This paper observes the evolution of cyber security institutions recently established in the European Union. These institutions are based on older national, regional, and international Internet governance networks for voluntary transnational coordination of cyber security. The entry of the European Union in the cyber security domain caused a visible institutional change in the operational and regulatory status of the European networks, but the change was neither abrupt nor revolutionary. Rather, a new coordination hub was installed in the existing European networks, while later regulations were implemented with small incremental changes to the status of the deployed institutional hub. Building on a theoretical model of gradual institutional change from the field of political economy, the paper not only elaborates the evolution within the European Union, but also provides a political situation analysis of the contemporary technical, economic, and political challenges facing the European Union cyber security domain. Although the cyber security institution-building activities have halted or slowed down, many pressing policy issues still exist.