Title: New Cybersecurity Requirements for Medical Devices in the EU: The Forthcoming European Health Data Space, Data Act, and Artificial Intelligence Act
Participants: Elisabetta Biasin, Erik Kamenjasevic
Abstract: The regulation of cybersecurity for medical devices keeps evolving in the European Union (EU). In the past few years, new pieces of legislation have been added to the initial framework for medical device cybersecurity, including the Medical Device Regulation, the General Data Protection Regulation and the Cybersecurity Act. The Artificial Intelligence Act, the European Health Data Space Regulation and the Data Act are forthcoming laws that contain cybersecurity-related requirements applicable to medical devices. This article examines the requirements stemming from each of these, as well as their role vis-a-vis the existing legal framework. We observe that despite being comprehensive and wide ranging in their changes, these new regulations may be inadequate for the task of ensuring the cybersecurity of medical devices. In our view, this approach by the EU legislature is inadequate because it fails to foresee cybersecurity requirements in a way that is truly linked with the already existing cybersecurity laws. To help address this problem, the article offers a set of workable recommendations that EU legislators would be well advised to take on board in respect of specific regulations, as well as in general, when establishing cybersecurity-related requirements.

Title: Misaligned Union laws? A comparative analysis of private law instruments in the Cybersecurity Act and the General Data Protection Regulation
Abstract: In 2019, the Cybersecurity Act, the EU law aiming to achieve a high level of cybersecurity in the Union and Member States, entered into force. The CSA belongs to a broader set of Union laws providing a framework of legal protection of individual and collective rights from harmful use of information and communication technologies. Those laws introduce private law instruments for the achievement of legislative goals. Despite the overarching similarities of the regulated fields, the Union legislator adopted seemingly different approaches in introducing private law instruments. The Chapter seeks to comparatively present the certification frameworks as introduced in the Cybersecurity Act and the General Data Protection Regulation, with the aim to provide an understanding of the legislative choices and the normative, implementation and policy reasons underpinning the introduction of private law instruments in Union laws.

Title: The Cybersecurity Obligations of States Perceived as Platforms: Are Current European National Cybersecurity Strategies Enough?
Participants: Vagelis Papakonstantinou
Abstract: Cybersecurity is a relatively recent addition to the list of preoccupations for modern states. The forceful emergence of the internet and computer networks and their subsequent prevalence quickly brought this to the fore. By now, it is inconceivable that modern administrations, whether public or private, can exist entirely outside the digital realm. Nevertheless, with great opportunities also comes great risk. Attacks against computer systems quickly evolved from marginalised incidents to matters of state concern. The exponential increase in the importance of cybersecurity over the past few years has led to a multi-level response. New policies, followed by relevant laws and regulations, have been introduced at national and international levels. While modern states have therefore been compelled to devise concrete cybersecurity strategies in response to potential threats, the most notable aspect of these strategies is their resemblance to one another. Such uniform thinking could develop into a risk per se: challenges may appear unexpectedly, given the dynamic nature of the internet and the multitude of actors and sources of risk, which could put common knowledge, or what may be called conventional wisdom, to the test at a stage where the scope for response is limited. This paper builds upon the idea of national states being perceived as platforms within the contemporary digital and regulatory environment. Platforms are in this context information structures or systems, whereby the primary role of states acting as platforms is that of an information broker for its citizens or subjects. This role takes precedence even over the fundamental obligation of states to provide security; it calls upon them first to co-create (basic) personal data, and then to safely store and further transmit such data. Once the key concept of states as platforms has been elaborated in section 2, this paper then presents the concrete consequences of this approach within the cybersecurity field. In section 3, former off-line practices for safely storing personal information, undertaken by states within their role as platforms, are contrasted with the challenges posed by the digitisation of information. The focus is then turned in section 4 to the EU, and the NIS Directive’s obligation upon Member States to introduce and implement national cybersecurity strategies, which are therefore examined under the lens introduced in section 2. Finally, specific points for improvement and relevant recommendations for these cybersecurity strategies are presented in section 5.

Title: Tackling cybersecurity challenges in the energy and water sectors in the context of the cybersecurity and sectoral regulatory frameworks: the case of smart metering systems in the new digitalised environment
Participants: Dimitra Markopoulou
Abstract: Critical Infrastructures (CIs) are the backbone of our societal and economic activities. Safeguarding their uninterrupted operation and keeping them safe against different types of threats, from natural disasters to human-induced acts, is of the essence. This analysis focuses on the energy sector mostly and the water sector secondarily, as these two sectors are among the CIs that have mainly suffered the consequences of cyber incidents. In this context, the paper examines the applicability of the EU cybersecurity regulatory framework in the energy (including both electricity and gas) and the water sectors, as well as the sector-specific initiatives that have been adopted so far to tackle the cybersecurity challenges the two sectors face. Given the expansive deployment of smart technologies and devices in both sectors, the regulatory regime of smart meters and the complications that are associated with their installation and use in terms of privacy and security of the collected data is examined separately. Finally, the analysis attempts to shed some light on the shortcomings of the existing legal framework and to contribute to its further effectiveness by suggesting further steps that could potentially help make the energy and water sectors more cyber resilient in the new threat landscape.

Title: Cybersecurity of Medical Devices. Regulatory challenges in the EU
Participants: Elisabetta Biasin, Erik Kamenjasevic
Abstract: Over the last decade, the number of connected-to-network medical devices significantly grew, which has led to their increased exposure to cyber incidents and attacks. The increasing digitalisation of healthcare service providers has enabled cyber-attack techniques towards them to become more liquid, flexible, and able to exploit all the possible paths of entry rapidly. Medical devices’ cybersecurity is currently a topic of utmost relevance all over the world. In the last years, regulators have provided guidance on medical device cybersecurity, including in the European Union (EU). The EU legal framework on healthcare cybersecurity – including medical devices law – however, is heavily characterised by specialisation, which may exacerbate complexity in medical device cybersecurity regulation. This book chapter assesses the level of maturity of the EU medical devices legal framework, in the light of the EU cybersecurity policy objectives and having regard to the complexity aspects inherently characterising the healthcare sector. First, it outlines the core cybersecurity-related elements in the EU Medical Devices Regulation (MDR) and offers critical remarks on the Medical Device Coordination Group Guidance on medical device cybersecurity. Secondly, the book chapter illustrates other relevant pieces of EU legislation becoming relevant to medical devices’ cybersecurity (the NIS Directive, the Cybersecurity Act, the GDPR, the Radio Equipment Directive), and it propounds critical remarks concerning the possible regulatory challenges stemming from these. The analysis finds that regulatory challenges persist due to regulatory specialisation, possibly leading to regulatory overlapping, fragmentation risks, regulatory uncertainty and duplication. In its final section, the book chapter provides recommendations for lawmakers and regulators dealing with the cybersecurity of medical devices in the EU.

Title: The new EU cybersecurity framework
Participants: Dimitra Markopoulou, Vagelis Papakonstantinou, Paul De Hert
Abstract: The NIS Directive is the first horizontal legislation undertaken at EU level for the protection of network and information systems across the Union. During the last decades, e-services, new technologies, information systems and networks have become embedded in our daily lives. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures constitute a serious threat to their operation and consequently to the functioning of the Internal Market and the Union. This paper first discusses the Directive's addressees, particularly with regard to their compliance obligations, as well as Member States’ obligations as regards their respective national strategies and cooperation at EU level. Subsequently, the critical role of ENISA in implementing the Directive, as reinforced by the proposal for a new Regulation on ENISA (the EU Cybersecurity Act), is brought forward, before elaborating upon the, inevitable, relationship of the NIS Directive with the EU's General Data Protection Regulation.

Title: Cybersecurity as praxis and as a state
Participants: Vagelis Papakonstantinou
Abstract: The end of the second decade of the 21st century has been the best of times for EU's cybersecurity law and policy: Its NIS Directive has been transposed into all Member States’ national law, creating a new administrative structure at EU and Member State level and mandating relevant policies and strategies to update and harmonise those that were already in place. Its Cybersecurity Act of 2019 incorporated the EU Agency for Cybersecurity (ENISA), and promises to install a new European cybersecurity certification scheme. To support policy with funding, large sums of research money have been spent on the development of cybersecurity tools and the relevant framework. However, EU's significant regulatory activity is faced with substantial difficulties. While cybersecurity concerns are placed high on the list of issues that worry Europeans, making a regulatory response pressing, the cybersecurity theoretical framework is far from concluded: Difficulties start as early as when attempting to define the term, ultimately divulging a lack of common understanding. Different actors understand cybersecurity differently under different circumstances. A distinction that could perhaps prove useful in creating clarity as to its exact meaning would distinguish between cybersecurity as praxis and cybersecurity as a state. Cybersecurity as praxis would then be understood as the activities and measures that need to be undertaken in order to accomplish cybersecurity's aims and objectives. Accordingly, cybersecurity as a state would mean the condition that is achieved once cybersecurity as praxis has succeeded; within cybersecurity as a state, persons need to be protected against any cyber threat. A distinction between cybersecurity as praxis and cybersecurity as a state would not only be useful in delineating the term's content but could also constitute the necessary theoretical groundwork for development, ultimately, of a new right to cybersecurity. EU law has already taken positive steps towards acknowledgement of a new right to cybersecurity. However, a lot more needs to be done; past progress needs to be continued and updated. A conceivable next step could take the form of formal acknowledgement of such a new right in EU law, in a future amendment of the Act's provisions or otherwise.

Title: European Commission Proposes Stricter, More Encompassing Cybersecurity Obligations for Companies
Participants: Patrick Van Eecke
Abstract: The last months of 2020 saw impressive legislative activity by the European Commission, as it rolled out proposals for several regulations (namely, the Data Governance Act, the Digital Services Act and the Digital Markets Act), as well as proposed new Standard Contractual Clauses for international data transfers (expected to be adopted by April 2021), and also dealt with issues affecting data transfers to the UK due to Brexit. Amongst all of this, it would have been easy to miss a very important update in the field of cybersecurity – the proposal for a Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS2 Directive), presented on December 16, 2020.

Title: Filling Global Governance Gaps in Cybersecurity: International and European Legal Perspectives
Participants: Anne Verhelst, Jan Wouters
Abstract: The many recent cyber incidents have shown how cybersecurity has entered the realm of international relations. Several international organizations have taken cybersecurity policy initiatives, notably the United Nations (UN) and the European Union (EU). Both organizations aspire to a leading role in enhancing cybersecurity resilience. To date, however, these initiatives have not resulted in much regulation. This article examines which factors make lawmaking and the regulation of cybersecurity difficult at the international level, and whether some of these impediments are shared at the EU legislative level. Are difficulties in regulating cybersecurity embedded in the normative processes at the UN or the EU, or are they inherent to the high-tech phenomenon of cyber? As for the UN, the article looks at the work of the UN Group of Governmental Experts (GGE). While previous reports of the UN GGE seemed to point to an emerging international opinio juris, recent developments in the UN General Assembly (UNGA) show a strongly divided international community. At the EU level, the article discusses the two main legislative initiatives on cybersecurity that have seen the light of day: the 2016 Directive on Network and Information Security and the 2019 Regulation on the EU Cybersecurity Act.