Regulatory cybersecurity governance in the making: the formation of ENISA and its struggle for epistemic authority

Over the last decades, cybersecurity has become a top priority for the European Union (EU). As a contribution to scholarship on the 'regulatory security state', we analyze how the European Union Agency for Cybersecurity (ENISA), emerged and stabilized as the EU's key agency for cybersecurity. We use data from policy documents, secondary sources, and semi-structured interviews to show how ENISA struggled to become a relevant actor by carving out a specific role for itself. In particular, we show how challenging it was for the agency to acquire epistemic authority. Although the trajectory of ENISA supports attempts to govern through regulation, it also shows that its role was never a given, only functions as part of a larger whole, and continues to be subject to change. Our article indicates that the study of security governance must remain ontologically flexible to capture hybrid forms and political struggles.