Mapping EU cybersecurity law and its future challenges
by Lina Jasmontaitė-Zaniewicz, LSTS, VUB
On 11 October 2019 the Cyber and Data Security Lab (CDSL) and the Brussels Privacy Hub (BPH) hosted the first joint workshop on the EU cybersecurity law. The event was part of the European CyberSecurity Month and it focused on the recent achievements and milestones, as well as future policy options concerning cybersecurity regulation.
After a word of welcome by Professor Vagelis Papakonstantinou, Michal Czerniawski, Digital Attaché at the Permanent Representation of Poland to the European Union (EU), shared an overview of the state of the art of cybersecurity regulation in the EU. He pointed out that the reach of cybersecurity policy and numerous legislative instruments in the EU is confined by Member States initiatives and that in this regard the European Commission and the European Union Agency for Network and Information Security (ENISA) act in their supportive competences. A particularly illustrative example of this could be the attempt to regulate the fifth generation of telecommunication systems (i.e., 5G), which are supposed to boost the EU digital economy and society in the next decade. National strategies and plans about 5G development, future coverage and quality are adopted by Member States individually and the European Commission only takes on a task of monitoring the developments among Member States. Czerniawski acknowledged that given the horizontal nature of cybersecurity regulation, it is becoming more difficult to delineate strict lines of EU cybersecurity policies. This being said, he noted that while the European Commission plays an important role as a facilitator of discussions and policy initiatives, cybersecurity remains predominately addressed at domestic level, since it includes a national security element.
Maria Grazia Porcedda, Assistant Professor at Trinity College Dublin, contributed to the debate by discussing different instruments that have a bearing on cybersecurity regulation. In particular, she focused on the regulation of ‘breaches of security’ across the following legislative instruments: e-Privacy Directive, the Framework Directive, the Electronic Identification and Assurance Services (eIDAS) Regulation; the Payment Services Directive (PSD2), the Network and Information Security (NIS) Directive laying down rules on security incidents operators of essential services and for digital service providers and the General Data Protection Regulation (GDPR). These internal market instruments can be conceptually grouped into two regimes. The e-Privacy Directive and the GDPR concern breaches affecting personal data, ‘data breaches’ for short; the remaining instruments concern ‘incidents’ or ‘breaches of security’ or ‘loss of integrity’ or ‘security incidents’ which do not necessarily affect personal data. While the definitions across these hectically developed legislative measures vary, the final objective of all of them is the same – the protection of information and its confidentiality, integrity and availability. Provided this overarching objective, Porcedda suggested that a unified law would be best placed to address the issue information security and encourage the development of a mutual learning mechanism. The detailed study of Porcedda is published in the article titled ‘Patching the Patchwork: Appraising the EU Regulatory Framework on Cyber Security Breaches’ and it is available here.
Zenzi De Graeve, Attorney in Technology, Data Protection, Intellectual Property & Media Law practice at Timelex then discussed how information security requirements stipulated by the NIS Directive and the GDPR play out in the healthcare industry. While examining the Belgian transposition of the NIS Directive, she questioned whether double administrative sanctions could be issued for the same incident and whether security measures adopted under one regulatory tool (e.g., the GDPR) are suffice to comply with the requirements stemming from the other one (e.g., NIS Directive transposed into a domestic law).