Almost two years have passed since the Council of the European Union published the “Revised Implementing Guidelines of the Cyber Diplomacy Toolbox” (CDT) on 8 June 2023 (hereinafter referred to as “R-CDT”). The original CDT had been introduced in 2017. The revision of the CDT complements the previous incident-based strategy with a more strategic, sustained, and long-term approach towards cyber threats facing the Union and its Member States. In Part I of this overall three-part analysis, Sachs, Schmalfeldt, and Zettl-Schabath (2024) investigated measures applied by EU institutions and bodies for the first time within the context of the CDT, covering the period between January 2017 to May 2023. The analysis revealed the following major observations: preventive measures clearly dominate the EU’s application of the CDT, followed by stabilising and cooperative measures, while restrictive instruments, such as sanctions, remain rare. During this observed period, overall use of CDT measures increased over time, which was largely driven by Russia’s aggression against Ukraine. Capacity-building initiatives are the most frequently utilised preventive measures, primarily targeting candidate states for EU accession, as entry barriers for such initiatives are relatively low.

In this second part of the series, we consider possible consistencies and changes due to the R-CDT in order to evaluate progress and/or setbacks in streamlining the revised guidelines. In the upcoming third part of the series, we will expand our coding scheme to individual Member States, namely Estonia, the Netherlands, Portugal, Croatia, Italy, and Germany, thereby providing the first empirical analysis of national measures related to the EU CDT and enabling us to address similarities and differences in responses and measures. In doing so, we contribute to answering the question as to how far common EU diplomatic efforts to counter malicious cyber incidents may differ from national approaches, and furthermore, if this national dimension can at least partially explain deficiencies of the overall CDT application by EU institutions.