There are different views on whether regulatory efforts can efficiently combat cyber-risks. Firstly, there is a debate over whether regulation specific to cybersecurity risks is needed or whether the general legislation on technological and operational risks could successfully regulate these issues as well (1). It seems that, given the specifics of cybersecurity and cyber-risks, general legislation cannot really encompass all the issues that would need to be addressed.
Secondly, even if there is specific legislation on protection against cyber-risks, the question remains of how detailed that legislation must be. There are strong arguments that strict regulatory efforts can be counter-productive, because they would limit the ability of businesses to respond adequately to ever-evolving cyber-risks (2). Prescriptive legislation with clear obligations, or even worse precise technological requirements, would soon be outdated, as cybercriminals would quickly find ways to breach all prescribed security defences. Alternatively, a regulatory approach based predominantly on guiding principles may be better suited to having a positive influence on cybersecurity (3).
Often, after businesses suffer a cyberattack and have their technical infrastructure or client data compromised, regulators may seek to blame the organization for not preventing an attack they deem foreseeable, even in cases where, in hindsight, the organization could not reasonably have expected it (4). Thus, it seems beneficial for regulators to adopt guidelines on the obligations and due diligence expected from organizations, so that organizations cannot later be blamed when cybercriminals manage to circumvent their security systems.
Lastly, the need for certain regulatory efforts can be supported by the lack of information and incentives for businesses, which makes it difficult for them to self-regulate their conduct. Firstly, it may be the case that certain businesses do not have the expertise or experience to adequately consider different cyber-risks (5). Some small businesses may even underestimate the risks, believing they would not be targeted because of their size and capacity (6). This, however, is not a sound judgment: all businesses must have adequate security systems in place. Regulatory requirements would force board members and management to implement the needed security standards and to prioritize compliance with cybersecurity requirements (7). It may be argued that businesses are motivated on their own to prioritize their security, but this additional push would ensure that in situations where heads of businesses have to decide between additional profit and stricter security measures, they would choose the latter (8).
The regulatory efforts in the EU are of a high standard. Firstly, the EU Cybersecurity Act implemented a unified cybersecurity certification scheme, which was a beneficial development in harmonizing cybersecurity standards between Member States. Secondly, Directive (EU) 2016/1148 on security of network and information systems (“NIS Directive”) (9) also created new requirements for Member States that overall raised the level of protection from cyber-risks:
- EU Member States had to reach certain cybersecurity capabilities, including improving their systems and carrying out cyber exercises
- EU Member States had to enable cross-border cooperation
- EU Member States were obliged to oversee critical sectors and their cybersecurity
Currently, the amended NIS II Directive (10) is underway. Time will show whether the envisioned developments will be beneficial to the overall level of cybersecurity in the EU. As established, while a regulatory guideline would be extremely helpful for businesses, organizations should still be granted enough flexibility to be able to respond adequately to ever-changing cyber-risks.
1. Crisanto J., Prenio J., ‘Regulatory approaches to enhance banks’ cyber-security frameworks’ (2017), FSI Insights on policy implementation No 2
2. Crisanto, Prenio (n 1)
3. Crisanto, Prenio (n 1)
4. Archie J., Leitner L., Stout A., ‘Cybersecurity regulation and best practice in the US and UK’, LexisNexis
5. HM Government, ‘Cyber Security Regulation and Incentives Review’, December 2016
6. HM Government (n 5)
7. Crisanto, Prenio (n 1)
8. Crisanto, Prenio (n 1)
9. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, p. 1–30
10. Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, COM/2020/823 final
This article has been produced by the Law and Internet Foundation.
The contents of this publication elaborated under the GUARD project are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission. GUARD has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 833456.