Why Economic Security Depends on Bureaucracy: The Hidden Side of Derisking

Authors:  M. Di Giulio (Associate Professor, Università di Genova), F. Baraldi (Post-doctoral Research Fellow, Vrije Universiteit Amsterdam), and M. Sguazzini (Post-doctoral Research Fellow, Università di Genova)

Introduction*

We live in a time when globalisation, once considered irreversible, is showing visible signs of strain. Transnational crises — from pandemic disruptions to geopolitical rivalries — have revealed how fragile economic interdependence can be. In this context, governments have started to rethink how they manage exposure to global risks. Rather than seeking complete decoupling, which is neither realistic nor desirable, they are embracing a derisking strategy. This means building new institutions and tools to reconcile openness with national security. At the heart of this shift lies a family of policy instruments that we call screening mechanisms (SMs).

SMs have become the cornerstone of economic security policies. For instance, policymakers have increasingly developed them in the field of investment (Investment Screening Mechanisms (ISMs)), but the same underlying regulation logic is diffusing to areas deemed to pose strategic threats such as research partnerships and technological transfers. The assumption behind these tools is straightforward: by identifying and filtering risks, governments can preserve both prosperity and safety. Yet, we still know very little about whether screening mechanisms work. Much of the debate has focused on the political rationale for derisking — who controls strategic assets, who defines the national interest — but far less attention has been paid to the administrative reality of how these policies are implemented.

From Trade-Off to Policy Failure: The Administrative Blind Spot

The academic literature and the public debate on economic security describe de-risking as a trade-off: governments must navigate a trade-off between the benefits of domestic markets open to the influx of goods, capitals, and people, and the protection from the harms to the national security that those transactions might bring about. However, before considering such a trade-off, policymakers are required to avoid building institutions that fail on both sides. De-risking tools may be designed in such a way that they become ineffective in both detecting potential harm, while at the same time imposing costs on the large majority of economic actors that arguably pose no threat, and that eventually may decide to divert their investment elsewhere. Conversely, the debate on SMs often rests on the assumption that clear legal rules and centralized oversight automatically translate into security. In practice, that confidence is misplaced. Rules matter, but the effectiveness of any screening system depends on administrative capacity — how decisions are made, how information circulates, and how discretion is exercised.

This administrative dimension is not a minor detail and may determine whether derisking strategies, such as ISMs or export controls for dual use products, succeed or fail. An effective use of SMs depends on public authorities' ability to detect, interpret, and act on information in highly uncertain contexts. If the administrative apparatus is poorly designed or lacks the necessary capabilities, these policies may not only fail to protect national security but also harm economic performance. In other words, a badly or underdeveloped screening mechanism can undermine both security and prosperity — the ultimate values it was created to balance.

It is helpful to understand screening mechanisms as compliance regimes. This means evaluating them not just through their legal design but through their operational performance: how effectively authorities monitor transactions, how they ensure compliance among regulated actors, and how they handle the tension between confidentiality and transparency. Seen this way, derisking strategies are not merely a matter of statecraft or geopolitics. Rather, they rely on governance — of how public organizations manage uncertainty and apply judgment.

Applying screening mechanisms means making decisions under uncertainty. Policymakers must evaluate two sets of consequences simultaneously: those concerning security and those related to the potential economic loss that would result from governmental intervention in each transaction. In theory, this seems a simple optimization problem, but information is incomplete, and signals can be ambiguous. Administrative systems must therefore be able to distinguish between genuine and spurious risks. From a policy analysis’ perspective, decision makers concerned with economic security problems can commit three kinds of errors:

- Type I: blocking harmless transactions;

- Type II: approving risky transactions;

- Type III: framing the wrong policy problem altogether.

The first and second types of errors are purely operational. For any given SM, those involved in actual case management may fail to collect enough information about the screened transactions, or to use the available information to make incorrect inferences about the underlying security risks. Conversely, Type III errors – as William Dunn put it: “defining the wrong problem” – calls into question the interaction between the SM’s legal framework and operations. Such interaction is dynamic: it encompasses the incentives and biases that formal rules create for case managers, but also how the latter interpret the framework considering their professional standards and organizational culture. Type III errors are more subtle and difficult to evaluate retrospectively, but also more relevant. Blocking an investment that brings about a remediable risk for the national security instead of allowing it with mitigation measures is an example; accepting a transaction that expose a country’s strategic asset to weaponization by a foreign entity is another. Indeed, given that the security risks are certain, the two alternative coping strategies mirror a significantly different derisking logics – one aiming at avoiding risks, the other at managing them – which may have great impact on the net benefit for the country if wrongly applied to a case.

Sources of Distortion

We identify three interrelated sources of distortion that systematically affect how screening mechanisms operate.

First, cognitive dynamics. Security risks are often rare, slow-moving, and probabilistic — what organization scholars call a "dynamic non-event" — while the economic costs of intervention are immediate and measurable. This asymmetry produces learning problems: the absence of visible incidents can be read as evidence that no threat exists, while episodes of heightened salience can trigger what organizational literature calls threat rigidity, pushing officials toward conservative, familiar responses. There is also a tension between detection (collecting signals) and screening (interpreting them): more information does not automatically lead to better judgments if organizational routines bias how that information is processed.

Second, collective-action dynamics. The distribution of interests around a transaction can tilt administrative decision-making in different ways. When economic benefits are concentrated — for instance, when a small number of firms stand to gain — those actors have the motivation and resources to shape how rules are interpreted. But the reverse situation is also possible: when the economic benefits of openness are broad and diffuse — spread across many firms, consumers, or sectors — they may lack effective representation in the policy process. In such cases, security-driven arguments can prevail by default, even when the underlying risk is low. This asymmetry of organization and voice explains why screening outcomes often swing between over- and under-enforcement.

Third, institutional factors. The design of the screening regime itself can amplify these biases. Principal–agent dynamics, excessive proceduralization, and secrecy-oriented "police-patrol" oversight can stifle learning and professional discretion. Over-formalized rules create incentives for box-ticking, while rigid mandates encourage bureaucratic inertia and strategic adaptation by malicious actors. When institutions prioritize procedural compliance over analytical quality, they risk producing a system that is formally robust but substantively weak — one that satisfies legal correctness while missing real threats or suppressing beneficial activity.

These biases are often embedded in the very debate over investment screening systems. Four pitfalls deserve to be considered:

1. Overly broad scope. Expanding the list of sensitive sectors may appear prudent, but it leads to overcompliance — firms notify even trivial transactions, overwhelming administrative capacity. This broad-scope approach emerged as a preference of the EU Parliament during the revision of the FDI regulation.
2. Excessive formalization. Highly detailed rules limit flexibility, discourage professional judgment, and invite gaming by sophisticated actors.
3. Misinterpreted timeframes. Short deadlines are not always pro-business, nor are long ones protectionist. The real question is whether timing rules align with information needs and incentives for cooperation.
4. Poorly defined authority scope. More agencies involved does not automatically mean better outcomes. Competence, discretion, and learning capacity matter far more than institutional size.

Rethinking How We Design Screening Mechanisms

These arguments point to a simple but powerful insight: good derisking policy is less about control than about compliance. Rather than multiplying rules, governments should focus on how those rules are implemented and learned from. Effective screening mechanisms are those that:

- anticipate opportunistic behavior rather than assuming compliance;

- design incentives that encourage accurate disclosure and cooperation;

- balance confidentiality with selective transparency to mobilize expertise across sectors;

- embed evaluation systems that allow feedback and adjustment over time.

In the first place, SMs should be tailored to country and sector specificities. There is no universal blueprint for screening. Mechanisms that work in defense or energy might fail in academic research or digital innovation. In centralized and highly strategic sectors, a preventive, risk-avoidance approach can be justified. But in more decentralized ecosystems — such as research and innovation — resilience and adaptability are better strategies than rigid control. The key is to calibrate screening to the institutional and economic environment in which it operates.

Another design dimension regards the competence-control dilemma. A recurring mistake in public policy is assuming that more oversight leads to better outcomes. In practice, too much procedural control can suffocate the very administrative competence that makes policies effective. We argue that derisking requires professionalized bureaucracies with analytical and technical expertise — people capable of interpreting complex information, not just applying checklists. Investing in such capacity is a necessity that requires bureaucracies willing to accept and manage risks, rather than detect and avoid them. In many cases, this signals a cultural change.

Lastly, effective derisking also requires institutions to learn. Mistakes are inevitable, but when agencies fear blame, learning stops. We need oversight that focuses on outcomes, not only procedures. Increasing transparency in the FDI Regulation would help building open policy communities — connecting regulators, analysts, firms, and researchers — helps avoid groupthink and enables adaptation. Economic security should be approached as a dynamic process, not a static rulebook.

Conclusion

The debate surrounding the revision of the European Regulation on Foreign Direct Investment has brought to light significant elements of cooperation between Member States and EU institutions. As is often the case, the equilibrium point of a complex political negotiation is crystallized in formal rules or, as in the present case, in their amendment toward a more advanced framework. Making investment screening mechanisms mandatory and defining a common minimal scope are clear examples of such a dynamic.

However, formal rules, while important, are not sufficient. It is crucial to foster a more homogeneous administrative culture aligned with the policy’s substantive objectives. The emphasis on a more uniform definition of filtering criteria is an interesting move in this direction. This is a highly challenging goal, not least because national screening authorities do not enjoy the autonomy typically granted to non-majoritarian institutions. Although governments may not want to lose control, and firms desperately (and rightly) need certainty, both must recognize that greater professionalization of screening authorities can be a win-win situation.

*This blogpost is part of a broader research project titled “Recasting the national interest in Europe. Institutions, politics and policies for the defense of critical infrastructures and supply chains”. Funded by the European Union – Next Generation EU and the Italian Ministry of University ID: P2022YBXC5