The phenomenon of cyberattacks and data breaches in the EU has led to the implementation of the General Data Protection Regulation (GDPR) in 2018. However, this regulation could turn the supranational institution into a sovereign-based decision-making body and shift people's behavior toward enforcing data protection rules. This study investigates how the European Union implemented its strategy to enforce cybersecurity mechanisms between its member states through data protection regulations. This study employs a qualitative case study approach and collects data from 285 enforcement reports, five binding reports from the EDPB, and two unstructured interviews. We used reflexive thematic analysis to obtain the meaning of each report and each interview. The results reveal that supervisory authorities exercise power and create national and regional preferences that follow individuals and companies in the enforcement of data protection mechanisms in the EU. The study finds that Germany and France share the power to require multinational companies and public entities to comply with data protection rules across the EU. According to the thematic analysis, three themes emerge from the data collected in France and Germany: harmonization of Data Protection and cybersecurity, blending of enforcement, balancing Sovereignty and integration, and protecting national values through EU mechanisms. It shows that the EU’s cybersecurity strategy aligns with the principles of Liberal Intergovernmentalism, in which each member state negotiates its preferences through the EDPB and between member states, rather than with the principles of functionalism, in which institutions cooperate voluntarily through spillover mechanisms.
A Thu, study studied this question.