Cyberspace offers unique opportunities for communication and commerce, but also a wide range of security threats both to individuals and nation states. These threats create specific security challenges. This paper will examine the impact of the Treaty of Lisbon on the EU's response to those challenges. Prior to the coming into force of the Lisbon Treaty in 2009 EU cybersecurity policy was highly fragmented. Responsibility was split between the three Pillars of the European political system: the Communities, justice and home affairs and the common foreign and security policy (CFSP). By abolishing the Pillar system the Lisbon Treaty enabled the EU to develop a single, unified, strategic approach to cybersecurity issues. The 2013 Cybersecurity Strategy was a direct result of this newly-established capacity for coherence. However, the key area of competence relating to the CFSP was left largely undefined in the Lisbon Treaty, limiting the EU's capacity to respond to external cyber-threats. This paper will evaluate how the new legal personality of the Union and the abolition of the Pillar system affected both internal and external cybersecurity policy by examining one of the Treaty's most significant "loose ends": CFSP. It will argue that cybersecurity and external cyber-defence serve as a microcosm of a much wider problem of unresolved and undefined competences. While the Lisbon Treaty facilitated a coherent internal strategy, clarification of EU competence regarding the CFSP was left largely unresolved, a fact demonstrated by the nature of cybersecurity challenges. By examining the EU's cybersecurity policy and strategy this paper will further argue that the EU's approach can be seen as an exemplar of the successes and challenges of post-Lisbon European politics
