24 February 2020
The European Paradigm of Personal Data and Cybersecurity Regulations
Reinforcing cybersecurity is a primary goal for Europe, but, from a legal standpoint, this result is not achievable through general regulation. Starting from the assumption that in Europe several acts contribute to defining the cybersecurity legal framework, it is necessary to identify the various provisions which contribute to creating this legal and IT framework.
These legal requirements – such as those defined in the GDPR, the ePrivacy Regulation proposal, PSD2, eIDAS and the NIS Directive – entail the adoption of specific technical and organisational solutions which foster cybersecurity in Europe and make the EU a unique context for the development of data protection and cybersecurity-oriented technologies and practices.
A significant part of the analysis carried out in our research was therefore driven by defining the common security and data protection building blocks which characterise the EU regulatory patchwork. In this light, two of the main outcomes of the task concerning the legal and regulatory requirements are:
- an overview of the potential overlaps between the existing legal obligations in the field of cybersecurity (e.g. notifications, certifications); and
- the outline of a general, comprehensive and cross-cutting map of the legal obligations and procedures concerning cybersecurity.
The results of the comparison highlight that the GDPR, as well as the other regulations, provides a general framework, outlining the main principles for the use of data, also in terms of data security. In this sense, the general principles – such as data minimization, storage limitation and data confidentiality, that are defined and stated in this regulation – shape the entire regulatory framework.
This common core has been defined through five main pillars, based on the obligations laid down in different articles of the GDPR, PSD2, eIDAS and the NIS Directive:
- Risk-based approach: basically an operational and security risk management framework, including adequate technical measures [1]
- By-design approach: secure technologies by design and by default must be provided [2]
- Reporting obligations: specific procedures for reporting must be adopted [3]
- Resilience: developing response and recovery plans is required by law [4]
- Certification schemes: ad hoc certification schemes have been provided for by law [5]
In the light of the above, all the legal provisions mentioned, explicitly or implicitly, require the development of specific technologies for cybersecurity and data security. The framework provided by these different legal sources is not a patchwork, but a coordinated, harmonious model, in which similar technologies are required by different regulations to address issues related to the common core of these regulations.
This uniformity demonstrates the coherence that guides the whole approach adopted by the EU legislators in the field of data protection and cybersecurity, and undoubtedly provides a clear and unique framework for the development of a roadmap for the implementation of the Network of Cybersecurity Competence Centres.
Alessandro Mantelero, POLITO
[1] Article 32.1.d GDPR; articles 95.1 and 97 PSD2; article 19 eIDAS; ePrivacy; recital 49 and articles 14.1, 14.2, 16.1 and 16.2 NIS Directive
[2] Recital 78 and article 25 GDPR; recital 89 PSD2; article 12.3.c eIDAS
[3] Recitals 85, 86, 87 and articles 33, 34 GDPR; articles 96 and 5.1.f PSD2; article 19.2 eIDAS; articles 9.4, 14.3, 14.4, 16.3 and 16.4 NIS Directive
[4] Articles 32.1.b and 32.1.c GDPR; article 5.1.h PSD2; articles 10.3, 24.2.h and 24.2.i eIDAS; recital 69 and articles 14.2, 16.1.c NIS Directive
[5] Articles 40 and 42 GDPR; article 95.3 PSD2; recitals 44 and 55 eIDAS