European Union Regulations
The European Union (EU) has been actively progressing with the development, adoption and/or implementation of legislation to tackle the increasing threats of cyberattacks. This also includes cyber threats such as disinformation and harmful content online, and cyber espionage. The EU also works on regulating emerging and disruptive technologies such as Artificial Intelligence (AI).
The large number of policies and new norms that this elicits raises a number of challenges, notably the:
As an independent and neutral organisation, the CyberPeace Institute’s voice is important in bringing evidence-based insights and recommendations on EU policy.
EU Regulatory Ecosystem
General Data Protection Regulation, May 2018 – Data Protection Regulation ensuring the privacy and rights of individuals’ data.
ePrivacy Regulation (to replace ePrivacy Directive), Expected by 2023 – Regulation to protect electronic communications data and privacy (this focuses on cookies and other tracking technologies).
Data Act, Expected by 2023 – Rules on fair access to and use of data generated by the use of a product or related services.
NIS/NIS2 Directives, 6 July 2016 & 16 January 2023 – Enhancement of the security of network and information systems across the EU.
Cybersecurity Act, April 2019 – Framework for cybersecurity certification of products, processes and services.
Cyber Resilience Act, In deliberation at the EU Parliament and Council – Mandatory cybersecurity requirements for hardware and software products, throughout their whole lifecycle.
AI Act, expected late 2025 / early 2026 – Policies addressing the ethical and security aspects of artificial intelligence.
5G Security Toolbox, January 2020 – Measures to secure 5G networks against potential cyber threats.
Digital Services Act (DSA) & Digital Market Act (DMA), November 2022 – New rules for digital platforms and content moderation to safeguard fundamental rights, strenghten fair competition, innovation.
EU Cyber Diplomacy Toolbox, 2017 – Policy for responding to malicious cyber activities and ensuring a rules-based cyberspace.
Trans-Atlantic Data Privacy Framework (replacing the EU-US Privacy Shield), July 2023 – Agreements for cross-border data transfers with adequate privacy protections.
EU Cyber Solidarity Act, Draft of April 2023 currently under negotiation – Protection of critical and highly critical sectors, through the improvement of preparedness, detection and response to cybersecurity incidents across the EU.
E-Evidence Directive & Regulation, August 2023 – New rules on cross border access to electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings
Terrorist content online, April 2021 – Hosting service providers offering services in the Union, irrespective of their place of main establishment, insofar as they disseminate information to the public
We emphasize evidence-based policies, drawing on in-house analysis and investigations of the harmful use of digital technology. This also includes our direct assistance and support to non-governmental organisations (NGOs) and vulnerable communities affected by the malicious use of technologies.
We analyse specific themes and issues and determine how they are addressed by the EU regulatory ecosystem so that we can share actionable observations and recommendations.
This is our current focus:
- The impact of technology on human vulnerability: We analyse issues and the impact linked to transparency and vulnerability disclosure, due diligence and corporate responsibility, and the targeting of vulnerable groups by threat actors.
- Human Harm and Accountability: We recognise the criticality of monitoring the malicious use of technology and documenting the resulting human harms and impact to effectively prevent their misuse. This contributes to building an accountability culture. We engage for the inclusion of elements in EU policy that will support crucial processes. This includes elements such as cyber incident tracing and human harm monitoring.
- Open Source: We believe that Open Source development enables transdisciplinary research and experimentation. It also contributes to creating a secure, open, interoperable, and unrestricted internet. We posit that new EU rules for centralising auditing and increasing transparency in the Open Source ecosystem may lead to a fragmented community. This could hinder important projects, and raise awareness of these concerns.
We assess good practice in the implementation of EU regulations, consider its evolution and development in order to determine effective implementation.
We examine existing EU mechanisms set up to respond to malicious cyber activities and strengthen the resilience of the EU population and EU Member States, such as the EU Cyber Diplomacy Toolbox. We engage to provide our observations and recommendations.