This paper is the first to closely examine the actual application of the EU´s Cyber Diplomacy Toolbox (CDT) measures by EU institutions/actors over the last six years, which culminated in the revised version of its implementing guidelines in June 2023. In doing so, we shed light on the question as to how far the EU has used the CDT as a vehicle to push for a strengthened Europeanisation of cybersecurity policies, or rather, if it presents a pragmatic approach to reach a stronger balance between internal and external coordination, as well as to reach the preservation of national prerogatives for security-sensitive actions.

This analysis’ structure follows as such: first, we outline the CDT and its measures in detail before explaining our methodological approach to investigate its usage over the last six years. We then proceed to analyse the concrete application of the CDT by EU institutions/actors up to 31 May 2023, based on a dataset (“CDT dataset”) in conjunction with various other qualitative sources. We argue that – in line with the EU’s overall role as a “soft power regulator” – the CDT’s history reflects the EU’s role as a preventive “civilian cyber power,” in contrast to a “coercive/restrictive cyber power.” Finally, we discuss our findings in light of the revised implementing guidelines and propose an outlook on the future of the CDT in the years to come.