The digital battlefield: EU-China cybersecurity diplomacy in the 21st century – Part I

The global cybersecurity landscape presents a paradox for EU-China relations: mutual vulnerabilities to cybercrime, hybrid threats and supply chain risks demand collaboration, yet divergent governance models pose significant obstacles. This two-part article examines the potential for strategic cooperation, drawing on the European Union’s ‘White Paper for European Defence – Readiness 2030’ and broader diplomatic initiatives. Through an analysis of shared interests, existing multilateral efforts and policy recommendations, it argues that pragmatic collaboration can transform cybersecurity into a stabilising force in EU-China relations, with broader implications for global digital governance.

Technological innovation is reshaping military and civilian domains alike, driving new dynamics in global aerospace development and cybersecurity strategies. Against this backdrop, the EU-China relationship presents a microcosm of global shifts: complex, multifaceted and crucial for stability in cyberspace.

The literature on EU-China cybersecurity relations sits at the intersection of cybersecurity studies, international relations, and technology governance. Scholars have long debated the tension between state sovereignty and global interdependence in cyberspace. China’s concept of ‘internet sovereignty’ emphasises state control over digital borders, while the EU’s General Data Protection Regulation (GDPR) reflects a commitment to individual rights and cross-border data flows. This divergence complicates cooperation, yet shared vulnerabilities – such as the rise of hybrid threats and AI-driven disinformation – underscore the need for dialogue. This two-part article builds on these insights, proposing a framework for cooperation that balances competition with collaboration.

China boasts one of the world’s most stringent cybersecurity governance regimes, encompassing the digital economy, online media content and its IT industry – spanning data protection, critical infrastructure, encryption and internet oversight. The 2017 Cybersecurity Law[1] is just the tip of the iceberg in China’s broader effort to regulate cyberspace and secure its digital infrastructure. Under Xi Jinping’s leadership, IT has become a pillar of economic development, with cybersecurity prioritised as digital threats multiply.

Beijing’s strategy already outstrips the US and Europe in scope and control. While the US excels militarily through Cyber Command’s ‘defend forward’ approach, its broader efforts, like the 2023 National Cyber Strategy,[2] are faulted for vagueness, with agencies like CISA wielding limited authority and much left to private industry, underscoring a struggle for cohesion.

Europe’s cyberspace strategy, less militarised than the US’, emphasises resilience and cooperation. The EU Cybersecurity Strategy, updated in 2020, focuses on protecting critical infrastructure, enhancing cyber resilience, and fostering a single digital market. The Network and Information Systems Directive (NIS2), effective from 2024, mandates cybersecurity across key sectors like energy and health, while the 2019 Cybersecurity Act bolsters ENISA as a central hub. Unlike the US’ military focus, Europe prioritises civilian and economic security through initiatives like the Digital Europe Programme, funding tech and cyber defences. Cooperation is central, with member states aligning via the EU Cyber Diplomacy Toolbox, though varying national capabilities can hinder execution.

Whether major economies like India, Brazil and the ASEAN bloc embrace China’s cyberspace sovereignty model remains uncertain. It is clear that Beijing’s playbook – cemented by the 2017 Cybersecurity Law and 2021 Data Security Law – is all about state muscle, locking down data, ramping up surveillance and bending tech firms to its will under the twin flags of national security and self-reliance.

Should these emerging markets align with China, the US and Europe could see their economic influence erode. The result: a divided digital landscape, with one bloc adhering to Beijing’s regulations and another following Western standards. China’s advanced tech framework – highlighted by the Great Firewall and firms like Huawei – commands global attention, shaping supply chains, 5G/6G standards, and AI governance.

Major economies must confront this reality, choosing to adopt, adapt or oppose Beijing’s vision. The outcome will likely blend competition and compromise rather than a clear-cut split.

Over the past five years, Chinese state-sponsored cyber operations have become more sophisticated and reveal a calculated playbook targeting espionage, economic gain and strategic leverage. Groups like Volt Typhoon have burrowed into US critical infrastructure – think energy grids and water systems – preparing for potential disruption, as seen in their year-long hideout in a Massachusetts utility’s network before the FBI intervened in 2024.[3]

Meanwhile, APT31’s 14-year global hacking spree[4] hit over 10,000 targets, from US officials to tech firms, with malicious emails feeding Beijing’s intelligence and industrial ambitions. Let’s remember that APT41’s Operation CuckooBees[5] siphoned intellectual property from multinationals to juice China’s “Made in China 2025” push. Also, Flax Typhoon’s botnet,[6] dismantled in 2024, exploited old routers worldwide to keep a foothold in critical networks – proof Beijing blends sophisticated tradecraft with low-tech persistence to flex its cyber muscle.

These activities exploit vulnerabilities in public-facing systems, driven by internal military reforms, regulatory changes and external factors like Western reporting. China’s shift from broad intellectual property theft to more focused espionage aligns with its strategic goals, such as the Belt and Road Initiative. This poses significant risks to governments and corporations worldwide. As cyberthreats increasingly target critical infrastructure, a more robust defence strategy is needed beyond traditional vulnerability-centric approaches.

As China continues to enhance its cyber capabilities, its assertive positions in regions like the South China Sea and Taiwan are likely to amplify global cyber espionage activities. This elevates China to a central role in cyber espionage and information warfare, highlighting the pressing need for effective EU-China cybersecurity cooperation. In addition, significant challenges remain:

1. Divergent governance models: China’s focus on political control and information regulation contrasts sharply with the EU’s commitment to openness, privacy and human rights. This difference complicates digital governance discussions, as China prioritises control while the EU supports transparency and democratic frameworks.
2. Trust deficit and cyber espionage concerns: ongoing allegations of state-sponsored espionage and intellectual property theft continue to strain relations between China and the EU. To foster cooperation, both sides must work toward transparency, accountability and stronger cyber diplomacy.
3. Hybrid threats and disinformation: China’s suspected involvement in disinformation campaigns further intensifies tensions with the EU, complicating collaborative efforts to combat hybrid threats. The convergence of cyber espionage and disinformation presents a significant obstacle to joint cybersecurity initiatives.

China’s rise as a technological power has roots in historical events that catalysed its strategic priorities. The accidental bombing of the Chinese embassy in Belgrade in 1999 exemplifies a turning point. This incident underscored vulnerabilities in China’s defence capabilities, prompting investments in space weapons, cyber warfare, and advanced missile systems. Today, these technologies are integral to China’s military and cybersecurity strategies.

China’s dual narrative – simultaneously pursuing economic growth and political stability – manifests in its approach to the internet. The state emphasises unbundling liberal sociotechnical norms to maintain control while fostering innovation. This duality challenges international partners, particularly the EU, to navigate cooperation amid contrasting principles.

Cybersecurity discussions often centre on advanced persistent threats (APTs), a term historically associated with Chinese cyber actors. However, these threats reflect a broader global challenge rather than a one-sided phenomenon.

Brussels has been sounding the alarm on China’s cyber playbook for years, and the noise is getting louder. On 19 July 2021, the EU publicly called out Beijing to rein in malicious cyber activities tied to the APT31 group – a shadowy outfit linked to attacks on government bodies, political groups and key industries across the bloc. The fallout was real: stolen data, compromised networks and a lingering headache for EU security chiefs. Fast forward to 2022, and Belgium doubled down, echoing the demand for action against these Chinese-backed threats. The European Union Agency for Cybersecurity (ENISA) and CERT-EU, the bloc’s cyber response arm, aren’t mincing words: APT31 and its ilk remain a “serious and ongoing risk”, obsessed with pilfering intel and burrowing into critical networks.

Cybersecurity showdown: China vs the EU 

In a world wired tighter every day, cybersecurity isn’t just tech, it’s geopolitics. China, the US and the EU are slugging it out with strategies that mirror their DNA: Beijing doubles down on state control, Washington bets on tech supremacy and Brussels pushes rules and teamwork. The stakes? Who shapes the digital future – autocrats, innovators or regulators.

China’s cyber grip 

China’s cybersecurity isn’t about firewalls – it’s about loyalty to the Communist Party. Since 2014, the Cyberspace Administration of China (CAC), under the State Council’s propaganda arm, has yanked the reins from the technocrats at the Ministry of Industry and Information Technology. The mission: lock down information, not just systems. “Information security” in Beijing’s playbook means policing content, shielding the Party’s narrative and keeping 1.4bn people on message – less about resilient grids, more about ideological steel. Contrast that with the EU’s obsession with bulletproof networks and privacy guardrails.

Cybercrime in China plays a different game, too. It’s mostly homegrown – scammers and fraudsters preying on locals. Enforcement? Spotty. Big crackdowns happen, but politics picks the targets, leaving plenty of digital black markets humming. Then there’s the espionage machine: China’s APT’s (Volt Typhoon or APT31) run industrial-scale hacks, swiping IP, and eyeballing global industries to support China’s economic and military rise.

Beijing’s data hoard is massive but turning it into gold is trickier – processing lags, costs pile up and mimicking Silicon Valley’s innovation mojo remains elusive. So, China leans harder into legit channels: open-source scoops and analysis hubs, blending global tech into its own brew.

The EU’s cyber bet: rules over rulers 

The EU charts a distinct course in cybersecurity, rejecting China’s centralised, top-down model. Instead, Brussels fosters cooperation among its 27 member states, leaning on regulatory frameworks like the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive to forge a digital bloc that prioritises both security and privacy. This approach seeks to harmonise protections across diverse nations, emphasising citizens’ rights in contrast to Beijing’s Party-centric philosophy, where surveillance doubles as a tool for control. The EU’s strategy – protection through regulation rather than domination – has set influential global standards, though it’s not without challenges, such as enforcement inconsistencies across borders.

As the GDPR approaches its seventh year in 2025, the EU’s flagship data protection law faces growing scrutiny. Hailed for setting global privacy standards, GDPR now is confronted with gaps exposed by rapid technological shifts, uneven enforcement, and geopolitical pressures – particularly as the EU navigates its cybersecurity rivalry with China.

Technological leaps like artificial intelligence (AI), machine learning, and big data analytics have outstripped GDPR’s 2018 framework, raising unresolved questions about consent, automated decisions and biometric data use – issues China sidesteps with its unrestricted data policies. Enforcement remains inconsistent across the EU’s 27 states, with resource-strapped national authorities creating bottlenecks, unlike China’s centralised grip. Geopolitically, GDPR’s extraterritorial reach irks US firms claiming it stifles innovation and leaves the EU less agile against China’s data-driven economic edge, while escalating cyber threats – think 2024’s energy grid attacks – reveal tensions between GDPR’s privacy focus and security needs.

Public and business feedback further fuels the push for change: citizens struggle to exercise rights, and SMEs decry compliance costs that favour tech giants, a burden China’s system avoids entirely. Legal ambiguities, spotlighted by court rulings like Schrems II, complicate data transfers, while the European Commission’s 2024 GDPR report acknowledges these flaws, urging clearer guidance and alignment with new laws like the AI Act. Industry voices, including DIGITALEUROPE, echo this, advocating a review to harmonise rules and boost Europe’s digital market. Without updates, GDPR risks fading as a liability – undermining the EU’s stance against China’s cyber dominance and shaping the global data battleground ahead.

In the EU-China cybersecurity battlefield, GDPR-AI Act alignment strengthens the EU’s position. China’s AI strategy, backed by unrestricted data access and state surveillance, fuels rapid development – think facial recognition across 600 million cameras. The EU, prioritising rights and ethics, risks falling behind unless its regulations are cohesive. Alignment ensures GDPR’s privacy shield complements the AI Act’s innovation framework, enabling trustworthy AI that counters China’s model without sacrificing competitiveness. For instance, a harmonised approach could speed up secure AI deployment in critical sectors (e.g., energy grids), bolstering resilience against cyber threats China exploits.

This regulatory cohesion not only fortifies the EU’s defences but also positions it as a counterweight to contrasting global approaches, including that of its transatlantic ally, the US, which navigates similar tensions with its own technological strategy.

Meanwhile, the US leverages its technological dominance to secure its place in an increasingly digital world, blending the NSA’s expansive surveillance capabilities with Silicon Valley’s cutting-edge innovations. This dual-edged approach strengthens cybersecurity while reinforcing America’s strategic edge amid global tensions. However, it’s a polarising tactic: critics like Edward Snowden, who exposed the NSA’s PRISM programme in 2013,[7] and Senator Ron Wyden, a staunch defender of privacy, argue that such surveillance overreaches, infringing on constitutional rights through broad, often indiscriminate data collection. On the other side, proponents – including former NSA Director General Keith Alexander and cybersecurity expert Bruce Schneier, who offers a measured case for its utility – insist it’s a necessary shield against terrorism, espionage and evolving cyber threats in a post-9/11 era. The NSA remains a pillar of US cybersecurity, navigating a tightrope between technological might and the scrutiny of courts, lawmakers, and groups like the ACLU.

China’s cyber strategy integrates defence and control, embedding extensive state surveillance within a framework that prioritises national security and social stability to consolidate power. Through tools like the Social Credit System, which tracks citizens’ behaviour using data from over 200 million cameras, and the Cybersecurity Law of 2017, which mandates data localisation and government access, China monitors both domestic activity and foreign threats.

Europe’s cyber tightrope: defending against dragons  

Europe’s cybersecurity game faces a dual threat: loud assaults like China’s Great Cannon and the quieter, creeping espionage of groups like the NSA or Beijing’s APTs. The EU can’t just bolt the front door, it needs sharper defences against both the battering ram and the backdoor picklock. That means beefing up resilience to blunt-force attacks on critical systems while sniffing out covert data grabs that could hollow out its economic edge. Diplomatically, Brussels can’t afford to play favourites – pointing fingers at China’s hacks while winking at others risks a credibility flop. Striking that balance isn’t just smart; it’s the glue for global cyber alliances and the shield for Europe’s digital sovereignty.

The EU’s cyber strategy is wired to its core: human rights, privacy and a fierce grip on digital independence. With heavy hitters like a reviewed GDPR and the Cybersecurity Act, Brussels has the regulatory muscle to safeguard data and services. But it’s not going it alone – cooperation is the name of the game, both among its 27 member states and beyond.

• Cybersecurity as Team Europe: the EU treats cyber defence like a bloc-wide relay race. The European Cybersecurity Agency (ENISA) and cross-border rules knit together a united front, hardening critical grids and roping in private players. Threats don’t stop at the border – neither does the EU’s playbook.
• Privacy over power: where China’s cyber chiefs throttle information to guard the Party, the EU puts privacy on a pedestal. GDPR isn’t just red tape – it’s a line in the sand, protecting citizens’ data from abuse while Beijing trades personal rights for ideological lockstep. That clash defines the digital divide.
• Crimebusters without borders: cybercrime – fraud, hacks, breaches – keeps the EU busy, but it’s not playing the lone cop. Europol and the European Cybercrime Centre (EC3) sync up with global law enforcement to chase down crooks, a stark contrast to China’s inward focus on domestic scams. Brussels aims to choke off cybercrime’s oxygen before it goes worldwide.

To counter China’s sophisticated cyber operations – whether it’s Volt Typhoon silently infiltrating critical infrastructure or APT31 stealing corporate secrets – the EU must execute a sharp diplomatic pivot. This means fortifying defences against politically motivated cyberattacks, establishing clearer international norms, and exposing the covert manoeuvres of all players, including China. This isn’t just about protecting servers; it’s about securing Europe’s position in a world where digital supremacy equates to power.

[1] Cybersecurity Law of the People’s Republic of China (Effective June 1, 2017) available at: https://digichina.stanford.edu/work/translation-cybersecurity-law-of-the-peoples-republic-of-china-effective-june-1-2017/

[2] The Biden-⁠Harris Administration released the National Cybersecurity Strategy on March 2, 2023, available at: https://bidenwhitehouse.archives.gov/oncd/national-cybersecurity-strategy/

[3] PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Release Date, February 07, 2024 available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

[4] “Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians”, March 2024, available at: https://www.justice.gov/archives/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived

[5] Jonathan Greig, “Researchers uncover years-long espionage campaign targeting dozens of global companies available”, 2022 available at: https://therecord.media/operation-cuckoobees-apt41-cybereason-winnti-group

[6] Press Release, Treasury Sanctions Technology Company for Support to Malicious Cyber Group, January 3, 2025, available at: https://home.treasury.gov/news/press-releases/jy2769

[7] Patrick Toomey, “The NSA Continues to Violate Americans’ Internet Privacy Rights” available at: https://www.aclu.org/news/national-security/nsa-continues-violate-americans-internet-privacy

The views expressed in this #CriticalThinking article reflect those of the author(s) and not of Friends of Europe.