EU Cyber Research Articles

The European experience of legislative support for strengthening cyber resilience

The concept and content of cyber resilience are considered. characterizing features of cyber resilience are defined. The relationship between the concepts of cyber security and cyber resilience is detailed. Cyber resilience infrastructure and its components are defined. The current EU legislation on strengthening cyber resilience is analyzed. The positive aspects of strengthening cyber resilience in EU legislation have been identified. Special attention is paid to the review of the NIS2 Directive and the EU Cyber Resilience Act. The constituent components of a comprehensive cyber resilience strategy at the local level have been determined. The directions of the European Central Bank (ECB) aimed at strengthening the cyber resilience of the EU banking system are described. Based on the generalization of positive European experience, prospects for improving and strengthening cyber resilience in Ukraine are outlined.

Reporting cybersecurity to stakeholders: A review of CSRD and the EU cyber legal framework

The purpose of this article is to explain, through a doctrinal review of the EU sustainability and cybersecurity legal framework, how the cybersecurity obligations contribute to the cybersecurity content and quality of the sustainability reporting. Previous studies are limited to voluntary cybersecurity disclosure in annual reports because they date back to before the adoption of CSRD. The CSRD harmonized sustainability reporting in the EU and introduced the ESRS, the standards for sustainability disclosure. As stated in the ESRS S4, the sustainability reporting should now address how the company manages the risks linked to data usage and data collection. Therefore, cybersecurity measures must be included in the sustainability report. This information can be used by stakeholders to assess the risk appetite and the potential long-term profitability of the company. The cybersecurity measures adopted by companies must comply with the cybersecurity obligations of the EU legal framework. While it is out of the scope of these cybersecurity obligations to inform ex ante the stakeholders of a company of how the company is managing cyber risks, these same obligations can improve the quality and content of the sustainability discourse.

European cybersecurity standardisation: a tale of two solitudes in view of Europe’s cyber resilience

Cybersecurity resilience as a concept and EU policy approach encompasses, in broad terms, the preparedness of organisations against and the ability to recover from cyber-attacks. Policy and law makers in the European Union have started endorsing strategies moving both towards reactive measures mitigating the consequences of cybersecurity incidents and proactive measures geared towards prevention. Recently, a political agreement was reached on a new horizontal Regulation addressing cyber resilience of products with digital elements. An essential aspect of the Cyber Resilience Act is technical standardisation to support its goals. How appropriate is however the European Standardisation system for such a role in EU cybersecurity law? The paper argues that for European standards to be conceptualised as a building block of cyber resilience in the European Union, their development process must be inclusive and open, and a prerequisite for that is that the ESOs jointly work towards the common goal of developing and adopting European standards in support of the EU cyber resilience policy and law. This collaborative approach is mandated both by the nature of cyber resilience and cybersecurity as regulated fields, but also the changing nature of standardisation aspiring to contribute to areas pertaining to societal interests and fundamental rights.

Implications of GDPR and NIS2 for Cyber Threat Intelligence Exchange in Hospitals

The DYNAMO Horizon Europe Project aims to support critical sector (healthcare, energy production, marine transport) stakeholders in enhancing resilience and minimizing the effects of cyber-attacks. DYNAMO's objective is to use artificial intelligence to integrate cyber threat intelligence (CTI) and business continuity management (BCM) to support decision-making. The goal is joint preparation for EU cyber threats, necessitating timely global situational awareness and effective communication to address threats before they escalate. This paper focuses on the intelligence sharing and trust needs of the DYNAMO use cases while also meeting regulatory requirements. Analyzing DYNAMO’s internal materials and aligning them with authorities' requirements, particularly NIS2 and GDPR, reveals that healthcare organizations need to prepare for more effective data protection, incident response, and cyber-attack mitigation. While NIS2 doesn't specify technical requirements for healthcare, it offers a broader framework for organizations to make informed decisions about equipment suppliers and security applications. After the general review, this study examines a specific healthcare use case: a hospital infected by phishing, emphasizing that CTI exchanges may contain sensitive data falling under GDPR and NIS2 regulations. This includes technical details, health-related information, patient data, insurance details, and employee information. Concerning the AI-based approaches used, DYNAMO must handle this CTI exchange in compliance with the law. The case study compares the DYNAMO project's CTI exchange use case with GDPR and NIS2 requirements, highlighting challenges such as the difficulty in separating sensitive data under GDPR and differences in language and terms between the two regulations. Despite these challenges, the study discusses the impact of GDPR and NIS2 on CTI exchange in the healthcare sector, providing key implementation points and guidelines.

Unveiling EU Cybersecurity Law Turf Battles: The Case of the EU Cyber Solidarity Act Proposal

Unveiling EU Cybersecurity Law Turf Battles: The Case of the EU Cyber Solidarity Act Proposal

PRAVNI OKVIR ZAŠTITE OD VISOKOTEHNOLOŠKOG KRIMINALA U BOSNI I HERCEGOVINI – analiza strateških ciljeva i mogućnost usklađivanja sa evropskom strategijom sajber bezbednosti

The topic of this paper is the legal framework for protection against high-tech crime in Bosnia and Herzegovina, with an analysis of strategic goals and the possibility of alignment with the EU Cyber Security Strategy for the Digital Decade, which was adopted the year before last. The paper provides a conceptual definition of high-tech crime and cyber security, as well as their basic characteristics. Then, in brief, the legal framework of protection against high-tech crime in Bosnia and Herzegovina was analyzed. When it comes to the EU Cyber Security Strategy for the Digital Decade, the most significant parts of it are interpreted in the continuation of the work, especially those that could have application significance for Bosnia and Herzegovina. Based on the above, appropriate recommendations were given in the final deliberations for the improvement of the legal and strategic framework of cyber security in BiH.

The EU Cyber Resilience Act – An appraisal and contextualization

The article discusses the Commission’s Cyber Resilience Act proposal of 15 September 2022 and provides an overview of its provisions as well as a critical assessment of the most pertinent aspects related in particular to its risk-based approach, varying regulatory burden across actors and products, and its scope of application. The article further seeks to contextualize the CRA by identifying the drivers of its adoption against the broader picture of EU’s role and aspirations in the area of cybersecurity and its proactive legislative efforts in the broader digital domain.

Cyber Security and Cyber Defense: Challenges and Building of Cyber Resilience Conceptual Model

Cyber security encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cyber security is distinctive in its inclusion of the offensive use of information technology to attack adversaries. Use of the term cyber security as a key challenge and a synonym for information security or IT security misleads customers and security practitioners and obscures critical differences between these disciplines. Recommendation for security leaders is that they should use the term cyber security to designate only security practices related to the defensive actions involving or relying upon information technology and/or operational technology environments and systems. Cyber defense is a computer network defense mechanism which includes response to actions and critical infrastructure protection and information assurance for organizations, government entities and other possible networks [3]. In this paper, we investigate how cyber security and cyber defense may lead to cyber resilience with the novel model of cyber resilience designed and presented. Furthermore, within the same model authors investigate actions for cyber security and cyber defense in conditions of increasing challenge of cyber-attacks and the limited capabilities to respond to this threat describing the process of creation, performance and future of EU Cyber Rapid Response Teams (abbr. CRRT) and Mutual Assistance in Cyber Security, introducing novel approach to cyber security and cyber defense at the EU level.

The Rationale and the Perils of Failing to Invoke State Responsibility for Cyber-Attacks: The Case of the EU Cyber Sanctions

The Rationale and the Perils of Failing to Invoke State Responsibility for Cyber-Attacks: The Case of the EU Cyber Sanctions

Legal Status of European Union Bodies and Institutions in the Field of Cybersecurity

The relevance of the reasearch topic stems from the fact that different state bodies are involved in addressing cybersecurity services. While each of the state bodies has their own goals and objectives, the successful resolution of the issues entirely depends on their effective cooperation. The existing resources and expertise available in the EU member states and corresponding EU institutions, bodies and agencies provide a solid basis for a collective response to cybersecurity threats. As a result, the EU has established a system of cyber security risk management bodies. The purpose of this article is to investigate the activities of key EU cyber security authorities. To achieve this goal and analyse the activities of the main EU bodies in the field of cybersecurity , the author has used several methods, such as the systematic approach, the formal-legal method, the comparative-legal method and the historical method. The author has come to the conclusion that cooperation and information exchange are essential elements in addressing cyber security issues. At the same time, to achieve coherence among cyber security bodies, the EU is taking measures to strengthen their joint work. In addition, it has been concluded that the EU, as a regional integration organization where member states act on the basis of mutual trust, is a reliable platform for addressing cyber security issues.

The European Union as an international actor in cybersecurity

This article analyzes the role of the European Union as an international actor in Cybersecurity. For these purposes, the article assesses, first, the evolution of the external dimension of the European Union Cybersecurity policy, with particularly reference to the 2013 Cybersecurity strategy. Second, the paper studies the emergence and development of the EU Cyber diplomacy. Third, the article examines the novelties related to the role of the EU as an international actor introduced by the 2020 Cybersecurity strategy and subsequent documents such as the 2022 Strategic Compass and Cyber posture. Finally, a number of conclusions are drawned in the last section.

Artificial intelligence and EU security: the false promise of digital sovereignty?

ABSTRACT EU Digital Sovereignty has emerged as a priority for the EU Cyber Agenda to build free and safe, yet resilient cyberspace. In a traditional regulatory fashion, the EU has therefore sought to gain more control over third country-based digital intermediaries through legislative solutions regulating its internal market. Although potentially effective in shielding EU citizens from data exploitation by internet giants, this protectionist strategy tells us little about the EU’s ability to develop Digital Sovereignty, beyond its capacity to react to the external tech industry. Given the growing hybridisation of warfare, building on the increasing integration of artificial intelligence (AI) in the security domain, leadership in advancing AI-related technology has a significant impact on countries’ defence capacity. By framing AI as the intrinsic functioning of algorithms, data mining and computational capacity, we question what tools the EU could rely on to gain sovereignty in each of these dimensions of AI. By focusing on AI from an EU Foreign Policy perspective, we conclude that contrary to the growing narrative, given the absence of a leading AI industry and a coherent defence strategy, the EU has few tools to become a global leader in advancing standards of AI beyond its regulatory capacity.

EU Cyber Initiatives and International Cybersecurity Standards — An Overview

EU Cyber Initiatives and International Cybersecurity Standards — An Overview

Reflection of the Act on Cybersecurity in aviation education

1. Joint Communication to the European Parliament and the Council „Resilience, deterrence and defense: building a strong EU cyber security“, Brusel 13.9.2017, JOIN (2017) 450 final. Google Scholar

European experience of strengthening cyber security capacities in modern conditions

The novelties of the European legislation in the sphere of cybersecurity are reviewed. Prospects for digitalization in the EU are summarized. The provisions of the EU Cyber Security Strategy for 2021 – 2027 and the Digital Compass Roadmap are considered. Basic principles and priorities of a common European digital policy are defined. The strategy targets and avenues for a successful digital transformation of Europe by 2030 are detailed. The organizational and legal mechanism for introducing the cyber sanctions regime in the EU has been revealed. The directions of the cooperation between Ukraine and EU in the sphere of cybersecurity are identified.

The EEAS as a Navigator of EU Defence Aspects in Cyberspace

What is the principal role of the European External Action Service (EEAS) in EU cybersecurity and how does its influence in this crossover area of EU policies unfold? To answer these questions, the major cybersecurity documents, its actors and the EU competence in the field of cybersecurity will be reviewed. The article will then examine the role of the EEAS in the specific sub-area of EU cyber defence. It argues that the principal role of the EEAS is to bring more coherence and coordination to cybersecurity, especially in the area of cyber defence. Due to wellestablished procedures and strong institutional involvement supported by other bodies, the EEAS has entrenched its role in cybersecurity policies, even if it still remains a solely supportive one. EU cybersecurity, Cyber defence, Cybersecurity strategy, EU institutional actors, EU competence

Features of cyber security policy formation of the European Union: legal aspects

The article deals with the current legal and organizational principles of the European Union`s cybersecurity, the problems and prospects for the development of the relevant EU mechanism in the context of modern cyber threats. The evolution and qualitative dynamics of the EU cyber policy from the adoption of the first legal acts in the early 2000s to the publication of the second EU Security Strategy draft in December 2020 are analyzed. The study found that the European Union has the potential to achieve strategic autonomy in cyberpolitics. However, it needs a more coherent policy of coordination, further increase of funding and building of institutional capacity of the EU, equalization of member states possibilities. The conclusions state that Europe is interested in the comprehensive development of EU cybersecurity policy. The cross-border nature of cyber threats means that the EU's resilience in this matter directly affects its security. The current direction of the EU's capacity building and especially close cooperation with NATO provide a chance to avoid difficult political dilemmas. Official data from the European Union's Cyber Security Agency show that the number of violations of privacy is growing among the types of cyber attacks. This puts on the agenda the activities of EU structures and Member States the need to develop a system of human rights protection in the field of cybersecurity. One of its basic elements should be updated legislation, in particular, the new EU Cyber Security Strategy. The European Union does not stop there and constantly strives to develop opportunities to counter and prevent cyber threats in order to achieve strategic autonomy of the organization. The EU needs to overcome its excessive bureaucratization and imbalance in the funding of cyber policy management programs and the practical development of cyber attack protection, prevention and repulsion systems. The EU’s place in the future global cybersecurity system will depend on the real strengthening of this second segment of programs.

Institutionalising EU Cyber Law: Can the EU Institutionalise Its Many Subjects and Objects?

The EU as a cyber-actor appears to institutionalise cyber-matters increasingly yet is also subject to an increasingly wide variety of subjects and objects that it cannot institutionalise. This will inevitably affect the ‘unitary’ ideal of EU action in this field. Major developments in EU cyber action internally and externally increasingly focus upon both institutionalisation and also the co-opting of private actors into governance which are argued here not to be consistent. Until recently, there had long been a lack of a unitary or central figure in EU cyber law-making with overarching responsibility for policy development. This paper shows that the EU as a cyber-actor constitutes a significant example of EU institutionalisation taking place in practice, caught between complex global challenges and contested taxonomies. The EU harbours multiple conflicting definitions of cybercrime between actors and entities and multiple working definitions of cybersecurity. Some key terms also lack common definition in the EU context e.g. cyber defence, albeit as a key competence of the EU Member States, where it fails to draw from commonalities sufficiently. The EU lacks sufficiently robust institutions, agencies or actors and risks conflicts and impingement upon many fundamental rights through its partial institutionalisation of a field. It also appears afflicted by paradoxically both over- legalisation and under-legalisation of cyber law-making. As a result, the EU as a Global cyber actor risks becoming an inadequate international partner through its own weak institutionalisation.

Restrictive Measures: A Deterrence Tool of the EU Cyber Diplomacy?

According to the 2016 EU Global Strategy (EUGS), today’s world is characterised by an increased strategic competition and rising threats to multilateralism and a rules-based order. In this fast evolving environment, the EU has shifted from its traditional “values-based” approach in foreign policy to a “principled pragmatism”. This holds that the EU should solidify relations with countries with shared values, while also engaging strategically with rivals. The EU’s goal is to protect its strategic interests in the world marked by the US-China rivalry, a confrontational relationship with the Trump administration, and Russia’s growing ambitions in their shared neighbourhood. The present chapter examines some aspects of the EU’s efforts to secure its autonomy in an emergent terrain for international competition: cyberspace. The analysis will begin with an explanation of the broader context for the EU’s approach to cybersecurity, which should be understood as part of the Union’s longstanding pursuit of “strategic autonomy” in an increasingly competitive geopolitical environment. It then offers a description of deterrence theory and its application to cyberspace, before turning to the development of the EU Cyber Diplomacy toolbox and targeted restrictive measures in response to cyberattacks. It will then seek to assess the deterrence potential of restrictive measures on the basis of some generic attributes of the concept of deterrence identified in rich theoretic contributions on deterrence theory and cyberspace. It concludes that while sanctions might appear to be ineffective and non-aligned with the operational characteristics of the cyber domain, their potential for establishing good practices should not be discarded. They should instead be used as a vehicle for promoting and informing the international discourse on the norms of responsible state behaviour in cyberspace.

A Governance Model for an EU Cyber Security Collaborative Network – ECSCON

A Governance Model for an EU Cyber Security Collaborative Network – ECSCON