Hannah-Sophie Weber is a DPhil in International Relations Candidate at the Department of Politics and International Relations (DPIR), University of Oxford. Her doctoral research focuses on public-private relationships in the governance of digital infrastructure and cybersecurity. She has recently published on democratic legitimacy in cybersecurity governance and is interested in informal (cyber)security alliances and the role of private companies in global security governance more broadly. She has a professional background in cybersecurity and digital policy, having worked on the topic as a fellow at think tanks, German federal ministries, and international organisations. She is currently completing a Carlo-Schmid Fellowship at the United Nations (UN-ODET) in New York.

Two contrary paradigms pervade international cybersecurity governance: co-regulatory ideas of multistakeholderism and state-centric visions of digital sovereignty. They convey clashing ideas of how and by whom cyberspace should be governed. Paradoxically, public-private interaction underpins and nurtures both paradigms — despite their ideological clash. Renewed commitments of US hyperscalers to European digital sovereignty and the EU’s funding directed towards multistakeholder initiatives illustrate this. But what explains puzzling alignment of public and private actors behind these contrary paradigms, especially amidst heated geopolitical times?

My paper makes the case that emerging cybersecurity communities (ECCs) play an underexplored, cushioning role. They shape how cybersecurity governance ecosystems adapt and re-order when challenged by geopolitical turmoil. Existing accounts neglect the everyday practices of the individuals working in cybersecurity governance. To better understand how contrary governance paradigms continue to coexist, my paper makes a practice-theoretical intervention. I introduce the analytical framework of emerging cybersecurity community (ECC). Building on security community theorising and critical scholarship on cybersecurity and technology politics, ECCs are conceptualised as informal and cross-sectoral constellations of actors that emerge through: (1) a routinised exchange of cyber expertise, (2) shared perceptions of external threat, and (3) nascent cross-sectoral trust. ECCs enable public and private actors to coordinate in ways that neither require nor are constrained by formal institutional alignment or regulatory policy commitments.

Empirically, I zoom in on the regional case of EU cybersecurity governance and its Brussels ecosystem. Drawing on extensive fieldwork and elite interviews, I trace patterns of interaction between public (EU) institutions and private (US) technology companies. While the key alternative accounts of norm entrepreneurship and the Brussels effect both offer valuable insights, they remain fatally confined to capturing either public or private influence – instead of their relational interplay. My complementary framework of emerging cybersecurity community enables a better understanding of how increasingly autonomous tech companies and state actors navigate cybersecurity governance amidst - and despite - rising disorder in international politics.