It’s week 2 of the EU and Global Cybersecurity Fundamentals course within the Advanced Master in Privacy, Cybersecurity and Data Management LLM we created at ECPC! Today I will lecture on the EU cybersecurity legal framework live from Dakar, Senegal, where I am lecturing in the Data Protection Officer (DPO) Humanitarian Action Certificate course. Specifically, we will explore the intricacies of the European Cybersecurity Strategy, the Network and Information Security (NIS) Directive, the NIS2 proposal, and the Cybersecurity Act. Significant attention will be given to the role of ENISA in the context of both the current and forthcoming NIS Directives and the Cybersecurity Act.
Together we will look at the EU Cybersecurity Strategy, exploring how the EU can harness and strengthen all its tools and resources in support of the goal of reaching technological sovereignty and furthering cooperation with like-minded partners around the world to promote the values of democracy, rule of law and human rights. The three major objectives of the Strategy will be touched upon, namely:
- Resilience, technological sovereignty and leadership;
- Building operational capacity to prevent, deter and respond;
- Advancing a global and open cyberspace through increased cooperation.
We will then move on to explore the NIS Directive, the first important piece of cybersecurity legislation applicable throughout Europe, considered to be the primary anchor for EU cybersecurity architecture. As you likely already know, the GDPR focuses on the rights of the data subjects and the obligations of relevant actors in processing activities. The NIS Directive, on the other hand, concerns the national critical infrastructure of Member States and focuses on the main economic sectors.
We will then examine the requirements included in the proposal for NIS2, which should help resolve the deficiencies of the current NIS Directive. For example, we will look at the obligations of EU Member States in terms of establishing cybersecurity frameworks, the designation of CSIRTs, cybersecurity risk management and reporting obligations, cooperation, information sharing, jurisdiction, supervision and enforcement, interactions with other legislation, and the role of ENISA under the proposal.
The second half of the lecture will focus on the Cybersecurity Act, which makes ENISA (the Agency) stronger. In fact, the EU Cybersecurity Act grants a permanent mandate to the Agency and gives it more resources and new tasks. ENISA will have a key role in setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes, which we will also touch on.
Finally, we will expand on the concepts of “security by design” and “security by default”, which are part of the first Principle of the Maastricht Data Protection as Corporate Social Responsibility Framework (see here).