4. Cybersecurity and its legal regulation

Efforts to address cybersecurity have been made since the very beginning of the use of information and communication technologies. Gradually, recommendations, standards and technical norms were adopted in this area, usually defining the minimum requirements that guarantee a certain level of security.

There are many reasons for the introduction and implementation of cybersecurity. The most common include, for example, negative economic consequences in the case of a successful cyberattack where sensitive data are stolen. A successful cyberattack can also compromise an organisation’s own operations and functioning, for example, by restricting access to computer systems or data through ransomware. Another reason for the introduction of cybersecurity may also be the loss of credibility of an attacked organisation, etc.

The last, but not least important, reason for the implementation of cybersecurity is to abide by legal regulations and the rights and obligations arising from them. For many entities this legislative reason stems from the Cybersecurity Act, but it is wrong to assume that this is the only legal norm related to the issue of cybersecurity.

In recent years in particular, there has been a massive increase in legislation, primarily international, that specifically focuses on the activities of entities (individuals, legal entities, states and other organisations) in cyberspace.

The field of cybersecurity differs significantly from other areas where standard security principles are applied in the real world. The difference lies mainly in the dynamic development and rapid change of cyberattacks and threats (most threats in the real world remain relatively constant), which can create certain problems for legislation. Legal regulation in this area must, on the one hand, be general enough to respond effectively to specific negative cyber phenomena without the need to define each of them in detail, but on the other hand, it must not be so vague that it infringes on the rights and legitimate interests of individuals to a greater extent than is strictly necessary.

Before the actual analysis of the existing valid and effective legislation in the field of cybersecurity, it should be noted that, within the European Union and beyond, there is a clear effort to implement more effective legal instruments that would improve the quality of cybersecurity and allow an adequate response to cyber threats and attacks. At present, inconsistencies and shortcomings in the legal norms of EU Member States and of other states that have decided to participate actively in building cybersecurity are gradually being eliminated.

“Methods of protection of data and information systems are the subject of many scientific studies today. However, without a legal basis, the technical protection of these systems and data may be ineffective due to the unclear definition of how far it is possible to go with such protection. In this context, the inconsistency of the legal regulations of individual states with the legal regulations of other states is fully manifested. Due to the development of computer and information technologies, which illustrate the international nature of cybercrime, effective protection of computer systems and data is unthinkable without the existence of an international or transnational legal framework, both among EU Member States and worldwide.”[1]

This chapter will address the legislative framework for cybersecurity in the EU and the partner countries participating in the Erasmus+ project.


[1] KOLOUCH, Jan and Petr VOLEVECKÝ. Trestněprávní ochrana před kybernetickou kriminalitou. Prague: Police Academy of the Czech Republic in Prague, 2013, p. 65.