(Series Information) European Papers - A Journal on Law and Integration, 2022 7(1), 413-438 | Article | (Table of Contents) I. Introduction. - II. Cybersecurity as internal market resilience. - III. Cybersecurity as an issue of internal security under the AFSJ. - IV. Mainstreaming cybersecurity into CFSP. - IV.1. The emergence of cyber cooperation under PESCO. - IV.2. Cyber Diplomacy Toolbox: between sanctions and a lawful response to cyber-attacks. - V. The externalisation of the EU's cybersecurity and its limitations under the CFSP. - V.1.The attribution of responsibility for cyber-attacks. - V.2. Evidence collection as a limitation for the EU Cyber Diplomacy Toolbox. - VI. Concluding remarks. | (Abstract) It is often claimed that there is a blurring line between external and internal security in the EU with both being increasingly intertwined. Apart from providing the state of affairs in EU cybersecurity law and policy, the argument of this contribution is that these internal-external links are also visible in a growing tendency towards the externalisation of the EU's cybersecurity policy. Typical interior policy fields in that area that were tackled through the internal market and the Area of Freedom Security and Justice (AFSJ) legal bases, are now penetrating the field of action of the Common Foreign and Security Policy (CFSP). This tendency towards a growing externalisation of the EU cybersecurity will be demonstrated by analysing the emblematic EU's Cyber Diplomacy Toolbox and its deterrence instrument: restrictive measures in response to cyber-attacks. Our analysis pinpoints a number of limitations for the EU's common action under the CFSP, including problems of attribution and evidence collection. Our Article questions whether the CFSP is fit for the digital age and what repercussions cyber threats may have for the future of the EU CFSP and its Cyber Diplomacy Toolbox.