetenumerique, #autonomiestrategique, #geopolitiquenumerique, #rivalitesgeopolitiques, #normesUE, #regulationnumerique, #NIS2, #SRI2, #CyberResilienceAct, #CyberSolidarityAct, #ENISA, #ANSSI, #OTAN, #NATO, #dissuasion, #deterrence, #cyberpower, #cyberwarfare, #hybridwarfare, #influenceoperations, #desinformation, #criticalinfrastructure, #infrastructurescritiques, #supplychainsecurity, #cloudsouverain, #datagovernance, #zerotrust, #postquantumcrypto, #IAcyber, #ransomware, #APT, #SOC, #cyberreserve, #cyberresilience, #strategieUE, #strategiccompetition#cybersecurity, #cybersecurite, #cyberdefense, #cybersouverainete, #souverainetenumerique, #autonomiestrategique, #geopolitiquenumerique, #rivalitesgeopolitiques, #normesUE, #regulationnumerique, #NIS2, #SRI2, #CyberResilienceAct, #CyberSolidarityAct, #ENISA, #ANSSI, #OTAN, #NATO, #dissuasion, #deterrence, #cyberpower, #cyberwarfare, #hybridwarfare, #influenceoperations, #desinformation, #criticalinfrastructure, #infrastructurescritiques, #supplychainsecurity, #cloudsouverain, #datagovernance, #zerotrust, #postquantumcrypto, #IAcyber, #ransomware, #APT, #SOC, #cyberreserve, #cyberresilience, #strategieUE, #strategiccompetition