Dr Vassilia Orfanou, PhD, Post Doc, LUDCI.eu
Writes for the Headline Diplomat eMagazine, LUDCI.eu
Introduction
In the corridors of Europe’s legislative chambers, where policy is drafted line by line and compromise is often the currency of governance, a different kind of battle is taking place – one that is invisible, continuous, and increasingly asymmetric. It is the battle between parliamentary institutions and the cyber adversaries who now see them not as ceremonial relics of democracy, but as high-value strategic targets.
A new volume, Cybersecurity for Parliaments, edited by Fotios Fitsilis, Stéphane Gagnon, and Frank de Vrieze, and published by the Westminster Foundation for Democracy, enters this space with unusual urgency. It does not treat cybersecurity as an auxiliary IT function, nor as a technical compliance issue to be delegated to back-office units. Instead, it reframes it as a core constitutional concern: the operational security of democracy itself.
That framing is not rhetorical exaggeration. It is, increasingly, descriptive reality.
Parliaments as high-value, low-defence targets
Modern parliaments are among the most sensitive repositories of political information in a state. Legislative bodies handle, among other things, draft laws, confidential negotiations, intelligence briefings, constituency communications, and inter-party strategy. A breach does not merely leak data; it distorts governance, reshapes bargaining power, and – at the extreme – can bear on decisions of national consequence.
The book argues that parliamentary cybersecurity has lagged behind executive-branch and private-sector standards, not because of ignorance, but because of institutional design. Parliaments are deliberately open, pluralistic, and decentralised. These are democratic virtues and, in cybersecurity terms, they also enlarge the attack surface: many entry points, many independent actors, and limited ability to impose uniform controls.
The result is a structural mismatch: adversaries increasingly operate with state-grade cyber capability, while many legislatures still rely on fragmented security governance, uneven technical capacity, and legacy systems patched together over time.
Hybrid threats in a fragmented institutional environment
One of the book’s most significant contributions is its rejection of the “single-threat” model. Parliaments are not merely subject to hacking attempts in the narrow sense. They are exposed to hybridised campaigns that can blend intrusion, espionage, psychological manipulation, and physical intimidation.
Nation-state actors pursue strategic intelligence and influence. Criminal networks exploit human error at scale. And increasingly, the boundary between these categories is blurred by subcontracting, proxy actors, and commercially available offensive cyber tools.
The implications are far-reaching. A single compromised parliamentary email account can become a vector for disinformation, a trigger for political mistrust, or a lever in diplomatic bargaining.
The AI acceleration problem
The emergence of generative artificial intelligence (AI) adds a further layer of volatility. Deepfakes, synthetic voice cloning, and automated spear-phishing campaigns reduce the cost of deception while increasing its credibility. In this environment, trust – already a fragile commodity in democratic systems – becomes more easily manufactured and more easily destroyed.
The authors highlight a particularly underappreciated risk: electoral transition periods. Following elections, parliaments undergo rapid onboarding and offboarding of members and staff. These moments of institutional flux create predictable gaps in authentication discipline, security training, and access control. For attackers, these are windows of opportunity.
Regulation catches up – unevenly
At the policy level, parliaments in the European Union now operate under an expanding regulatory perimeter, including the NIS2 Directive, evolving AI governance frameworks such as the AI Act, and alignment pressures with established standards such as the NIST Cybersecurity Framework. How far NIS2 actually reaches into a legislature depends on national transposition, since the Directive leaves it to each Member State to define which public administration entities fall within its scope.
Yet the book is careful to avoid equating regulation with resilience. Compliance can create structure, but it does not automatically produce adaptive security capacity. Indeed, one of the central tensions identified is between formal compliance regimes and the operational reality of parliamentary autonomy. Unlike conventional administrative bodies, legislatures are politically plural institutions characterised by competing incentives, distributed authority, and strong independence requirements.
Here, the question is not “what should parliaments comply with?” but “how can they remain democratically open while being operationally secure?”
The case for parliamentary-specific security architecture
A key argument advanced is that standard government or private-sector cybersecurity models are insufficient. Ministries can centralise authority; corporations can enforce uniform protocols. Parliaments cannot do either without potentially undermining their constitutional role.
This creates the need for what the book calls institution-specific security thinking: models designed around parliamentary workflows, political pluralism, and the sensitivity of legislative confidentiality.
Among the most compelling proposals is the development of structured inter-parliamentary information-sharing networks. Rather than each legislature defending itself in isolation, the authors advocate cooperative resilience frameworks. These are mechanisms through which parliaments can share threat intelligence, incident patterns, and defensive practices without compromising sovereignty or political independence.
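One concrete shape for the tiered sharing described above is a release filter: it decides, field by field, what part of an incident record may leave the originating parliament at a given sharing tier, and redacts internal hostnames and addresses from free text before the record reaches a wider audience. The Python below is an added illustration written for this review, not the book's proposal or any network's actual scheme; the tier names are modelled on the Traffic Light Protocol, and the field policy, the internal domain "parl.internal" and the sample record are constructed assumptions.

```python
import re

# Sharing tiers from most to least restrictive, modelled on the Traffic Light
# Protocol (an assumption for illustration; a real network would set its own labels).
TIERS = ["RED", "AMBER", "GREEN", "CLEAR"]

# Least restrictive tier at which each field of an incident record may be shared
# (assumed policy). Fields absent from this table are treated as RED.
FIELD_POLICY = {
    "indicators": "CLEAR",           # attacker infrastructure: share as widely as possible
    "technique": "GREEN",
    "narrative": "GREEN",            # free text, redacted once it goes beyond AMBER
    "affected_systems": "AMBER",     # names internal hosts
    "vulnerable_versions": "AMBER",  # discloses unpatched components
    "victim_accounts": "RED",        # never leaves the originating parliament
}

# RFC 1918 address ranges, used both to filter indicators and to redact free text
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)


def _is_internal(value: str, internal_domain: str) -> bool:
    """True for private addresses and hosts under the parliament's own domain."""
    return bool(PRIVATE_IP.fullmatch(value)) or value.endswith("." + internal_domain)


def redact(text: str, internal_domain: str) -> str:
    """Replace internal hostnames and RFC 1918 addresses in free text with placeholders."""
    host = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\." + re.escape(internal_domain) + r"\b")
    text = host.sub("[internal-host]", text)
    return PRIVATE_IP.sub("[internal-ip]", text)


def release(record: dict, tier: str, internal_domain: str) -> dict:
    """Return the part of `record` releasable at `tier`, with internal details removed."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}")
    rank = TIERS.index(tier)
    out = {}
    for name, value in record.items():
        if rank > TIERS.index(FIELD_POLICY.get(name, "RED")):
            continue  # field too sensitive for this tier
        if name == "indicators":
            # Internal hosts and addresses are victims, not attacker infrastructure:
            # drop them from the indicator list at every tier.
            value = [i for i in value if not _is_internal(i, internal_domain)]
        elif name == "narrative" and rank > TIERS.index("AMBER"):
            value = redact(value, internal_domain)
        out[name] = value
    return out


SAMPLE_RECORD = {  # constructed example record, not a real incident
    "indicators": ["203.0.113.45", "update-portal.example.net", "10.20.30.40"],
    "technique": "spear-phishing with a credential-harvesting link",
    "narrative": "Lure sent from update-portal.example.net; mailbox on mx1.parl.internal "
                 "(10.20.30.40) accessed with the harvested credentials.",
    "affected_systems": ["mx1.parl.internal"],
    "vulnerable_versions": {"webmail": "2.3.1"},
    "victim_accounts": ["j.doe@parl.internal"],
}

if __name__ == "__main__":
    for tier in TIERS:
        print(tier, release(SAMPLE_RECORD, tier, "parl.internal"))
```

At GREEN the recipient sees the attacker's infrastructure and the technique, but not which internal mail host was involved or which webmail version was unpatched; those details stay within the AMBER circle, and victim identities never leave the originating parliament.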
Pros and cons of the emerging approach
The shift toward treating parliamentary cybersecurity as a strategic democratic concern carries clear advantages.
First, it elevates investment priority. Cybersecurity in legislatures is often underfunded relative to its systemic importance. Framing it as constitutional infrastructure changes budgetary calculus.
Second, it encourages institutional learning. Parliaments are uniquely diverse; cross-parliamentary exchange can accelerate maturity for less-resourced legislatures.
Third, it acknowledges reality: adversaries already operate transnationally. Defensive coordination is a logical response to an internationalised threat landscape.
But there are also risks.
Information-sharing frameworks may collide with national security sensitivities, particularly where intelligence exposure is involved. Over-centralisation of security protocols risks clashing with parliamentary autonomy and political independence. And regulatory layering may produce compliance fatigue without necessarily improving operational resilience.
Perhaps most critically, there is a governance risk: cybersecurity expertise could become concentrated in technical bodies detached from elected oversight, subtly shifting accountability away from democratic actors.
Policy recommendations: toward democratic cyber resilience
From a policy perspective, the direction of travel appears to be clear, but its design requires care:
- Parliaments should establish dedicated parliamentary cybersecurity authorities with dual legitimacy: technical independence combined with direct accountability to parliamentary leadership, not executive agencies. This preserves institutional autonomy while enabling coherent strategy.
- Mandatory cyber-readiness protocols should be introduced specifically for electoral transition periods. These should include accelerated credential verification for new arrivals, prompt revocation of departing members' and staff accounts, time-limited provisional access until verification is complete, and heightened monitoring windows during onboarding cycles.
- Inter-parliamentary cyber cooperation should be formalised through trusted networks with tiered information classification, allowing sensitive threat intelligence to be shared without full disclosure of internal vulnerabilities.
- AI-specific threat modelling must become standard practice within parliamentary IT governance. This includes deepfake detection protocols for official communications, backed by out-of-band verification of unusual requests since detection alone is unreliable against improving generators; phishing-resistant authentication for leadership identities; and simulation-based training for staff.
- Cybersecurity must be treated as a legislative design issue, not merely an IT function. New digital parliamentary systems should undergo “security-by-design” scrutiny at the same level as procedural or constitutional compliance.
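The transition-period controls recommended above (time-limited provisional access, credential verification, prompt revocation at offboarding, heightened monitoring during onboarding, and stronger authentication for leadership identities) can be written down as a policy that an identity system evaluates on every login. The Python below is an added illustration written for this review, not code from the book or from any parliament; the window lengths, role names, authentication-method labels, and the sample accounts and events are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy parameters (illustrative, not taken from the book)
ONBOARDING_WINDOW = timedelta(days=30)  # heightened-monitoring window for new arrivals
PROVISIONAL_GRANT = timedelta(days=7)   # access lifetime before credential verification
STANDARD_GRANT = timedelta(days=365)    # access lifetime once verified
STRONG_AUTH = {"fido2", "smartcard"}    # phishing-resistant methods required for leadership


@dataclass
class Account:
    user: str
    role: str                       # "member", "staff" or "leadership"
    start: datetime                 # account creation (onboarding) time
    verified: bool = False          # identity/credential verification completed
    end: Optional[datetime] = None  # offboarding time; None while active
    known_devices: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)  # resource -> expiry time


def provision(acct: Account, resource: str, now: datetime) -> None:
    """Grant access; unverified accounts only get a short provisional grant."""
    lifetime = STANDARD_GRANT if acct.verified else PROVISIONAL_GRANT
    acct.grants[resource] = now + lifetime


def verify(acct: Account, now: datetime) -> None:
    """Record completed verification and extend provisional grants to full length."""
    acct.verified = True
    for resource in acct.grants:
        acct.grants[resource] = now + STANDARD_GRANT


def offboard(acct: Account, when: datetime) -> None:
    """Offboarding revokes every grant immediately rather than letting them age out."""
    acct.end = when
    acct.grants.clear()


def evaluate(acct: Account, ev: dict):
    """Return (decision, findings) for one authentication event.

    decision is "deny", "allow_monitored" (inside the onboarding window) or "allow".
    """
    now, findings = ev["ts"], []
    if acct.end is not None and now >= acct.end:
        findings.append("access after offboarding")
    expiry = acct.grants.get(ev["resource"])
    if expiry is None:
        findings.append("no grant for resource")
    elif now > expiry:
        findings.append("grant expired")
    if acct.role == "leadership" and ev["auth"] not in STRONG_AUTH:
        findings.append("leadership identity without phishing-resistant auth")
    if findings:
        return "deny", findings
    if now - acct.start < ONBOARDING_WINDOW:
        if ev["device"] not in acct.known_devices:
            findings.append("new device during onboarding window")
        return "allow_monitored", findings
    return "allow", findings


def run_demo():
    """Evaluate constructed sample events; returns [(user, decision, findings), ...]."""
    t0 = datetime(2026, 1, 5, 9, 0)
    day = timedelta(days=1)
    newcomer = Account("mp_new", "member", start=t0, known_devices={"laptop-A"})
    provision(newcomer, "committee_drive", t0)
    speaker = Account("speaker", "leadership", start=t0 - 400 * day, verified=True,
                      known_devices={"laptop-S"})
    provision(speaker, "leadership_mail", t0)
    departed = Account("staff_old", "staff", start=t0 - 800 * day, verified=True,
                       known_devices={"pc-1"})
    provision(departed, "committee_drive", t0 - 100 * day)
    offboard(departed, t0 + 1 * day)
    accounts = {a.user: a for a in (newcomer, speaker, departed)}

    events = [  # constructed sample events
        {"ts": t0 + 2 * day, "user": "mp_new", "resource": "committee_drive", "auth": "password", "device": "laptop-A"},
        {"ts": t0 + 3 * day, "user": "mp_new", "resource": "committee_drive", "auth": "password", "device": "phone-X"},
        {"ts": t0 + 9 * day, "user": "mp_new", "resource": "committee_drive", "auth": "password", "device": "laptop-A"},
        {"ts": t0 + 2 * day, "user": "speaker", "resource": "leadership_mail", "auth": "password", "device": "laptop-S"},
        {"ts": t0 + 2 * day, "user": "speaker", "resource": "leadership_mail", "auth": "fido2", "device": "laptop-S"},
        {"ts": t0 + 2 * day, "user": "staff_old", "resource": "committee_drive", "auth": "password", "device": "pc-1"},
    ]
    results = [(ev["user"], *evaluate(accounts[ev["user"]], ev)) for ev in events]
    # Verification completed on day 9 renews the newcomer's access; day 10 is still inside
    # the monitoring window, so the login is allowed but flagged for monitoring.
    verify(newcomer, t0 + 9 * day)
    late = {"ts": t0 + 10 * day, "user": "mp_new", "resource": "committee_drive", "auth": "password", "device": "laptop-A"}
    results.append(("mp_new", *evaluate(newcomer, late)))
    return results


if __name__ == "__main__":
    for user, decision, findings in run_demo():
        print(f"{user:10} {decision:16} {', '.join(findings) or '-'}")
```

The point of the provisional grant is that an unverified account which nobody follows up on simply stops working on day 8, instead of quietly persisting; and offboarding clears grants outright rather than relying on their expiry, which is the gap departing-member accounts tend to fall into.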
Conclusion: defending the infrastructure of deliberation
Legislatures form the institutional space where political disagreement is deliberated, negotiated, and ultimately encoded into law. If that space is compromised, the consequences do not remain confined to data loss or system downtime. They cascade outward, distorting decision-making, weakening accountability, and eroding the credibility of democratic authority itself.
The book Cybersecurity for Parliaments argues for a fundamental shift in perspective: from viewing cybersecurity as the protection of systems and networks, to understanding it as the safeguarding of the democratic process itself.
In this framing, a breach is a potential institutional shock. A compromised account is a fracture in the chain of trust that underpins representation, scrutiny, and law-making.
In an era where disruption is cheap, scalable, and increasingly automated, this distinction is operational, strategic, and deeply political; it defines the resilience – or fragility – of democratic systems in the digital age.
Further reading:
Center for Security and Emerging Technology (CSET), Georgetown University. https://cset.georgetown.edu.
Ottis, R. (2008). Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective. NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf.
NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). Parliaments and Cybersecurity. https://ccdcoe.org.
Defense Advanced Research Projects Agency (DARPA). Media Forensics (MediFor) Program. https://www.darpa.mil/program/media-forensics.
European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE). https://www.hybridcoe.fi.
European Commission. Regulatory framework for AI (AI Act). https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai.
European External Action Service (EEAS). EUvsDisinfo. https://euvsdisinfo.eu.
European Parliament & Council of the European Union. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive). http://data.europa.eu/eli/dir/2022/2555/2022-12-27.
European Union Agency for Cybersecurity (ENISA). Secure by Design and Default Playbook (v0.4, draft for consultation). https://www.enisa.europa.eu/sites/default/files/2026-03/ENISA_Secure_By_Design_and_Default_Playbook_v0.4_draft_for_consultation.pdf.
FIRST (Forum of Incident Response and Security Teams). https://www.first.org.
Fitsilis, F., Gagnon, S., & De Vrieze, F. (Eds.). (2026). Cybersecurity for Parliaments. Westminster Foundation for Democracy, London. https://www.wfd.org/what-we-do/resources/cybersecurity-parliaments.
Fitsilis, F., von Lucke, J., & De Vrieze, F. (Eds.). (2024). Guidelines for AI in Parliaments. Westminster Foundation for Democracy, London. https://www.wfd.org/ai-guidelines-parliaments.
Inter-Parliamentary Union (IPU). Publications and Resources. https://www.ipu.org/resources/publications.
Inter-Parliamentary Union (IPU). https://www.ipu.org.
MITRE Corporation. MITRE ATT&CK. https://attack.mitre.org.
National Cyber Security Centre (NCSC, UK). 10 Steps to Cyber Security: Identity and Access Management. https://www.ncsc.gov.uk/collection/10-steps/identity-and-access-management.
National Cyber Security Centre (NCSC, UK). Secure Digital Onboarding. https://www.ncsc.gov.uk/collection/digital-service-security.
National Institute of Standards and Technology (NIST). (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). https://doi.org/10.6028/NIST.CSWP.29.
North Atlantic Treaty Organization (NATO). Countering hybrid threats. https://www.nato.int/cps/en/natohq/topics_156338.htm.
Organisation for Economic Co-operation and Development (OECD). OECD AI Principles. https://www.oecd.org/en/topics/sub-issues/ai-principles.html.



