European Union Cybersecurity Policy and Legislation

Author: Nafisatu Wiafe Ansah, LLB University of Padova, 2015-2016

Legal Editor: Bader Kabbani, LLM International Commercial and Economic Law, SOAS, University of London, 2020-2021


With the use, evolution and, sometimes, over-reliance on technology, more people and businesses (and even governmental institutions) make heavy use of technology and cyberspace, not only to conduct their business but also to store their private data. This widespread use makes a comprehensive Union-wide policy intended to safeguard users increasingly necessary.

What is Cybersecurity?

Cybersecurity is the process that seeks to protect and defend computers, systems, servers and networks from cyberattacks by ensuring their integrity. The need for cybersecurity is rising because of the ever-increasing number of devices and users, and the growing number of individuals and organizations that rely on cyberspace not only to conduct their business but also to store and protect their sensitive data. There is also a rise in interconnectivity and in the use of cloud services, which are susceptible to hacking. The development of a cybersecurity strategy is therefore of extreme importance to keep cyberspace orderly, especially where sensitive information is involved, by safeguarding protected health information, intellectual property, personally identifiable information, and sensitive industry and governmental information. The lack of an effective cybersecurity strategy gives cybercriminals room to wreak havoc not only in the business marketplace (especially among small and medium businesses, whose size, unlike that of big multinationals, may make it difficult for them to survive the effects of such attacks) but also in the personal lives of the individuals attacked. The caveat is that, just as technology evolves, so do the methods used to commit cybercrimes; indeed, in recent years attackers have been making use of artificial intelligence and social engineering to evade established security systems. Cybercrimes carry a non-negligible cost that makes it imperative for preventive measures to be put in place.
The costs arising from these crimes are reputational (the loss of customer trust due to the bad media coverage that follows a breach), economic (cyberattacks may disrupt the normal course of business, especially when the money necessary to repair the damage is taken into account) and regulatory (such attacks can expose the victims to sanctions, and at the same time they increase the obligations of businesses, which then have to spend resources to train their staff). These risks are the motivators behind the European Union’s decision to develop a cohesive cybersecurity strategy intended to build “resilience to cyber threats and ensure citizens and businesses benefit from trustworthy digital technologies”. Given the cross-border nature of these attacks, this aim is pursued through the enactment of legislation applicable throughout all Member States.

The EU cybersecurity strategy

The EU cybersecurity strategy sets out to put in place measures that strengthen the Union’s technological resources to combat cyberattacks. The main security areas covered by the strategy are the essential services, i.e. hospitals, energy grids, the railway transport system and other digitized transport. The strategy focuses on building the resilience of the Union to ensure that it is able to respond to such attacks and, in so doing, to sanitise cyberspace. The strategy intends to achieve its aim by intensifying cooperation with international bodies to advance the formation of a global cyberspace. Over the years the EU has adopted several key pieces of legislation in pursuit of this strategy, among them the Network and Information Security Directive, the Digital Operational Resilience Act, the European Cybersecurity Act, the Critical Entities Resilience Directive and the Cyber Resilience Act.

The Network and Information Security Directive

The Network and Information Security Directive (Directive 2016/1148, NIS) was approved in 2016 and aims to establish the measures for the creation of a secure and reliable digital environment in Europe. The Directive requires Member States of the European Union to adopt a series of common and adequate security measures, while also requiring that incidents be reported to the national authority set up for this purpose. Member States also have to promote the creation of national CSIRTs (Computer Security Incident Response Teams) in order to create a European network that deals with the security of critical networks. The objectives of the Directive are the management of security risks, protection against cyberattacks, the identification of cyber security incidents and the reduction of their impact.

NIS 2

In 2022 the European Union presented plans for a reform of the NIS Directive in order to strengthen European security, particularly in sensitive sectors such as banking, public administration, energy, telecommunications and transport. The new directive requires critical businesses and organizations to set up and test cybersecurity response plans, to report cybersecurity incidents to the authorities within 24 hours, and to use state-of-the-art cybersecurity technologies to prevent cyber-attacks.

The Critical Entities Resilience Directive

The Directive (Directive 2022/2557) was approved in 2022 and shall apply from 18 October 2024. It is meant to replace the European Critical Infrastructure Directive of 2008 and focuses on the resilience of critical infrastructure against natural hazards, sabotage, terrorist attacks and insider threats. Under the Directive, Member States are required to adopt a national strategy and to carry out regular risk assessments to identify the entities that are considered critical or essential for society and the economy.

The Digital Operational Resilience Act

The intended scope of the Digital Operational Resilience Act (DORA) is to establish a definite baseline for regulators and supervisory authorities for end-to-end ICT and cybersecurity management, including incident management. The Act also harmonizes the obligations of Member States and raises the EU standard for monitoring the risks deriving from technology and digitization, complementing the European strategy in the field of cybersecurity (which had been initiated by the NIS Directive).

The European Cybersecurity Act

The European Cybersecurity Act, which became effective in 2019, established certification requirements for critical infrastructure, including energy networks, water and banking systems, as well as for products, processes and services, and ensures that they meet cybersecurity standards. The Act also aims to strengthen the role of ENISA (European Union Agency for Cybersecurity) by guaranteeing it a permanent mandate and allowing it to carry out not only technical consultancy tasks but also support activities for the operational management of cyber incidents by the Member States, so that ENISA is able to provide more concrete support, especially with regard to the implementation of the NIS Directive.

The Cyber Resilience Act

In the latter part of last year, the European Commission presented the Cyber Resilience Act, a new regulation proposal which aims to define a broad regulatory framework for the IT security of digital products connected to the network (“Internet of Things”) and placed on the EU market, imposing more stringent obligations on the producers of such products. The main objectives of the Act are to create a common European framework for cybersecurity in the EU; to ensure that manufacturers improve the cybersecurity of products, starting from the design phase and throughout the entire life cycle; and to increase the transparency of the information security practices and technical properties of products.

Conclusion

In conclusion, the EU has taken major steps to strengthen the Union’s response to cyberattacks. However, the Union must put better verification measures in place to make sure that Member States adhere to the content of the directives adopted by the EU, so that they do not remain only on paper.



This article was written within the Academic Essay Project (AEP) organised by LAWELS. AEP aims to increase the number of quality academic writings on legal topics, to encourage young lawyers to participate in academic writing, and to lay the foundation of an online database on legal science. The team of legal editors and legal writers share their knowledge through high-end essays that we publish on our website and social media accounts for the world to read and learn from.

The articles on the LAWELS platform are not, nor are they intended to be, legal advice. You should consult a lawyer for individual advice or an assessment of your own situation. The article reflects only the views of the author.