The EU Cybersecurity Framework: An evaluation of the Framework’s approach in tackling cyberattacks

Abstract

The EU Cybersecurity Framework counts with numerous regulatory instruments intended to handle cybersecurity incidents. Cybersecurity incidents can be considered as events capable of disrupting the ordinary digital appliances of services and activities, thus undermining the protection of confidentiality, integrity, and availability of data. In that case, a cyber incident may be related to breaches of personal data, cyber-attacks, or any other mishaps that compromise data assets. However, the legislation intended to tackle cybersecurity incidents is deemed to face the challenges proposed by the continuous developments in technology. That is because such developments also result in the fact that the risks and threats faced by data assets are continuously changing. Consequently, the legal Framework is required to find ways to keep itself up to date with technological advances. Arguably, the traditional legal approach, consisting of creating a checklist of requirements that must be fulfilled, may not be flexible enough to accommodate circumstances unknown at the point in time such legislation would have been established. Therefore, the lack of flexibility could result in diminishing adequacy and efficiency of such an approach. The cybersecurity legal framework must find ways to incentivize the adoption of approaches that befit, in the most optimal manner, the current and evolving cyber threats. In this case, such a framework would require the adoption of a risk-based approach that incentivizes its stakeholders to implement measures perhaps beyond the ones stated in the regulatory instruments as part of their general obligations. Under this scenario, the present master thesis intends to research the adequacy and efficiency in tackling cyber incidents of such a risk-based approach adopted under the current European Cybersecurity Framework.