Cybersecurity Explainer: US and EU Strategy and Policy
Cybersecurity sits at the heart of today’s digital economy. As governments, businesses, and individuals become more dependent on interconnected technologies, protecting the systems that govern everyday life is vital.
Cybersecurity broadly refers to the measures used to protect networks, infrastructure, devices, applications, and data from attacks or unauthorized access. It covers not only technical components such as hardware, software, and networks, but also the institutions and people using them. Their behavior often shapes system vulnerability. In practice, cybersecurity extends beyond technology to support economic and national security by protecting critical infrastructure and helping safeguard consumers.
It is important to distinguish cybersecurity from data security. The two are often conflated but refer to different concepts. Cybersecurity focuses on protecting systems and networks, while data security focuses specifically on protecting data itself and ensuring that sensitive information remains confidential. A data breach is a type of incident in which protected data is exposed or accessed without authorization, often due to a cybersecurity failure.
Data privacy in the EU is governed by the General Data Protection Regulation (GDPR). This law applies to companies handling the personal data of those physically located in the EU, even if the company is based outside the bloc. The United States does not have a single federal data protection law, but state-level rules may exist. The California Consumer Privacy Act (CCPA), for example, grants residents of that state certain privacy rights and applies to companies doing business in the state, even if they do not have a physical presence there.
Beyond software and networks, growing attention is also on hardware vulnerabilities, including risks linked to reliance on designers and manufacturers of critical components in sectors such as aviation and energy. Semiconductors, which are foundational to technologies spanning consumer electronics, AI, and advanced defense systems, have become a focal point of national and economic security discussions. Recent reports note that cyberattacks targeting the semiconductor industry have surged dramatically, driven by geopolitical competition and the strategic importance of chip supply chains. As semiconductors underpin critical infrastructure, vulnerabilities at the hardware level increasingly raise concerns about supply chain security.
Given these challenges, and in response to an increasingly contested geopolitical landscape and rapid technological change, US and EU cybersecurity policy is evolving. This is reflected in intensifying debates in Washington, DC and Brussels about harnessing powerful new AI tools for cyber defense while guarding against their misuse. OpenAI’s GPT‑5.5‑Cyber and Anthropic’s Claude Mythos promise to help defenders find software vulnerabilities and analyze malware, but they could also be used for hacking.
Updates to US and EU cybersecurity strategies were already underway prior to the release of these models. The White House’s Office of the National Cyber Director announced a new national cyber strategy in March, two months after the European Commission proposed a major revision of its Cybersecurity Act. The timing coincides with the emergence of deepening digital dependencies and technological developments that provide fertile ground for cyberattacks. The 2025 Threat Landscape Report from the EU Agency for Cybersecurity (ENISA) highlights, among other concerning trends, adversarial exploitation of digital supply chains, the increasing overlap among “hacktivism, cybercrime and state-nexus activity”, and AI’s role in social engineering and the creation of realistic phishing attacks. AI’s ability to amplify threats across domains is shifting the notion of cyber resilience, which the US National Institute of Standards and Technology (NIST) defines as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
This explainer outlines the US and EU approaches to cybersecurity. It examines their goals, institutions, policy tools, and areas of convergence and divergence. It also notes the issues and questions that policymakers have yet to address.
The United States: Strategy, Institutions, and Policy Tools
Core goals and principles
The 2026 US National Cyber Strategy strikes an aggressive posture, promising to “act swiftly, deliberately, and proactively to disable cyber threats to America”. It also notes that the United States “will not confine [its] responses to the ‘cyber’ realm”. At four pages, the document is compact compared to the Biden administration’s 38-page 2023 cyber strategy. Some analysts view the new document as a statement of intent rather than a complete strategy. Further implementation measures are expected, including a scheduled but unreleased action plan.
The latest strategy is organized around six pillars:
- deterring and disrupting cyber threats more aggressively by working closely with the private sector and with allies
- streamlining cybersecurity rules while maintaining data protection
- prioritizing the upgrading and securing of government systems with modern technologies and creating competitive procurement processes
- protecting critical infrastructure such as energy grids, financial systems, and hospitals, and moving away from foreign technologies in these areas
- keeping the United States ahead in technologies such as AI, quantum computing, and crypto
- strengthening the cyber workforce through better education, training, and coordination
A consistent theme runs across the pillars: Cybersecurity is a shared national security challenge requiring concerted public-private action.
The strategy emphasizes the private sector’s role in threat detection and disruption. Crucially, its messaging on the use and scope of offensive cyber capabilities by private actors is ambiguous. The strategy indicates only that the United States is prepared to “unleash” the private sector to counter cyber threats proactively, including to disrupt adversaries before they can carry out attacks. At the same time, “hack back” operations remain illegal under US law. The result is a strategy that signals more assertive private-sector involvement without clearly defining its limits. There is also no mention of specific adversaries, a departure from the Biden administration’s 2023 approach, which named China, Iran, North Korea, and Russia as malicious actors in cyberspace.
Key institutions
A decentralized network of federal, state, and sectoral authorities oversees US cybersecurity. The primary federal government agencies are:
| Entity | Role | Agency |
| --- | --- | --- |
| Cybersecurity and Infrastructure Security Agency (CISA) | Handles civilian-sector defense and coordinates the protection of critical infrastructure, working closely with states and industry | Department of Homeland Security |
| Federal Bureau of Investigation (FBI) Cyber Crime | Leads criminal investigations into cyberattacks, attribution of threat actors, and victim support | Department of Justice |
| US Cyber Command (USCYBERCOM) | Leads military cyber operations, including defending defense networks and countering foreign threats; activities guided by the “Defend Forward” doctrine, introduced in the first Trump administration’s 2018 Department of Defense Cyber Strategy, which marked a turn toward a more proactive, offensive US cyber posture | Department of Defense |
At the federal level, the Federal Trade Commission (FTC) plays a leading role in enforcing cybersecurity laws and regulations, mainly through the FTC Act and the Gramm-Leach-Bliley Act. The Department of Homeland Security and NIST also help shape and support the broader cybersecurity regulatory framework. For public companies, rules set by the Securities and Exchange Commission remain central, as cyber incidents are financial risks, not just technical issues. A major breach can affect operations, reputation, and, ultimately, stock price. Companies must consequently disclose material cybersecurity incidents (i.e., those that could influence investor decisions) and how they manage cyber risk and oversee cybersecurity at board level. The US Secret Service investigates cyber-enabled financial crime, along with the Financial Crimes Enforcement Network at the Treasury Department.
Evolution of US cyber strategy
The United States has a federal cybersecurity strategy, but it is not legally binding. As such, no single, comprehensive federal cybersecurity law exists. Cybersecurity governance instead remains highly distributed and fragmented across federal, state, and sectoral authorities. Overlapping rules often use inconsistent definitions, impose divergent security requirements, and set conflicting or duplicative reporting obligations.
Congress has sought over time to fill some gaps, most notably through the Cybersecurity Information Sharing Act of 2015 and the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The latter mandates incident reporting by certain critical infrastructure operators to CISA. Sector-specific and state-based regimes (e.g., the Health Insurance Portability and Accountability Act and the New York SHIELD Act) reinforce a patchwork regulatory landscape.
Executive action is consequently an important driver of cybersecurity policy. The Biden administration’s cybersecurity strategy pushed for stronger regulation of critical sectors and for shifting liability to software providers. Executive orders 14028 (“Improving the Nation’s Cybersecurity”) and 14144 (“Strengthening and Promoting Innovation in the Nation's Cybersecurity”) put this approach into practice. Together, they set out an expansive agenda for moving responsibility away from all firms and toward digital infrastructure providers, while strengthening federal oversight. Measures include secure software attestation requirements for government contractors, and new federal initiatives on digital identity, AI, and post-quantum security.
President Donald Trump’s June 2025 executive order 14306 (“Sustaining Select Efforts to Strengthen the Nation's Cybersecurity”) illustrates a shift in approach without overturning this framework. Rather than revoking earlier orders, it scales back selected provisions and gives the private sector greater leeway through voluntary adoption of standards. Core tools, such as cyber‑related sanctions, first formalized in the Obama administration’s 2015 executive order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”), remain in place. The result is a recalibration by which the federal government continues to set direction but places greater responsibility for delivering cybersecurity outcomes on industry.
This trajectory reflects a broader evolution in US cyber policy from a largely voluntary, best‑practice model to more assertive federal involvement in the early 2020s and now to a mixed approach that combines targeted federal tools (e.g., reporting mandates and sanctions) with greater reliance on private‑sector initiative and regulatory streamlining.
At the same time, US cyber policy has increasingly overlapped with federal agencies’ initiatives designed to protect critical hardware. In telecommunications, the Federal Communications Commission (FCC) has designated equipment from firms such as Huawei Technologies Company as “covered”, meaning that it poses an unacceptable national security risk. Such equipment cannot receive FCC authorization and therefore cannot be imported, marketed, or sold in the United States. In the automotive sector, the US Trade Representative raised tariffs on Chinese electric vehicles in 2024, while the Commerce Department’s 2025 connected-vehicles rule prohibits certain China- or Russia-linked vehicle connectivity system hardware and covered software integral to connected vehicles. The following year, US lawmakers introduced the Connected Vehicle Security Act, which would prohibit the import, manufacture, and sale of connected vehicles and components linked to China. The proposal reflects growing fears that modern cars, which can collect and transmit sensitive data, could pose security risks if tied to companies subject to Chinese state intelligence laws. In June, the Pentagon expanded its list of Chinese firms with suspected military ties to include Alibaba, Baidu, and BYD, preventing direct contracting with or purchasing from them via third parties starting in 2027. This is another sign of increasing geopolitical tension and mistrust.
The EU: Strategy, Institutions, and Policy Tools
Core goals and principles
The EU’s cybersecurity approach is anchored in the EU Cybersecurity Strategy for the Digital Decade, presented by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy (HRVP) in 2020. The framework is implemented through member-state national cybersecurity strategies, which translate EU-level priorities into concrete measures. All EU countries have adopted at least one such strategy since 2017. ENISA coordinates the national strategies and provides an overview of their scope through tools such as interactive maps.
The EU’s cyber strategy focuses on three goals: making Europe more resilient, strengthening its ability to respond to cyber threats, and promoting a safer cyberspace. It aims to boost the security of critical sectors (especially through the NIS2 Directive) while investing in skills, innovation, and tools such as AI-powered systems to detect threats early. At the same time, the EU is improving coordination among member states through initiatives such as a Joint Cyber Unit and stronger cyber defense and diplomacy tools. Finally, the bloc seeks to promote global “rules-based, secure, and stable cyberspace” by working with partners, supporting shared standards, and expanding its cyber diplomacy network.
The strategy also aims to update existing EU-level measures and is underpinned by an investment push of up to €4.5 billion in combined EU, national, and industry funding for 2021 through 2027. The financing comes from initiatives including the Digital Europe Program and Horizon Europe (both via the European Cybersecurity Competence Center and National Coordination Centers), and the Recovery and Resilience Facility. Most funds are earmarked for small and medium-sized enterprises. Investment efforts, including those envisaged by the June 2025 Technological Sovereignty Package, also aim to strengthen the EU’s industrial and technological base in areas such as data and cloud, semiconductors, and 6G networks.
Key institutions
While member states retain primary responsibility for their own national security and law enforcement, the EU coordinates policy, incident response, and certification through a network of specialized bodies.
| Entity | Role | Placement |
| --- | --- | --- |
| EU Agency for Cybersecurity (ENISA) | Primary agency dedicated to achieving a high level of cybersecurity across the EU; coordinates EU responses to large-scale cyber incidents; helps member states with ad hoc cybersecurity issues; ensures implementation of cybersecurity legislation | Distinct agency |
| European Cybercrime Centre (EC3) | Specialized unit focused on combating cybercrimes, major digital fraud, and organized cybercrime networks | Europol |
| Computer Emergency Response Team (CERT-EU) | Serves EU institutions, agencies, and bodies; acts as frontline defender against, and responder to, cyber threats aimed at the EU's own digital infrastructure | Hosted within the Directorate-General for Digital Services of the European Commission, but inter-institutional |
The rules of the system at the EU level are shaped by the European Commission’s Directorate-General for Communications Networks, Content and Technology (DG CONNECT), which leads on drafting cybersecurity legislation, and the Directorate-General for Migration and Home Affairs (DG HOME), which covers cybercrime and internal security. The European External Action Service, the EU’s diplomatic arm, leads the bloc’s efforts on cyber diplomacy and strategic communication.
Evolution of EU cyber strategy
The EU’s approach to cybersecurity has moved from a limited, coordination-based framework anchored in member-state prerogatives to a far more ambitious project that uses internal market powers to shape cybersecurity across the bloc.
Cybersecurity initially largely fell outside the EU’s core competences. Individual member states retained primary responsibility for national security and defense issues. Early EU initiatives therefore focused on facilitating cooperation, information sharing, and baseline preparedness.
The 2016 Network and Information Security (NIS) Directive reflected this logic. It established minimum risk-management practices, reporting requirements, and coordination mechanisms for essential services operators and digital service providers. However, it ultimately left significant discretion on implementation to member states. Similarly, the 2019 Cybersecurity Act established a voluntary EU cybersecurity certification framework for information and communications technology (ICT) products, services, and processes, but gave ENISA a permanent mandate.
The 1995 Data Protection Directive and national-level laws, superseded eventually by the GDPR, addressed aspects of cyber risk, particularly data breaches involving personal data, highlighting the overlap between cybersecurity and privacy regulation.
The EU has, over time, systematically redefined cybersecurity as a condition for the functioning and resilience of the single market rather than a purely national security concern. The 2020 Cybersecurity Strategy included provisions for protecting critical infrastructure from large-scale supply chain attacks and geopolitical risk. The conceptual shift is also mirrored in the EU’s move away from reactive, incident-driven policy toward a more structural approach to risk reduction. The result is an increasingly dense regulatory ecosystem that seeks to reduce vulnerabilities before they materialize, rather than merely manage their consequences.
The 2022 NIS2 Directive, which revised the original NIS Directive, also exemplifies the shift. Its expanded scope, stricter supervisory regime, and harmonized obligations signal that cybersecurity is now treated as a systemic economic risk that must be managed collectively. In doing so, the EU elevates cybersecurity from a technical or operational issue to a central economic security concern.
The Cyber Resilience Act (CRA) represents yet another measure in this direction. It introduces binding requirements for manufacturers to ensure that products with digital elements are secure throughout their lifecycle, from design and development to maintenance and patching. Compliance is required for entry into the EU market. In practice, this shifts responsibility to designers and producers, aligning cybersecurity with the EU’s broader tradition of product safety regulation. The combination of CRA at the product level and NIS2 at the organizational level creates a layered system in which firms and the technologies they deploy are subject to security obligations.
This regulatory turn is closely tied to wider concerns about economic security and technological dependence. As cyber threats become more complex and intertwined with geopolitical competition, the EU increasingly frames cybersecurity as integral to the resilience of its internal market and the protection of critical infrastructure and supply chains.
The current trajectory reveals a distinctly European model of cybersecurity governance. The EU is leveraging its regulatory and market-shaping powers to embed cybersecurity across the economy and transform it from a technical issue into a foundational requirement for economic security. The bloc’s ability to respond in real time to a rapidly changing cyber environment nevertheless remains structurally limited. It does not conduct unified offensive cyber operations, and member states retain primary responsibility for national security and incident response.
Convergence and Divergence in US and EU Approaches
The United States and the EU view cybersecurity not as a narrow technical domain but as a core pillar of economic and national security. The rapid digitization of critical infrastructure, from energy systems to healthcare, has reinforced their perspective, elevating cyber risk to a systemic concern. Both parties are driven by the growing recognition that cyber tools are reshaping conflict and creating new avenues for physical and digital disruption.
Many underlying operational challenges are the same across the Atlantic, and many cyber incidents arise from basic, avoidable weaknesses, including vulnerability to phishing attacks, weak passwords, misconfigured systems, and outdated software and hardware. Despite rapid technological advances, individuals and organizations still struggle to patch known vulnerabilities and secure systems at scale. A workforce shortage is one major reason for this. Public and private actors increasingly face difficulties recruiting and retaining skilled cybersecurity professionals, particularly as the threat landscape becomes more complex and AI-driven.
Emerging technologies are changing the context in which these challenges play out. AI is rapidly reshaping cybersecurity, acting simultaneously as a force multiplier for defenders and attackers. The technology enables faster threat detection and response automation, but it also amplifies the sophistication, speed, and scale of attacks. It shortens the window between vulnerability discovery and exploitation, and lowers barriers to entry for malicious actors. In this sense, AI is not replacing traditional cyber challenges but intensifying them.
American and European cybersecurity approaches also emphasize public-private cooperation, reflecting private actors’ predominant ownership and operation of cyberspace. But each approach also has its limits. The EU model can create compliance burdens and implementation challenges in the different member states. The US approach, in contrast, can lead to fragmentation and gaps in coverage across sectors and states.
Yet beneath the alignment lies a more complex picture of divergence and interdependence. The EU has leaned heavily on its regulatory powers to embed cybersecurity obligations across the single market and supply chains, while the United States has favored a more dispersed, market-driven, and sector-specific approach, with no comprehensive federal cybersecurity legal framework. Due to network effects and Europe’s dependence on American technologies, Europe’s cyber resilience remains deeply intertwined with US capabilities. American firms continue to dominate key markets for cybersecurity tools, cloud infrastructure, and threat intelligence, and Washington provides critical support for vulnerability databases and open-source software. These dependencies extend beyond visible areas such as cloud services to the underlying architecture of cyber defense.
Recent shocks to access have made these dependencies more visible and politically salient. The US government’s recent export controls on Claude Fable 5 and Mythos 5 illustrate the geopolitical stakes of the AI and cyber race. The controls suspended access for foreign nationals and ultimately prompted Anthropic to disable the models. For European policymakers, the possibility that access to critical technologies could be restricted, even temporarily, reinforces concerns about overreliance on external providers.
These dependencies play into a growing strategic debate over technological sovereignty. EU cybersecurity policy is now closely intertwined with efforts to reduce dependence on foreign technology providers, build domestic capabilities, and reduce strategic vulnerabilities across the digital stack. The Technological Sovereignty Package, proposed by the European Commission in early June, outlines a set of measures to strengthen the bloc’s capacity in semiconductors, AI, cloud, and open source. The EU remains heavily reliant on non-European providers for key digital services, particularly cloud infrastructure, where three US firms (AWS, Google, and Microsoft) account for about 70% of the market, a dominance that also affects access to AI infrastructure. In response, the bloc’s Cloud and AI Development Act, part of the tech sovereignty package, references the forthcoming European Cybersecurity Certification Scheme for Cloud Services as a potential criterion for determining sovereign cloud services. The Chips Act 2.0 proposes cybersecurity risk assessments for public procurement of semiconductors in critical sectors.
These measures raise a set of open and increasingly consequential questions. As European definitions of digital and technological sovereignty become more operationalized, they are drawing clearer lines among vendors, potentially excluding foreign providers from sensitive sectors such as government, healthcare, and critical infrastructure. The EU’s new Cybersecurity Act would impose stricter controls on “high-risk suppliers” to reduce structural dependencies in ICT supply chains. At the same time, it remains unclear how the integration of advanced AI-enabled cyber tools, many of which are developed or operated by non-European firms, will fit within these stricter procurement and sovereignty frameworks. This tension is likely to intensify as AI becomes more deeply embedded in security operations.
This structural interdependence underlines the enduring importance of transatlantic cooperation on aligning approaches to trusted vendors and avoiding market fragmentation for secure digital products. Further alignment is needed on criteria for vendor trustworthiness; coordination of certification and assurance frameworks; and initiatives to jointly reduce exposure to high-risk suppliers.
Such cooperation would allow both sides to reconcile two competing imperatives: maintaining the efficiencies of an integrated digital economy and mitigating the vulnerabilities associated with concentrated and geopolitically exposed ICT supply chains. A coordinated approach would also acknowledge a central insight emerging from the current debate: that resilience, in a deeply interconnected cyber ecosystem, is less about eliminating dependencies than about managing interdependence with credible mechanisms and standards that preserve trust and continuity.
The views expressed herein are those solely of the author(s). GMF as an institution does not take positions.