Cybersecurity and Data Protection in European Union Policies and Rules: The NIS Directive and the GDPR Synergy*

Miriam Viggiano

SUMMARY: 1. Introduction. - 2. Data Protection and Cybersecurity. - 3. Security of Network and Information Systems in EU Policies. - 4. Security of Personal Data Processing. - 5. Conclusion.

1. Introduction

In the information society, where technology has completely changed our lives, the news of recent terrorist attacks and the constant threat to stability and peace force us to consider the issue in relation to the reliability and security of all (national and cross-border) network and information systems and services. They are essential to our society and affect us all, individually and collectively, in commercial, professional, business and economic trends and practices, in an ever more globalised world.

At the 2019 Cyber Defence Pledge Conference, the NATO Secretary General pointed out with concern that ‘Cyber-attacks are becoming more frequent, more complex and more destructive. From low-level attempts to technologically sophisticated attacks. They come from states, and non-state actors. From close to home and from very far away’, adding that ‘Cyber-attacks can be as damaging as conventional attacks’, because of the fact that a ‘single attack can inflict billions of dollars’ worth of damage to our economies, bring global companies to a standstill, paralyse our critical infrastructure, undermine our democracies and have a crippling impact on military capabilities’.[1]

Against this background, it is very important to remember that in 2010, in the US National Security Strategy, under the Barack Obama government, the objective of ‘Strengthening Partnership’ and implementing the necessary programmes was to be based on the active participation of all the competent institutional bodies (public and private) at national and supranational level, and ‘the development of norms for acceptable conduct in cyberspace; laws concerning cybercrime, data preservation, protection, and privacy’ were highly recommended.[2]

Consequently, cybersecurity, privacy and data protection issues are all bound up with the protection of fundamental rights. The objective of this chapter is to analyse the related key policies outside the US, at the European Union (EU) level, with reference to EU official documents and legal acts.

  • * All views expressed in this chapter are personal and do not represent the views of the Authority where the Author is currently employed.
  • [1] NATO, Secretary General Jens Stoltenberg, keynote speech at the Cyber Defence Pledge Conference, London, on NATO’s adaptation to cyber threats, 23 May 2019, opinions_166039.htm.
  • [2] National Security Strategy, Barack Obama government, May 2010, 28, where it is indicated that ‘Neither government nor the private sector nor individual citizens can meet this challenge alone - we will expand the ways we work together. [...] We will work with all the key players - including all levels of government and the private sector, nationally and internationally - to investigate cyber intrusion and to ensure an organized and unified response to future cyber incidents. Just as we do for natural disasters, we have to have plans and resources in place beforehand’. See also National Security Strategy, Barack Obama government, February 2015; National Security Strategy, Donald Trump government, December 2017. See also: N.A. Sales, ‘Regulating Cybersecurity’ (2013) 107 Nw. U. L. Rev. 1503; D. Thaw, ‘The Efficacy of Cybersecurity Regulation’ (2014) 30 Ga. St. U. L. Rev. 287; S.J. Shackelford and A.N. Craig, ‘Beyond the New Digital Divide: Analyzing the Evolving Role of National Governments in Internet Governance and Enhancing Cybersecurity’ (2014) 50 Stan. J. Int’l L. 119; S.J. Shackelford, A.A. Proia, Brenton Martell and A.N. Craig, ‘Toward a Global Cybersecurity Standard of Care: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices’ (2015) 50 Tex. Int’l L.J. 305; N.G. Susskind, ‘Cybersecurity Compliance and Risk Management Strategies: What Directors, Officers, and Managers Need to Know’ (2015) 11 N.Y.U. J.L. & Bus. 573; S.Y. Peng, ‘Private Cybersecurity Standards: Cyberspace Governance, Multistakeholderism, and the (Ir)Relevance of the TBT Regime’ (2018) 51 Cornell Int’l L.J. 445; W. Pierotti, ‘Cyber Babel: Finding the Lingua Franca in Cybersecurity Regulation’ (2018) 87 Fordham L. Rev. 405.
  • [2] For an understanding of ‘cybersecurity’ see: European Union Agency for Network and Information Security (ENISA), Definition of Cybersecurity: Gaps and Overlaps in Standardisation, December 2015.
  • [3] According to article 4, para. 1, point 1, GDPR, ‘personal data’ is ‘any information relating to an identified or identifiable natural person (‘data subject’)’ and ‘an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
  • [4] There is not enough space in this chapter to examine this issue further. However, for many of the related problems and bibliographical references see: Rosario Serra Cristobal, ‘Processing Personal Data on EU Cross-border Movements to Fight Terrorism’, pp. 45-62 in this book.