European Union Regulations
The European Union (EU) has been actively progressing with the development, adoption and/or implementation of legislation to tackle the increasing threats of cyberattacks. This also includes cyber threats such as disinformation and harmful content online, and cyber espionage. The EU also works on regulating emerging and disruptive technologies such as Artificial Intelligence (AI).
The large number of policies and new norms that this elicits raises a number of challenges, notably the:
- potential new risks created;
- impact on the open and free nature of the Internet;
- complexity of navigating legal language and new norms;
- capacity of EU member states to implement and enforce new rules at the national level;
- effectiveness of the rules in actually shielding people targeted by the malicious use of technology.
As an independent and neutral organisation, the CyberPeace Institute’s voice is important in bringing evidence-based insights and recommendations on EU policy.
EU Regulatory Ecosystem
General Data Protection Regulation, May 2018 – Data Protection Regulation ensuring the privacy and rights of individuals’ data.
ePrivacy Regulation (to replace ePrivacy Directive), Expected by 2023 – Regulation to protect electronic communications data and privacy (this focuses on cookies and other tracking technologies).
Data Act, Expected by 2023 – Rules on fair access to and use of data generated by the use of a product or related services.
NIS/NIS2 Directives, 6 July 2016 & 16 January 2023 – Enhancement of the security of network and information systems across the EU.
Cybersecurity Act, April 2019 – Framework for cybersecurity certification of products, processes and services.
Cyber Resilience Act, In deliberation at the EU Parliament and Council – Mandatory cybersecurity requirements for hardware and software products, throughout their whole lifecycle.
AI Act, expected late 2025 / early 2026 – Policies addressing the ethical and security aspects of artificial intelligence.
5G Security Toolbox, January 2020 – Measures to secure 5G networks against potential cyber threats.
Digital Services Act (DSA) & Digital Market Act (DMA), November 2022 – New rules for digital platforms and content moderation to safeguard fundamental rights and strengthen fair competition and innovation.
EU Cyber Diplomacy Toolbox, 2017 – Policy for responding to malicious cyber activities and ensuring a rules-based cyberspace.
Trans-Atlantic Data Privacy Framework (replacing the EU-US Privacy Shield), July 2023 – Agreements for cross-border data transfers with adequate privacy protections.
EU Cyber Solidarity Act, Draft of April 2023 currently under negotiation – Protection of critical and highly critical sectors, through the improvement of preparedness, detection and response to cybersecurity incidents across the EU.
E-Evidence Directive & Regulation, August 2023 – New rules on cross-border access to electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings.
Terrorist content online, April 2021 – Applies to hosting service providers offering services in the Union, irrespective of their place of main establishment, insofar as they disseminate information to the public.
Our Approach
We emphasize evidence-based policies, drawing on in-house analysis and investigations of the harmful use of digital technology. This also includes our direct assistance and support to non-governmental organisations (NGOs) and vulnerable communities affected by the malicious use of technologies.
We analyse specific themes and issues and determine how they are addressed by the EU regulatory ecosystem so that we can share actionable observations and recommendations.
This is our current focus:
- The impact of technology on human vulnerability: We analyse issues and the impact linked to transparency and vulnerability disclosure, due diligence and corporate responsibility, and the targeting of vulnerable groups by threat actors.
- Human Harm and Accountability: We recognise the criticality of monitoring the malicious use of technology and documenting the resulting human harms and impact in order to effectively prevent its misuse. This contributes to building an accountability culture. We advocate for the inclusion in EU policy of elements that will support crucial processes, such as cyber incident tracing and human harm monitoring.
- Open Source: We believe that Open Source development enables transdisciplinary research and experimentation. It also contributes to creating a secure, open, interoperable, and unrestricted internet. We posit that new EU rules for centralising auditing and increasing transparency in the Open Source ecosystem may lead to a fragmented community, which could hinder important projects, and we raise awareness of these concerns.
We assess good practice in the implementation of EU regulations and consider its evolution and development in order to determine effective implementation.
We examine existing EU mechanisms set up to respond to malicious cyber activities and strengthen the resilience of the EU population and EU Member States, such as the EU Cyber Diplomacy Toolbox. We engage to provide our observations and recommendations.
Our Actions
September 2023 – Workshop for the European Parliament’s Subcommittee on Security and Defence (SEDE) on The role of cyber in the Russian war against Ukraine: Its impact and the consequences for the future of armed conflict
June 2023 to 31 May 2025 – Empowering EU law enforcement agencies to support humanitarian actors
Since January 2022 – Monitoring the impact on critical infrastructure of cyber attacks and operations in the context of the war in Ukraine
2020 to 2022 – Monitoring cyberattacks against the healthcare sector and their impact on people
2023 – Engagement with Paris Peace Forum and Paris Call on the Action Plan 2023-2027 initiative and co-chairing the cyber mercenaries track
July 2022 – EU Corporate Sustainability Due Diligence Directive, Spyware: European Policy Brief
June 2022 – Leading a working group at the European Cyber Agora on the role of civil society in monitoring the proliferation of intrusive technologies
September 2023 – CyberPeace Institute’s Approach to Responsible Use of Artificial Intelligence
July 2023 – Generative AI and Cybersecurity