Institutional Friction in Transboundary Cyber Crisis Management in the European Union: Data-Protection Divergence and Incident Information-Sharing

Abstract

N/A

Cybersecurity incidents increasingly transcend national borders, yet the European Union's capacity for cross-border crisis coordination remains uneven in practice. This thesis argues that a significant and underexamined source of this unevenness lies in the divergent national interpretation and enforcement of EU data-protection rules, specifically the General Data Protection Regulation (GDPR), which generates institutional friction that impedes the timely, complete and actionable exchange of incident information among Member States. Adopting a qualitative, mechanism-focused design combining document analysis and process tracing, the thesis examines three empirical episodes: the 2021 cyberattack on the European Banking Authority, the January 2022 Lapsus$ attack on Portugal's Impresa Group, and the July 2021 ransomware attack on the German district administration of Landkreis Anhalt-Bitterfeld. Germany and Portugal serve as the primary comparative cases, chosen for their contrasting data-protection cultures and institutional capacities within the same EU-level coordination architecture. The analysis reconstructs incident response timelines and identifies the causal points at which legal uncertainty and compliance risk translate into observable delays, omissions and reductions in the quality of cross-border information exchange. Key findings show that legal friction operates multiplicatively rather than additively, is most consequential when incident data directly intersects with personal data and when formal channels are the primary sharing pathway, and disproportionately disadvantages smaller Member States where capacity constraints compound legal uncertainty. The thesis concludes with theoretical contributions to the crisis management and legal fragmentation literatures, and with concrete policy recommendations for interpretive harmonisation, Single Entry Point governance and capacity support for smaller Member States.