The EU’s legal approach to cybersecurity

eu!radio |

©FlyD sur Unsplash

Every Monday, a member of the international academic association ‘UACES’ will address a current topic linked to their research on euradio.

 

Listen to the podcast on eu!radio.

 

 

 

Hello, Eva Saeva! You are researcher at Newcastle Law School, in the UK, and a specialist in cybersecurity. Tell us about this area of research.

It is a fascinating field of study that I have researched for over 6 years now. Let me focus today on the European Union’s legal approach to cybersecurity.

It’s been 10 years since the EU adopted its first Cybersecurity Strategy in 2013. Since then, the regulatory landscape has been expanding. So has, however, the landscape of threats and dangers. Cyber threats – be they state-sponsored or not – are of ever-so-great concern for both states and companies alike.

 

What prompted the EU to regulate in the first place?

Back in 2007, Estonia was targeted by a state-sponsored cyberattack. Decision-makers and scholar alike quickly came to realise states were not prepared to respond to such major attacks and the regulatory framework was insufficient to tackle the challenging rise of cyber threats.

But the first efforts the EU made towards regulating the field were actually met with hesitation and resistance by the Member States, which had different national security objectives, and different legal, technical and operational preparedness. Some Member States therefore were reluctant to let the supranational body be in the lead and adopt EU-level legally-binding measures – at the time, to no surprise, the UK was among those.

This tension between the EU and its Member States contributed to the way the first EU cybersecurity law – the Network and Information Systems Directive (so-called NIS Directive 2016) – was shaped. The Directive aimed at harmonising the legal preparedness across all Member States. It introduced cybersecurity risk management and incident reporting mechanisms for companies providing services for the critical infrastructure sectors and invited Member States to re-organise their own institutional cybersecurity architectures.

 

Why has cybersecurity become so important?

Because of the profit that malicious actors get from cyberattacks! Cybersecurity has become essential, and it is not by chance that it has been covered in a whole variety of sectorial legislation.

For example, cybersecurity is essential for every company processing or storing personal data under the EU’s general data protection regulation (GDPR). It is essential for the medical devices industry, under the Medical Devices Regulation, it is essential for all connected devices (under the upcoming Cyber Resilience Act), it is essential for highly critical Artificial Intelligence systems (under the upcoming “AI Act”), and it is essential for the financial sector (under the “Digital Operational Resilience Act”, with its nice acronym “DORA”).

The EU’s continuous efforts demonstrate attentiveness to the issues. However, the cost of cybercrime is growing.

Ransomware is threat N1 to all companies – public or private. The WannaCry ransomware of 2017 is estimated to have cost around $4 billion in losses globally. These attacks encrypt the data, and the hackers request a ransom to be paid to decrypt it. Whilst it is never advisable to pay cyber criminals, many companies pay hoping they will get their data back, which might not even be the case.

There has been a rise in supply chain attacks too – cyber criminals target the weakest link. For instance, if hackers want to access large amounts of personal data, they might not target the public administration handling this data, but rather the cloud provider, where this data is stored. The cybersecurity level of the administration might be high, but if the cloud provider’s is weak, the administration would suffer from the attack too. A very recent supply chain incident from summer 2023 was the MOVEIT hack, which exploited a vulnerability in the MOVEIT managed file transfer system, leading to a massive data breach globally, affecting the BBC, British Airways, Sony, Ernst&Young, Shell, banks, hospitals, etc. Its cost has been estimated at around $11 billion.

 

That sounds pretty scary!

It is! And that’s why the EU has tried to address the spectrum of attacks and has passed a number of “horizontal” cybersecurity laws, among which the Cybersecurity Act 2019, the NIS2 Directive 2022, the soon-to-be-adopted Cyber Resilience Act.

The aim is to support both its MS toward their better cybersecurity preparedness, and its companies towards better cybersecurity awareness. The EU has become an important regulator in the field of cybersecurity. However, having a regulatory framework means little if it is not properly enforced. Continuous investments in cybersecurity are needed, both public and private.

 

Many thanks, Eva Saeva, for sharing your insight on a field that not all of us are aware of. I recall you are researcher at Newcastle Law School, and cybersecurity consultant at Cyen.