Jukka Ruohonen

2024-12-11

Abstract:A directive known as NIS2 was enacted in the European Union (EU) in late 2022. It deals particularly with European critical infrastructures, enlarging their scope substantially from an older directive that only considered the energy and transport sectors as critical. The directive's focus is on cyber security of critical infrastructures, although together with other new EU laws it expands to other security domains as well. Given the importance of the directive and most of all the importance of critical infrastructures, the paper presents a systematic literature review on academic research addressing the NIS2 directive either explicitly or implicitly. According to the review, existing research has often framed and discussed the directive with the EU's other cyber security laws. In addition, existing research has often operated in numerous contextual areas, including industrial control systems, telecommunications, the energy and water sectors, and infrastructures for information sharing and situational awareness. Despite the large scope of existing research, the review reveals noteworthy research gaps and worthwhile topics to examine in further research.

Cryptography and Security,Computers and Society

Ian Walden,Johan David Michels

DOI: https://doi.org/10.48550/arXiv.2203.04887

2022-03-10

Abstract:In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EU's digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation ('GDPR') and the Network and Information Systems Directive ('NISD') apply to cloud providers. We also consider the proposed revision of the NISD and look at newly developed voluntary assurance mechanisms for cloud providers, including codes of conduct and certification schemes. We conclude that, since cloud providers are typically subject to both NISD and GDPR and to the jurisdiction of multiple regulators, they face divergent regulatory approaches, which can lead to unintended outcomes and high compliance costs.

Computers and Society,Cryptography and Security

João Vidal Carvalho,Sandro Carvalho,Álvaro Rocha

DOI: https://doi.org/10.1007/s10586-020-03052-y

2020-01-22

Cluster Computing

Abstract:"Cyber-attacks can be more dangerous than guns and tanks". This statement was made by Junker in his speech in the EU "State of the Union" in 2017 and reflects the extreme importance of this phenomenon. The increasing variety of devices that can access to Internet has contributed to the overall growth of internet users, in all kinds of places and circumstances. These devices are now part of our lives and we use it for everything. As the number of devices and tasks that we do with it are growing, more prone we are to cyber-attacks. As well, as the number of user's victim of these attacks are increasing, the general concerns about cybercrime are growing too. The growing list of cybercrimes includes crimes that have been made possible by computers, such as network intrusions and the dissemination of computer viruses, as well as computer-based variations of existing crimes, such as identity theft and terrorism which have become as major problem to people and nations. In this context, the European Union is leading the effort to regulate the defence against cyber-threats in both normative/legal and strategic levels. This reality is also very present in Portugal, where there is a sense of lack of control and capacity to combat this kind of threats. In this article, we present the European Strategy and Legislation for Cybersecurity and how this strategy applies and involves Portugal.

Jörg Monar

DOI: https://doi.org/10.1111/j.1477-7053.2007.00225.x

2007-01-01

Government and Opposition

Abstract:Abstract On the basis of an analysis of the European Union's common definition of the post-9/11 terrorist threat, this article provides a critical assessment of the EU's response. The EU has arrived at a reasonably specific definition of the common threat that avoids simplistic reductions and is a response that is sufficiently multidimensional to address the different aspects – internal and external, legislative and operational, repressive and preventive – of this threat. Yet the definition is undermined by differences between national threat perceptions. The preference for instruments of cooperation and coordination rather than integration, and poor implementation are having a negative impact on the effectiveness of the common response, the legitimacy of which is also weakened by limited parliamentary and judicial control.

political science

Cuihong Cai

DOI: https://doi.org/10.1007/978-3-031-08384-6_13

2022-01-01

Abstract:This chapter focuses on the international cybersecurity cooperation dilemma. Cybersecurity is a common concern within the international community. With the breakneck development of the Internet, countries have gradually formed cooperation mainly involving models of international conferences, international organizations, and international treaties. Despite this, international cybersecurity cooperation is still insufficient, mainly due to fragmented mechanisms, poor effectiveness, and camp-based confrontations. From a realist point of view, these problems arise from objective factors such as differences in willingness, interests, and demands, amplified by gaps in strength, cost sharing, benefit distribution, and technical uncertainties. From the perspective of constructivism, there are also contributing factors such as misperceptions caused by stereotypes and misperceptions inherent to the characteristics of cyberspace. EU-South Korea cybersecurity cooperation should be open and inclusive to eliminate misperceptions, develop a tailor-made framework for cybersecurity cooperation, establish a dedicated cybersecurity cooperation mechanism, and pursue greater autonomy in the cyberspace of confrontation between camps. In their cooperation there is room for the EU and South Korea to play a greater role in cybersecurity.

Anton Didenko

DOI: https://doi.org/10.2139/ssrn.3533664

2020-01-01

SSRN Electronic Journal

Abstract:Over the past several years, the cybersecurity regulatory landscape has undergone unprecedented change. Bespoke cybersecurity laws and regulations have replaced pre-existing general risk management and business continuity rules in a number of jurisdictions, including the European Union, Hong Kong, Russia, the USA and Singapore. Cybersecurity has also become the focus of international rules and recommendations adopted by numerous international organisations. The financial sector lies at the centre of the new regulatory initiatives – which, in the absence of an agreed international approach, vary substantially across jurisdictions. This article analyses these emerging legal frameworks by (i) conducting a comparative study of the novel cybersecurity regulations in finance, (ii) identifying the common features of such frameworks and (iii) assessing the prospect of their harmonisation at an international level. It argues that international harmonisation in this area is necessary to overcome the underlying regulatory challenges and outlines the scope of rules amenable, first, to initial (de minimis) and, second, subsequent (more expansive) harmonisation. The article concludes with a list of main upcoming challenges in designing and harmonising cybersecurity regulations in finance and practical recommendations for overcoming them.

Sandra Schmitz-Berndt,Pier Giorgio Chiara

DOI: https://doi.org/10.1365/s43439-022-00058-7

2022-07-20

International Cybersecurity Law Review

Abstract:Abstract With the COVID-19 pandemic accelerating digital transformation of the Single Market, the European Commission also speeded up the review of the first piece of European Union (EU)-wide cybersecurity legislation, the NIS Directive. Originally foreseen for May 2021, the Commission presented the review as early as December 2020 together with a Proposal for a NIS2 Directive. Almost in parallel, some Member States strengthened (or adopted) national laws beyond the scope of the NIS Directive to respond adequately to the fast-paced digital threat landscape. Against this backdrop, the article investigates the national interventions in the field of cybersecurity recently adopted by Italy and Germany. In order to identify similarities and divergences of the Italian and German national frameworks with the European Commission’s Proposal for a NIS2 Directive, the analysis will focus on selected aspects extrapolated from the Commission Proposal, namely: i) the enlarged scope; ii) detailed cybersecurity risk-management measures; iii) more stringent supervisory measures; and, iv) stricter enforcement requirements, including harmonised sanctions across the EU. The article concludes that the national cybersecurity legal frameworks under scrutiny already match the core of the proposed changes envisaged by the NIS2 Proposal.

Tobias Liebetrau

DOI: https://doi.org/10.1111/jcms.13523

2023-09-22

Journal of Common Market Studies

Abstract:This article furthers the debate between European Studies and Critical Security Studies by demonstrating how European Union (EU) single market integration functions as a security practice in the area of cybersecurity. It explores how the EU has rendered digitisation as a security concern and cybersecurity emerged as an object of EU governance by developing an analytical approach based on problematisation. Situating the problematisation approach in the genealogical tradition of Foucault, it argues that it provides us with an analytical toolbox enabling inquiry into the conditions that make contemporary security problems possible, powerful and changeable. Tracing EU security problematisations of digitisation over four decades, it shows how the single market has come to function as a security practice and stresses the political implications of it. The final part of the article re‐problematises the findings to afford insights into how they can be rethought at the intersection of European Studies and Critical Security Studies.

Ivana Cesarec

DOI: https://doi.org/10.51381/adrs.v3i1.45

2020-11-17

Annals of Disaster Risk Sciences

Abstract:States, organizations and individuals are becoming targets of both individual and state-sponsored cyber-attacks, by those who recognize the impact of disrupting security systems and effect to people and governments. The energy sector is seen as one of the main targets of cyber-attacks against critical infrastructure, but transport, public sector services, telecommunications and critical (manufacturing) industries are also very vulnerable. One of most used example of cyber-attack is the Ukraine power grid attack in 2015 that left 230,000 people without power for up to 6 hours. Another most high profile example of a cyber-attack against critical infrastructure is the Stuxnet computer virus (first used on Iranian nuclear facility) which could be adapted to attack the SCADA systems (industrial control systems) used by many critical infrastructures in Europe.Wide range of critical infrastructure sectors are reliant on industrial control systems for monitoring processes and controlling physical devices (sensors, pumps, etc.) and for that reason, physical connected devices that support industrial processes are becoming more vulnerable. Not all critical infrastructure operators in all sectors are adequately prepared to manage protection (and raise resilience) effectively across both cyber and physical environments. Additionally there are few challenges in implementation of protection measures, such as lack of collaboration between private and public sector and low levels of awareness on existence of national key legislation.From supranational aspect, in relation to this papers topic, the European Union has took first step in defense to cyber threats in 2016 with „Directive on security of network and information systems“ (NIS Directive) by prescribing member states to adopt more rigid cyber-security standards. The aim of directive is to improve the deterrent and increase the EU’s defenses and reactions to cyber attacks by expanding the cyber security capacity, increasing collaboration at an EU level and introducing measures to prevent risk and handle cyber incidents. There are lot of other „supporting tools“ for Member States countries, such as European Union Agency for Network and Information Security – ENISA (which organize regular cyber security exercises at an EU level, including a large and comprehensive exercise every two years, raising preparedness of EU states); Network of National Coordination Centers and the European Cybersecurity Industrial, Technology and Research Competence Centre; and Coordinated response to major cyber security incidents and crises (Blueprint) with aim to ensure a rapid and coordinated response to large-scale cyber attacks by setting out suitable processes within the EU.Yet, not all Member States share the same capacities for achieving the highest level of cyber-security. They need to continuously work on enhancing the capability of defense against cyber threats as increased risk to state institutions information and communication systems but also the critical infrastructure objects. In Southeast Europe there are few additional challenges – some countries even don't have designated critical infrastructures (lower level of protection; lack of „clear vision“ of criticality) and critical infrastructures are only perceived through physical prism; non-EU countries are not obligated to follow requirements of European Union and its legislation, and there are interdependencies and transboundary cross-sector effects that needs to be taken in consideration. Critical infrastructure Protection (CIP) is the primary area of action, and for some of SEE countries (like the Republic of Croatia) the implementation of cyber security provisions just complements comprehensive activities which are focused on physical protection.This paper will analyze few segments of how SEE countries cope with new security challenges and on which level are they prepared for cyber-attacks and threats: 1. Which security mechanisms they use; 2. The existing legislation (Acts, Strategies, Plan of Action, etc.) related to cyber threats in correlation with strategic critical infrastructure protection documents. Analysis will have two perspectives: from EU member states and from non-EU member states point of view. Additionally, for EU member states it will be analyzed if there were any cyber security legislation before NIS directive that meets same aims. The aim of research is to have an overall picture of efforts in region regarding cyber-security as possibility for improvement thorough cooperation, organizational measures, etc. providing also some recommendations to reduce the gap in the level of cyber-security development with other regions of EU.

Yan Shevchenko

DOI: https://doi.org/10.31249/poln/2021.03.11

2021-01-01

Political science (RU)

Abstract:The European Union (EU) has been advocating a strategy to assert its digital sovereignty for a relatively long period of time. This attempt, however, runs up against a range of obvious problems and obstacles, such as a united Europe’s dependence on foreign technologies and services and the inadequacy of investments made to support its industrial policy (in particular in the digital sphere). The EU is trying to overcome these problems with an ambitious strategy, the “European strategy for data”, which will enable the Union to navigate in an international context characterized by a substantial lack of a global data governance system, but the efficiency and effectiveness of the strategy can only be assessed in a few years' time. According to the author of this paper’s point of view, to achieve its policy objectives, the EU must pay attention to safeguarding the competitiveness of its companies, pursuing policies that, in defending the right to privacy and security of European users, are clear and harmonized. At the same time, the EU must implement policies that are able to redistribute the wealth produced in the digital field, countering the current dangerous concentrations of wealth and power in the hands of a few oligopolistic companies.

Jukka Ruohonen

DOI: https://doi.org/10.1007/s11023-021-09566-7

IF: 5.339

2021-07-20

Minds and Machines

Abstract:Abstract This short theoretical and argumentative essay contributes to the ongoing deliberation about the so-called digitalfug sovereignty, as pursued particularly in the European Union (EU). Drawing from classical political science literature, the essay approaches the debate through paradoxes that arise from applying classical notions of sovereignty to the digital domain. With these paradoxes and a focus on the Peace of Westphalia in 1648, the essay develops a viewpoint distinct from the conventional territorial notion of sovereignty. Accordingly, the lesson from Westphalia has more to do with the capacity of a state to govern. It is also this capacity that is argued to enable the sovereignty of individuals within the digital realm. With this viewpoint, the essay further advances another, broader, and more pressing debate on politics and democracy in the digital era.

computer science, artificial intelligence

DOI: https://doi.org/10.26565/2075-1834-2020-29-38

2020-01-01

Abstract:The article is devoted to the research of legal and organizational principles of ensuring information security of states in the modern conditions of development of information society. Theoretical approaches to the definition of the essence of «information security» and «national security» are analyzed and their interrelation is proved. The urgency of the chosen topic of scientific research is caused by the fact that confrontation in the information sphere becomes a fundamentally new sphere of competition between the states. The rapid pace of development of information and communication technologies, creation of a global information space has led to many cybernetic threats in important spheres of political, economic, social and cultural life of society. The paper presents the results of the analysis of information security of the state as a factor of influence on the national security of the state as a whole, and thus defines information security as an integral part of national security. Given the magnitude of the global information challenge, the inability to address these issues through the efforts of individual states, the article explores the issue of international cooperation in providing international information security within the United Nations. The contents of the basic international legal acts adopted by the UN General Assembly, which indicate the threats to the international security of the information space and the need for the states to take joint action to counter the challenges in the field. Particular attention is paid to the peculiarities of regional cooperation of states in providing information security within the European Union. It is determined that this area of EU activity is one of the priorities for today. The main EU normative acts are analyzed, which present the European approach to the problem of information security. The general characteristics of the activities of the special bodies of the EU (European Union Agency for Network and Information Security - ENISA, European Cybercrime Centre), whose activities are aimed at providing information security, are given. The article explores the issues of guaranteeing information security of Ukraine and protection of the national information space. The types of real and potential information threats to the information space of Ukraine are revealed, as well as practical recommendations are given on improving the state information policy and creating an effective system of counteracting cyberspace threats. Emphasis is placed on the fact that state information policy should reflect urgent issues that have arisen in the international information and information security sphere. Effective implementation of strategic priorities, basic principles and tasks of the state information security policy requires improvement of legal and organizational mechanisms of information security management.

Alexandru Circiumaru

DOI: https://doi.org/10.2139/ssrn.3831815

2021-01-01

SSRN Electronic Journal

Abstract:Who gets to shape the future? This paper presents how the concept of ‘digital sovereignty’ arises as a response to this question while the transition into the digital age advances at pace. It subsequently focuses on the concept of ‘EU digital sovereignty’, which despite lacking a clear and precise definition, is evaluated through its three dimensions (1) EU and other states; (2) EU and non-state actors, in particular, Big Tech players and (3) EU citizens and the digital world. While the EU is yet to present reliable ways to measure its progress towards this goal, this paper argues that Artificial Intelligence and Competition Policy can be, and indeed already are, used to pursue the overarching goal of digital sovereignty. As the three key characteristics of EU digital sovereignty are autonomy, ability to influence, and protection of EU citizens’ self-determination online, an analysis of how legislative proposals in these fields, together with other acts of EU institutions and competition decisions, have and could continue to be used for these purposes

Kaspar Rosager Ludvigsen,Shishir Nagaraja

DOI: https://doi.org/10.48550/arXiv.2205.13196

2022-05-26

Abstract:Safety is becoming cybersecurity under most circumstances. This should be reflected in the Cybersecurity Resilience Act when it is proposed and agreed upon in the European Union. In this paper, we define a range of principles which this future Act should build upon, a structure and argue why it should be as broad as possible. It is based on what the cybersecurity research community for long have asked for, and on what constitutes clear hard legal rules instead of soft. Important areas such as cybersecurity should be taken seriously, by regulating it in the same way we see other types of critical infrastructure and physical structures, and be uncompromising and logical, to encompass the risks and potential for chaos which its ubiquitous nature entails. We find that principles which regulate cybersecurity systems' life-cycles in detail are needed, as is clearly stating what technology is being used, due to Kirkhoffs principle, and dismissing the idea of technosolutionism. Furthermore, carefully analysing risks is always necessary, but so is understanding when and how the systems manufacturers may fail or almost fail. We do this through the following principles: Ex ante and Ex post assessment, Safety and Security by Design, Denial of Obscurity, Dismissal of Infallibility, Systems Acknowledgement, Full Transparency, Movement towards a Zero-trust Security Model, Cybersecurity Resilience, Enforced Circular Risk Management, Dependability, Hazard Analysis and mitigation or limitation, liability, A Clear Reporting Regime, Enforcement of Certification and Standards, Mandated Verification of Security and Continuous Servicing. To this, we suggest that the Act employs similar authorities and mechanisms as the GDPR and create strong national authorities to coordinate inspection and enforcement in each Member State, with ENISA being the top and coordinating organ.

Computers and Society,Cryptography and Security

Ronan Hamon,Henrik Junklewitz,Josep Soler Garrido,Ignacio Sanchez

DOI: https://doi.org/10.1109/access.2024.3391021

IF: 3.9

2024-05-03

IEEE Access

Abstract:This article examines the interplay between artificial intelligence (AI) and cybersecurity in light of future regulatory requirements on the security of AI systems, specifically focusing on the robustness of high-risk AI systems against cyberattacks in the context of the European Union's AI Act. The paper identifies and analyses three challenges to achieve compliance of AI systems with the cybersecurity requirement: accounting for the diversity and the complexity of AI technologies, assessing AI-specific risks, and developing secure-by-design AI systems. The contribution of the article consists in providing an overview of AI cybersecurity practices and identifying gaps in current approaches to security conformity assessment for AI systems. Our analysis highlights the unique vulnerabilities present in AI systems and the absence of established cybersecurity practices tailored to these systems, and emphasises the need for continuous alignment between legal requirements and technological capabilities, acknowledging the necessity for further research and development to address the challenges. It concludes that comprehensive cybersecurity practices must evolve to accommodate the unique aspects of AI, with a collaborative effort from various sectors to ensure effective implementation and standardisation.

computer science, information systems,telecommunications,engineering, electrical & electronic

Paul Klumpes

DOI: https://doi.org/10.1057/s41288-023-00287-9

Abstract:The increasing threat of cyberattacks has resulted in increased efforts by both the U.K. government and regulatory authorities to coordinate efforts to influence cybersecurity risk management practices in the U.K. insurance sector, focusing on cyber risk underwriters. This paper provides an evaluation of these arrangements. It first provides a descriptive overview of the key U.K. regulatory authorities and the evolution of their efforts over the past decade, as well as the scope for broader collaborations with industry and member-based associations and international organisations. It then evaluates the effectiveness of these efforts by providing a multi-method study of the incidence, nature and evolution of cost of data breaches, investment in computer systems and software intangible assets at risk of cyberattack, and a content analysis of annual reports of both U.K. regulators and a sample of U.K. insurers. The findings suggest that while both the total costs of data breaches and the size of investment in computer systems and software intangibles at risk of cyberattack have gradually increased over time, the degree of engagement with cyber as a reporting issue by both cyber insurers and financial regulators has not. It is concluded that while these efforts have been apparently successful in avoiding a large-scale, systemic cyberattack on the U.K. insurance industry, there are significant gaps and overlaps in the system of cyber regulatory oversight.

G. Yu. Nikiporets-Takigawa,E. V. Buchnevb

DOI: https://doi.org/10.26794/2226-7867-2022-12-1-70-74

2022-02-09

Abstract:The development of information technologies and the widespread digitalisation of many life factors needs an individual’s information security in the digital space. Also, it indicates the need to develop a system of control over this space. This article discusses the main problems concerning the Russian national cybersecurity policy concept. The authors note that two multidirectional trends influence the implementation of the security policy and the protection of information resources and data. First, it is the lack of a clear definition of the Internet space and its boundaries in the legislative framework. Second, the significant interest of the public sector in the independence and security of this space from possible threats and attacks. The formation of the concept of national interest in the field of cybersecurity leads to the solution of several tasks at once, both in the internal domain of digital presence and in the international arena. The authors provide several fundamental terms that will be interesting and necessary for further research in this direction. We have drawn attention to the insufficient terminological elaboration of this topic.

Jukka Ruohonen

DOI: https://doi.org/10.48550/arXiv.2302.09942

2023-02-20

Computers and Society

Abstract:Access to online data has long been important for law enforcement agencies in their collection of electronic evidence and investigation of crimes. These activities have also long involved cross-border investigations and international cooperation between agencies and jurisdictions. However, technological advances such as cloud computing have complicated the investigations and cooperation arrangements. Therefore, several new laws have been passed and proposed both in the United States and the European Union for facilitating cross-border crime investigations in the context of cloud computing. These new laws and proposals have also brought many new legal challenges and controversies regarding extraterritoriality, data protection, privacy, and surveillance. With these challenges in mind and with a focus on Europe, this paper reviews the recent trends and policy initiatives for cross-border data access by law enforcement agencies.

Adejoke T. Odebade,Elhadj Benkhelifa

2023-03-24

Abstract:This study compares the National Cybersecurity Strategies (NCSSs) of publicly available documents of ten nations across Europe (United Kingdom, France, Lithuania, Estonia, Spain, and Norway), Asia-Pacific (Singapore and Australia), and the American region (the United States of America and Canada). The study observed that there is not a unified understanding of the term "Cybersecurity"; however, a common trajectory of the NCSSs shows that the fight against cybercrime is a joint effort among various stakeholders, hence the need for strong international cooperation. Using a comparative structure and an NCSS framework, the research finds similarities in protecting critical assets, commitment to research and development, and improved national and international collaboration. The study finds that the lack of a unified underlying cybersecurity framework leads to a disparity in the structure and contents of the strategies. The strengths and weaknesses of the NCSSs from the research can benefit countries planning to develop or update their cybersecurity strategies. The study gives recommendations that strategy developers can consider when developing an NCSS.

Computers and Society

Sara Ricci,Simon Parker,Jan Jerabek,Yianna Danidou,Argyro Chatzopoulou,Remi Badonnel,Imre Lendak,Vladimir Janout

DOI: https://doi.org/10.1109/te.2023.3340868

2024-01-01

IEEE Transactions on Education

Abstract:Demand for cybersecurity professionals from industry and institutions is high, driven by an increasing digitization of society and the growing range of potential targets for cyber attacks. However, despite this pressing need a significant shortfall in the number of cybersecurity experts remains and a discrepancy has emerged between the skills introduced through education and those required in professional settings. In this article, a political, economic, social, technological, legal, and environmental (PESTLE) analysis was utilized to explore the factors impacting cybersecurity education in Europe. The PESTLE analysis enabled the categorization of factors affecting cybersecurty education and skills and allowed for cybersecurity professionals to assess the relevance of the factors at a national-level and European-level. Utilizing the concept of modularity from social network analysis, the interconnectivity of factors was also considered. Finally, a European-level stakeholder survey was conducted to verify the findings. As a result of the above process, a lack of societal awareness of cybersecurity was identified as a major challenge to education, along with a lack of EU-level certification. It should be noted that significant differences between factors perceived as impacting cybersecurity education were found between countries suggesting a need for local solutions to the problem.

engineering, electrical & electronic,education, scientific disciplines