18 NOVEMBER 2019
Mapping EU cybersecurity law and its future challenges
Summary by Lina Jasmontaitė-Zaniewicz, LSTS, VUB
On 11 October 2019 the Cyber and Data Security Lab(CDSL) and the Brussels Privacy Hub (BPH) hosted the first joint workshop on the EU cybersecurity law. The event was part of the European CyberSecurity Month and it focused on the recent achievements and milestones, as well as future policy options concerning cybersecurity regulation.
After a word of welcome by Professor Vagelis Papakonstantinou, Michal Czerniawski, Digital Attaché at the Permanent Representation of Poland to the European Union (EU), shared an overview of the state of the art of cybersecurity regulation in the EU. He pointed out that the reach of cybersecurity policy and numerous legislative instruments in the EU is confined by Member States initiatives and that in this regard the European Commission and the European Union Agency for Network and Information Security (ENISA) act in their supportive competences. A particularly illustrative example of this could be the attempt to regulate the fifth generation of telecommunication systems (i.e., 5G), which are supposed to boost the EU digital economy and society in the next decade. National strategies and plans about 5G development, future coverage and quality are adopted by Member States individually and the European Commission only takes on a task of monitoring the developments among Member States. Czerniawski acknowledged that given the horizontal nature of cybersecurity regulation, it is becoming more difficult to delineate strict lines of EU cybersecurity policies. This being said, he noted that while the European Commission plays an important role as a facilitator of discussions and policy initiatives, cybersecurity remains predominately addressed at domestic level, since it includes a national security element.
Maria Grazia Porcedda, Assistant Professor at Trinity College Dublin, contributed to the debate by discussing different instruments that have a bearing on cybersecurity regulation. In particular, she focused on the regulation of ‘breaches of security’ across the following legislative instruments: e-Privacy Directive, the Framework Directive, the Electronic Identification and Assurance Services (eIDAS) Regulation; the Payment Services Directive (PSD2), the Network and Information Security (NIS) Directive laying down rules on security incidents operators of essential services and for digital service providers and the General Data Protection Regulation (GDPR). These internal market instruments can be conceptually grouped into two regimes. The e-Privacy Directive and the GDPR concern breaches affecting personal data, ‘data breaches’ for short; the remaining instruments concern ‘incidents’ or ‘breaches of security’ or ‘loss of integrity’ or ‘security incidents’ which do not necessarily affect personal data. While the definitions across these hectically developed legislative measures vary, the final objective of all of them is the same – the protection of information and its confidentiality, integrity and availability. Provided this overarching objective, Porceddasuggested that a unified law would be best placed to address the issue information security and encourage the development of a mutual learning mechanism. The detailed study of Porceddais published in the article titled ‘Patching the Patchwork: Appraising the EU Regulatory Framework on Cyber Security Breaches’ and it is available here.
Zenzi De Graeve, Attorney in Technology, Data Protection, Intellectual Property & Media Law practice at Timelex then discussed how information security requirements stipulated by the NIS Directive and the GDPR play out in the healthcare industry. While examining the Belgian transposition of the NIS Directive, she questioned whether double administrative sanctions could be issued for the same incident and whether security measures adopted under one regulatory tool (e.g., the GDPR) are suffice to comply with the requirements stemming from the other one (e.g., NIS Directive transposed into a domestic law).
Ludmila Georgieva, Public Policy and Government Relations Manager at Google in her contribution focused on company practices addressing cybersecurity concerns across a range of services provided by the company. She highlighted that cybersecurity is a continuous process and that one of the most efficient ways to ensure scalable cybersecurity is providing automated updates that are installed to all users by default. She then briefly introduced Project Zero – Google vulnerability reward programme – that reports bugs and vulnerabilities to the manufacturer and publishes them publicly once a patch has been released.
Following up on the contributions discussed above, the speakers and the participants at the event further contemplated about ways to tackle vulnerabilities in security of software and to attribute liability for hardware and software flaws. The closing remarks were given by Paul de Hert, Professor at Vrije Universiteit Brussel, who emphasized that in the interconnected environment information security is no longer a concern only of providers of critical infrastructure or essential services. It is a concern of everyone as after-effects of data breaches are wide-spread and often are unpredictable.
The event was partially supported by CANVAS project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 700540.
Keep up to date of our activities and developments. Sign up to our newsletter:
Copyright © Brussels Privacy Hub