The regulatory security state as a risk state

ABSTRACT This paper places the arguments about the rise of the regulatory security state in a broader perspective of regulatory governance and regulatory state literatures. It suggests that the regulatory security state is one morph of the regulatory state. It does not replace any other morph and indeed it is only partly new. I clarify the terminology around the ‘old’ and new’ regulatory (security) state and suggests how to think about the concept of the RSS from a perspective of the state as a risk manager. The first part clarifies the idea of the ‘regulatory state’ and its origins. The second part distinguishes between the old regulatory state and the new regulatory state, and therefore also distinguishes between the old and the new RSS. The third part suggests that the regulatory state can be a positive, liberal or illiberal state. The fourth part theorizes the RSS as a risk state. Together these clarifications allow a more theoretically rich framework for the study of security governance from a regulatory governance perspective.

contributions to this special issue extend the reach of the literature on regulatory governance into the domain of securitya domain that is rarely the center of attention of scholars of regulatory governance. The contributors to this issue draw attention to the power and role of regulation in the provision of security, while also extending the security lens beyond its traditional focus on warfare and policing. Questions about the nature of regulation and the form and implication of governance have been, so far, absent from the literature on security governance and policy. As I'll argue later on, this special issue helps us to place risk management as a core function of the state and to see security as important, yet as a sub-terrain of risk governance. The implications, therefore, are well beyond the particularities of security and affect the theory of the state itself. Changes at the micro and meso levels and at the program and the sectoral levels can therefore be understood in a more comprehensive and systematic way.
This paper offers some extensions, insights, and contributions on how to theorize the regulatory state in security. In doing this, I present a theory of the regulatory state that reflects a layered, multifaceted, polymorphic and historically grounded understanding of the 'old' and the 'new' regulatory (security) state. More generally, I suggest how to think about the concept of the regulatory security state from a perspective of the state as a risk manager. All this builds on my previous critique of Giandomenico Majone's transformation argument on the decline of the positive state and its direct and causal connection to the rise of the regulatory state (Levi-Faur, 2005). In the next sections, I follow 'the odyssey' of the concept of the regulatory state (Levi-Faur, 2013), offer an understanding of the regulatory state as a polymorphic state (Levi-Faur, 2014), and reconcile the positive state, the regulatory state, and the rise of private government through the term 'big governance' (Levi-Faur, 2012).
The paper has five parts. The first part clarifies the idea of the 'regulatory state' and its origins. The second part distinguishes between the old regulatory state and the new regulatory state, and therefore also distinguishes between the old and the new RSS. The third part suggests that the regulatory state can be a positive, liberal or illiberal state. The fourth part theorizes the RSS as a risk state. Thereafter, I offer my conclusions. The discussions are aimed, hopefully, toward a more theoretically rich framework for the study of security governance from a regulatory governance perspective. This should help us build a better foundation for further expansion of the study of security via regulation, and to place meso and micro studies within a macro perspective of the capitalist democratic state. In other words, my arguments aim to clarify the concept of the regulatory state, its development across time and its relation to the RSS. At the same time, this paper may allow for better and stronger interactions between the security and regulatory communities in Europe and beyond.
The stepping stones: what is the state, and what is the regulatory state? Kruck and Weiss (2023) ask who governs European security, by which means, and on what grounds of legitimacy? Their answers are grounded in the literature of the regulatory state: namely, on the expansion of the use of regulation by the state, and on the growth in the role of experts in policy-making in general and in regulation in particular. In raising questions involving these developments, Kruck and Weiss challenge the conventional understanding of security as a distinct realm in the Westphalian-Weberian-Positive-Keynesian state (my apologies for so many adjectives; it is not me, it is the literature, or perhaps the multifaceted nature of the state). Kruck and Weiss also suggest a new political and institutional reality. No more (or not solely) hierarchies headed by political appointees, or direct lines of command and control, or dominance of fiscal/budgetary instruments. Instead, they suggest the prominence of networks of experts, and that the mastering and expansion of regulatory capacities allow and represent an institutional facet of the rise of the regulatory state.
The qualified critique of Genschel and Jachtenfuchs (2023) accepts the importance of the observations that Kruck and Weiss make on the RSS, yet they take issue with two of their main claims. Genschel and Jachtenfuchs first argue that the regulatory security state is not an alternative to the positive state, and I concur. But they also add, contentiously, that the regulatory state remains critically dependent on the positive state. The positive security state, they argue, is viable without support from the regulatory security state, but not the other way around. Secondly, Genschel and Jachtenfuchs (2023) suggest that the perceived rise of the regulatory state reflects the fortuitous geopolitics of the post-Cold War decades and the heyday and specific features of the EU polity. A more historically nuanced analysis may bring us back to the old forms of the state, namely the warfare state. More generally, Genschel and Jachtenfuchs explain why regulation is not an alternative to the state's capacity to provide security, and why epistemic authority cannot fully substitute for political authority. The RSS, they suggest, reflects a specific moment in time (the post-post war period), an area or group (Europe/ OECD), and the level of governance (EU). For Genschel and Jachtenfuchs (2023) the apparent rise of the regulatory state reflects the weakness of the geopolitical demands on the positive state during the unusually peaceful decades after the end of the Cold War, rather than the technology-driven demise of the positive state.
My reading of the debate and the arguments advanced in both papers suggests that much can be clarified if we start with the most basic and primary definitions that are hidden in the arguments around the 'rise of the regulatory security state'. I'll start with the concept of the state before I clarify the concept of the regulatory state and how it was understood in different periods and areas of the world. This allows me to refer to the 'rise' in the next part of the paper. But we start with the term 'state' as defined originally by von Ihering, who in the late nineteenth century suggested that a state should be defined as any institution that claims a monopoly on the legitimate use of coercive force within a given territory (Graeber & Wengrow, 2021, p. 359). This definitionwhich nowadays is identified with Max Weberdoes not suggest function, core functions, or rationale, but simply the legitimate use of coercive force. For those of us who define the rationale of the state as the provision of public goods, the legitimate claim is driven by the provision of public good such as domestic and external security, prosperity, and social solidarity.
The term 'regulatory state' had emerged as a 'thin' and marginal term in the US literature in the late 1950s. It only gradually evolved into a central concept later, mainly in the 1990s. Even today, it is largely understood as an American concept, but as I was able to show (Levi-Faur, 2013), while the US scholarship has used it occasionally, it did not deal directly with the concept of the regulatory state (cf. Rose-Ackerman, 1993;Seidman & Gilmour, 1986;Sunstein, 1990). The first and most significant contribution to the concept was made in the field of EU public policy directly through the work of Majone (1994;1997), who understood the regulatory state as a transition from the 'old' and proactive positive state. Perhaps, in the spirit of the end of the history of the 1990s, it had also narrowed the role and function of the regulatory state to that of correcting market failures. Later on, Michael Moran (2000;2003) made the regulatory state a central concept in the study of British political economy and administration. Braithwaite (2000) made it a central concept in the socio-legal literature and beyond. For Majone, the rise of the regulatory state meant the decline of what he calledwithout much elaborationa 'positive state'. For Michael Moran, the regulatory state was a 'formalized state', which was much more democratic, in the sense that it brought rules and regulations as an alternative to the centuries-long tradition of the old boys' network of 'Club Government'.
The plurality of meanings and conceptualizations raise the challenge of how best to define the regulatory state. Do we all speak of the same thing when we speak about it? How should we define it in a way that will capture its 'old' and its 'new' meanings? How do we do all of this in a theory-oriented way? Should we construct a definition that will allow us to add a second adjective to the 'regulatory', for instance, regulatory welfare state (Levi-Faur, 2014), or regulatory security state? Such a definition would allow us to distinguish core features from temporal characteristics, and area specificities (e.g., US particularities) from more comprehensive ones (say, EU regulatory state or the regulatory state of the South). We need a definition that will allow us to look at both China and the US as regulatory states; one that will allow us to treat it as a significant concept both at the EU level and at the national level. Dealing with these challenges, I suggest defining the regulatory state as 'an institution that claims a monopoly on the legitimate use of rule-making, rule-monitoring, and rule-enforcement in a given territory'. This definition, which proposes an instrument-based orientation, allows us to theorize the state in relation to its instruments and its strategy of control.

The old and the new regulatory (security) state
Regulation is an instrument that requires regulatory capacity and that shapes regulatory regimes, often using other instruments. The rise and decline of old and new states can be related to how, when, and to what effect the instruments are applied. For our purpose now, we can define a new regulatory state with regard to the change in the way in which regulation was understood, applied, and institutionalized in the 1980s and 1990s. The old regulatory state was hierarchical, using technologies of command and control and lines of direct accountability. It was centralized to a large extent, and it was governed and allegedly overseen closely by politicians. The idea of a 'new' regulatory security state was more about networks of decision makers, experts, polycentric institutional designs, indirect accountability, and governance by proxies and intermediaries. This aspect was also captured by the RSS framework of Kruck and Weiss (2023).
For Braithwaite, the regulatory state represents a shift from a nineteenth century night watchman state to the twentieth century welfare-Keynesian state. What he called the 'new regulatory state' was based on a neoliberal combination of market competition, privatized institutions, andfrom a distancedecentered forms of state regulation. Majone, Moran, and Braithwaite made significant headways in making the regulatory state a 'thick' concept in the sense that they characterized it, discussed the drivers of change, and placed the regulatory state within a general understanding of the change in the British polity (Moran), the EU mode of governance (Majone), and the transformation of crime control (Braithwaite). The theoretical 'thickening' of the concept of the regulatory state was thereafter advanced by my work on regulatory capitalism (Levi-Faur, 2005). This suggested that the regulatory state reflects similar traditions of control and economic management as in the past, even in the era of neoliberalism (Levi-Faur, 2005), not least pointing to global agencification of administrative governance that emerged in this period (Jordana et al., 2011;Levi-Faur & Jordana, 2005). What we were able to show was a change from an administration that was based on Weberian ministries and control to new, world-wide best practices of independent regulatory agencies. In this way, we were able to point not only to a new dimension of the regulatory state but also to the globalization of the concept. Kruck and Weiss (2023) suggest that these new regulatory states strive for new regulatory capacities and regulatory expertise. The rise of the regulatory state in security is the rise of new capacities, new regimes, and an extension of the state's role in addition to its old roles, functions, and capacities. The old regulatory state met governance, and with it, also the concept and the field of 'regulatory governance' (Levi-Faur, 2011). The source of authority of the regulatory state is its legitimate claim for monopoly over regulation and its (relative) capacity to shape power relations as well as to shape distributive and redistributive outcomes via regulation (Levi-Faur, 2013).
This distinguishes the regulatory state from the Positive-Weberian emphasis on the state's claim for monopoly on the means of violence. But it does not necessarily imply that both claims, and therefore both types of state, cannot co-exist. As Genschel and Jachtenfuchs (2023) argue, the RSS may even be critically dependent on the positive state, rather than being an alternative to it. The field of regulatory governance takes the regulatory capacities of the state seriously in the sense that they are not considered as a given or as direct byproducts of the legitimate monopoly over power. These regulatory capacities are simply the instruments of autonomy of the capitalist, democratic state. Sometimes they fail, sometimes they succeed. Sometimes these capacities reflect public interests and sometimes private interests, and sometimes they reflect liberal governance and sometimes illiberal governance. In essence, the existence of the RSS, and the question of whether it is effective, are two separate discussions. Different means and different goals may define the orientation differently, or they may define the variety of regulatory states differently.
In the same way that the state has pre-modern forms as well as modern forms, and the regulatory state has old and newer forms, so has the RSS. Historically shaped conceptions of the stateand an understanding of its institutional design as hybrid, multifaceted, and polymorphicallow us to still recognize the rise of the RSS without giving up on the 'old' positive state. However, these conceptions also allow us to think about the RSS in its old versions. Can we think of, and theorize, an 'old regulatory security state'? I think we can and we should. Consider, for example, that the possibility of using regulation in securityand moving beyond the narrow understandings of security as the business of police and the militaryis not new. The control of the economy in the name of security needs is one example for regulation that reflects security motives. This is the case of the very (very) old regulatory state in Elizabethan Britain. Thus an act passed in 1565-1566 in Queen Elizabeth's name forbade the export of live sheep. In the case of failure to comply with this act, the penalties were high: the confiscation of property, prison, or the cutting off of the left hand. In cases of repeated offenses, it could also be the death penalty. A century later, during the reign of Charles II, the export of raw wool was also prohibited (Oser & Blanchfield, 1975, p. 10). Leveraging the economy to extend security and then leveraging security to extend economic gains are old strategies; perhaps the oldest state-building strategies of rulers. The way to connect both was often via regulation. This is also the case with the introduction of passports and identity cards that give the state control over the movement of people. These controls had both economic and security motives, and rule-making, rule-monitoring, and rule-enforcement helped to bring them together. The 'new regulatory security state' is just using these instruments in new ways, sometimes more democratically, sometimes more efficiently, and sometimes in new fields such as private policing, military security, cybersecurity, and food security. In other words, the rise of the RSS represents the rise of regulation, of new forms of regulation, and the extension of security to new spheres. The old RSS did not come at the expense of the old positive state, in the same way that the new RSS does not replace the new positive state. By the new positive state, I refer to the state that continue to provide welfare but via proxies and indirect manner (usually via outsourcing). This is also a state that often lessen its commitment to social equality even if not to the supply of basic provisions to the poor.
The regulatory state can be a positive state Kruck and Weiss (2023) suggest that the rise of the regulatory security state is associated both with the decline of the positive state and with the rise of regulatory experts in the sphere of security. Genschel and Jachtenfuchs (2023) disagree, and suggest that the positive state is here to stay. I agree with Genschel and Jachtenfuchs about the viability of the positive state, but not about its primacy. The rise of the regulatory state comes at the expense and the decline of the old regulatory (security) state rather than at the expense of the positive state. Unlike Genschel and Jachtenfuchs, Kruck and Weiss (2023) are followers of Giandomenico Majone (1994;1997). It is not that Majone couldn't see institutional continuity, it was simply that he expected, and Majone seems to normatively advocated, a 'thin' state and economic literal governancethat is, economic governance that deals with EU economic integration and market failures, with little room for industrial policy on the one hand or risk governance on the other. This is hardly the case however, and the regulatory state at the EU and at the national levels may take, and indeed in many cases does take, a highly interventionist approach. In addition, the rise of one thing does not necessarily mean the decline of something else. Things can grow together, or one entity can become less or more central, but changes in centrality are not the same as decline. Change is also not nececarily transformation or decline, and this is, in my words, what Genschel and Jachtenfuchs remind us about. Here, they are not only qualifying Kruck and Weiss, they are also qualifying Majone.
State theory is full of adjectives that are sometimes understood in a monomorphic way. That is, that one form excludes the others: the modern state; postmodern state; welfare state; developmental state; positive state; rentseeking state; predatory state; the tax state; the fiscal state; crony state; administrative state; pluralist state; corporatist state; neoliberal state, and the social-democratic state. Sometimes, in the same manner of Kruck and Weiss, we even add a second adjective: the capitalist democratic state, the advanced democratic state, the regulatory welfare state, and the regulatory developmental state. I suggest here, as elsewhere, that we should think about the state as a pluralist institution with multiple forms, rationales, and, yes, also contradictions. The positive state can live comfortably with the regulatory state if we think about the state as a polymorphic institutional entity (cf. Mann, 1993, Caporaso, 1996, Levi-Faur, 2013. The suggestion that states are polymorphic allows us to think about forms of states, and about changes that are not transformative but aggregative. The polymorphic perspective permits institutional development (or stagnation) that includes continuity of form and purpose, but at the same time allows for changes and choice. This is a theoretical framework that does not see the rise of the regulatory state as necessarily connected to the decline of the Westphalian-Weberian-Positive State: in other words, a framework that can conceive, theoretically at least, of growth (or decline) in both the regulatory and the positive state.
This open approach allows us to understand the expansion of the state in an era of 'big governance' (multilevel and collaborative governance are a reflection of the expansion of governance; see Abbott et al., 2017;Levi-Faur, 2012;Schilde, 2023). States may share sovereignty, they may need to collaborate and share responsibility, but they are gaining autonomy while losing some of their independence. In this special issue, Mügge (2023) exemplifies this point by pointing to the EU, which would be expected to have its hand strengthen by the rise of the RSS, but which in fact is becoming more encumbered by security considerations at times, thus making the securitization of regulation limit its autonomy. The important issue here is that the tradeoffs between independence and interdependency are becoming more tenable in rule-based governance. This is what the regulatory state and regulatory governance are all about. One can trust rules and thus allow more interdependence in order to gain more autonomy. Regulation doesn't necessarily replace brute force, but extends it. On other times, regulation not only extends force, but replaces it and, and may become the main legitimate way of governing. These are often competing. While I think that Genschel and Jachtenfuchs (2023) are correct to point to the resilience of the positive state and the institutional and strategic continuities of the democratic capitalist state, I also think that regulation, rule-making, monitoring, enforcement, and compliance are increasingly becoming the core instruments of the state, and more generally, the core instruments of governance. The regulatory state and the positive state remain critically interdependent. Many of the core functions and roles of the state are advanced through regulation: not regulation alone, but often mainly regulation.
The most important regulation and taxation can expand together in order to create a more interventionist state. Tools of surveillance, aided increasingly by artificial intelligence, demonstrate the appeal of regulation via technology (Gritsenko & Wood, 2022;Kosta, 2022;Ulbricht & Yeung, 2022). This is the regulatory state par excellence. Perhaps the old regulatory state is coming back or never disappeared? (Staples et al., 2022) That question is open, but what is important to see is that regulation can be illiberal, and it is not necessarily neoliberal. So is the RSS; it can be liberal or illiberal; protective and/or aggressive, and focused on mitigation or on prevention. Which brings me to the next part and the relation of security to risks in the current regulatory state.

The regulatory security state as a risk state
Security is a core function of the state. It has been a major and highly exclusive function in the past, and it is still a major core function today. Among the many changes that are relevant to our study of security and regulation is the way in which we understand security. Security nowadays increasingly refers to ever-expanding social, ecological, and safety risks, and not only from human violence in the form of crime and warfare. This expansion in the meaning of the word is reflected in the frequent use of terms such as environmental security; cybersecurity; AI Securitizaton; biological security; climate security; biosecurity; pandemic security; energy security; food security, and financial security. It is not only that the sphere of security discourse is expanding, but what we see in parallel is that new actors, new expertise, new procedures, and new divisions of labor are emerging in order to deal with (and to construct) the sphere of security. Climate change, pandemics, terrorist acts, vulnerabilities from within and from the outside, man-made and 'natural' disasters are redefining the term security, and with it, the role of the state. These challenges add to, rather than replace, the old challenges that are still with us. This is most clearly exemplified by the war on Ukraine in 2022, by the recent move of the EU to encourage joint military procurement by its member states, and by the renewal of NATO as a major security cooperation well beyond the immediate threats in Europe.
But why prefer the term security and its strong connotations with national security armament, wars, and militarization? Perhaps adopting the language of risk and its theories is preferable? Consider the concept of the regulatory risk state (RRS) versus that of the regulatory security state (RSS). Both risk and security are important terms and both are moving in the same direction. Risk analysis is increasingly dealing with human violence in all its formsnational risk assessments, crime risks, children at risk, ecological and climate risks, safety risks etc.while security is expanding to civil, economic, and technological issues. Most important in this regard is the rise of 'new' human-made risks (Beck, 1992;Beck & Grande, 2010;Vogel, 2022) and hazards such as climate change and ecological destruction. However, the nexus of security and risk is mostly conceptual. In the scholarly and policy worlds, the communities are different and, in many cases, isolated from each other. They simply do not speak to each other. Yet, thinking about risk governance and security policies as core functions and roles of the state opens up new frontiers in the theory of the state. As Dunn Cavelty and Smeets (2023) article in this special issue illustrates, cybersecurity threats are simultaneously approached with different forms of security governance. While regulatory instruments are more likely to be applied when considering an issue at the intersection of the public and the private sector, when it is considered as part of a political conflict or as a military affair, the threat is promptly resolved with the build-up and use of state capacity. That is because conceptualizations of what is in need of protection by the state or governing body often overlap.
No one, as far as I could verify, really put risk management as a core function of the state or has strived to offer a theory of its institutional development. At least not until David Moss published his groundbreaking work on the history of the US as a risk-management state (Moss, 2002). To the extent that this had been done before Moss, it had been done with reference to rather partial functions of the state, such as risk-sharing or risk-reduction. Moss, while dealing only with the US, shows that risk management constitutes a potent and pervasive form of public policy. There are no reasons to suggest that the situation differs substantially outside the US. It follows from his analysis that democratic capitalist countries would be unrecognizable in the absence of the risk-management functions of the state. In his words, '[w]ithout limited liability law, bankruptcy law, government-printed money, and unemployment insurance […] it is doubtable that a modern industrial economy could have taken root in America' (Moss, 2002, p. 1). To give a few examples, it is possible to see government as a risk manager in spheres and issues such as health risks (prevention, mitigation); drug and medical risks (registration, certification); occupational risks (prevention, mitigation); children and youth at risk (reporting and treatment); vulnerable populations (elderly, mentally impaired); natural disasters, and man-made risks (radioactivity, genetic engineering).
Risk regulation is the practice, attitude, and regime that something has to be done about potential harm, risk, and uncertainty (Vogel, 2022). Risk governance reflects any policy designed either to prevent, reduce, reallocate, or mitigate risks. As a field of study, risk governance explores the commonalities and differences, compared to crime control, of the prevention, reduction, reallocation and mitigation of risks with regards to national security. It compares the demand for risk management and how it differs with the probability of risk, its consequences, its distributive impact, and its media and public framing.
Risk policies, like regulatory policy more generally, have a subtler effect than, say, going to war or building schools, roads, or water reservoirs. But we are the beneficiaries of risk policies when we buy products and services (via products liability laws); when we drive the roads (via speed limits and safety belt laws); fly the sky (pilot and aircraft certification); sail the seas (marine traffic signals and waterways); deposit money (bank reserves); use health services such as medicines (approval and monitoring); receive professional advice (professional and ethical standards), and medical advice in particular (occupational licensing for physicians and mandatory certification of equipment), or go to work (workplace safety rules). To think about security domains through the lens of risk governance is also to think about the regulatory state as a risk state. This both extends the boundaries of the domain of security governance and gives new coherence to the mission of the state, as well as giving a new coherent language to its analysts and critics. This is a mission that goes beyond the old RSS that focused on old risks (personal and collective violence). The 'new' risk state is a state that also manages systemic risks: financial, ecological, technological, physical, and biological. It does so with an emphasis on both the prevention of harm and on the preparedness for the possibility of harm. The risk state is a regulatory state, but not only that. Its policy instruments are regulatory but also 'positive', for instance, taxation and spending. It can put emphasis on public investment, or not, but in democracies and under the maxim of the rule of law, it should also always emphasize rule-making, rule-monitoring, and rule-enforcement. The regulatory security state speaks directly to the idea of the risk state. I do hope that the risk state will find itself involved in other risks, risks that are much more urgentand no less costly in terms of human life, stresses and illnessesthan the risks of war. Climate risks, financial risk, and risks to liberal democracy should take precedence.

Conclusions: the way forward
Taking the 'regulatory security state' seriously is to take at least three concepts seriously: (a) that of the state, (b) that of the regulatory state, and (c) that of security. It was suggested here that the rise of the regulatory state is not about the decline of the positive state or the welfare state, but about the expansion of regulationsometimes through private regulation across levels and jurisdictions. This would allow us to see the state in a more polymorphic way, not as a single rational actor that represents a constant and monomorphic rationale, but as a historical institution, built with layer upon layer of different political arrangements, instruments, institutions, and compromises. I have also argued that there is an 'old' regulatory state, and that there is therefore also an 'old' regulatory security state. The new states are more about governance than about government. But in the same way that the rise of the regulatory state does not necessarily suggest a decline of the positive/welfare state, the rise of governance is not the decline of government (Levi-Faur, 2005, 2012. We are in an era of multiple expansions in the forms and capacities of (some) states. I have also argued that security and risks are closely connected, and that the walls between the community of risk studies and the community of security studies should be removed. This special issue makes a significant advance in bridging the gaps between security studies and regulatory governance studies. Moving forward, we also need to bring in the risk community, and to do this without giving up on the state. Hence the idea of the risk state and its intimate relations to the regulatory security state.

Disclosure statement
No potential conflict of interest was reported by the author(s).