IGF 2023 Lightning Talk #141 The new European toolbox for cybersecurity regulation

Monday, 9th October, 2023 (00:45 UTC) - Monday, 9th October, 2023 (01:15 UTC)
WS 8 – Room C-1

European Cyber Conflict Research Initiative

Digital Society Institute

Corinne Casha (Ministry for Foreign and European Affairs, Malta), Government, WEOG; Nils Brinker (Digital Society Institute, ESMT Berlin; European Cyber Conflict Research Initiative)


Nils Brinker (European Cyber Conflict Research Initiative), Technical Community, WEOG;

Onsite Moderator

Corinne Casha


Richard Skalt



Targets: 9.1 Promoting resilience of digital (and non-digital) infrastructure by ensuring the security of the used systems by regulatory means 16.4 Finding effective means to fight cybercrime.


20 minutes talks, 10 minutes open discussion.

Duration (minutes)

While cybersecurity is not a new challenge, the topic has again gained significance. The ever-progressing digitalization of every aspect of everyday life proved to have made the digital society a lot more vulnerable to emerging threats through state or non-state actors. While conventional conflicts are feared to further sweep into the digital realm, cybercriminals celebrate the success story of their ransomware business model with no end in sight. European lawmakers have recognized this new quality of the threat landscape and prompted several regulatory projects to improve cybersecurity within the European Union, such as the NIS 2 directive or the Cybersecurity Act. This Lightning Talk aims to provide an overview of the current regulatory efforts on cybersecurity on the European level. It will primarily cover three main regulations: (a) the NIS 2 directive (which came into force in December), (b) the proposal for a cyber resilience act, as well as (c) parts of the proposal for an AI act. The talk will give an overview of the implemented regulatory tools, their desired effects, and an assessment of the hardships/difficulties and challenges faced when the main goal is to tackle an international threat landscape via regional regulation. Essential parts of the given talks are covered in the following article: [https://techpolicy.press/good-cybersecurity-governance-in-the-european-…](https://techpolicy.press/good-cybersecurity-governance-in-the-european-…) Based on that, this talk aims to identify the common points for incoming discussions about certain aspects surrounding the broader conversation about cybersecurity, such as enhanced cooperation among regional and national institutions, common patterns of prevention highlighted in legislation over the globe, or how the focus on protecting systems on the regional level can be relevant to the bigger picture.
As selected issues its talked about the risk of risk management in 
Also, the regulation of digital Identities in Europe should be considered as a case study on how cross-sectorial IT-Security regulation approaches can interfere with an already existing ecosystem and regulation of a specific case study.
Here the goal is to convene a discussion with attendees about the possible mechanisms to synchronize international cybersecurity regulation efforts and find mutual answers. Do regional regulatory efforts value the interests of international stakeholders accordingly, or does this kind of regulation promote the fragmentation of the tech sector? How can international forms of collaboration like the UN Digital Compact or the Ad hoc Group of Cybercrime benefit regional Cybersecurity Interests?

The talk consists of mutual results of the project ITSR.sys (funded by the German Federal Ministry of Education and Science) and the Accompanying Research of the Showcaseprojects for Digital Identities.

Key Takeaways (* deadline 2 hours after session)

European Cyber security regulation landscape is divers but seeks to consolidate and to close regulatory blindspots

International trade law does also interfere with cybersecurity regulation

Call to Action (* deadline 2 hours after session)

Assess the human factor off it security regulation

Don't forget the endusers

Session Report (* deadline 26 October) - click on the ? symbol for instructions

The lightning talk covered recent regulatory efforts by the European Union concerning cyber security. The talk covered the NIS-2 directive, the Cybersecurity Act, the Cyber Resilience Act as well as the AI Act.
The talk elaborated on the core methods and tools those regulation aims to foster IT-Security. It especially emphasized the core role of risk management.
The talk also further elaborated on two selected challenges and issues with cybersecurity regulation.
First, it conducted a case study of the IT security requirements and regulations of Digital Identities. The case study demonstrated the complex interdependencies of different regulations, stakeholders (users, private sector, government), as well as the technical infrastructure. This example was used to emphasize the difficulties of effectively ensuring or fostering Cybersecurity in a complex environment.
The second issue demonstrated was the subjectivity of risk management. It was argued that the result of risk management, which in the IT-Security law are actual technical protection measures to be implemented, heavily relies on the perspective of the risk-assessing entity. Current international efforts like the UN Cybercrime Convention were briefly discussed.

During the Discussion, several aspects and different perspectives were brought up by the audience:

  1. One Participant brought up the issue that especially the market-focused regulatory efforts by the EU do not consider interactions with international trade law. Because the CRA contains several product requirements, those might pose an issue with existing trade agreements. Future regulatory efforts should consider those interactions more.
  2. One Participant brought up the issue that existing regulation mainly focuses on the security of devices but not on the people using those. Within risk management, this can lead to blind spots for risks for certain stakeholders. One stated example was the safety of IOT devices in the context of domestic violence. If a person does not have access to a victim's home but is still the account owner for the smart home system, he could use it to, e.g., turn on the heating to demonstrate power. Because he is the rightful owner of the account, this would not be, per definition, a security risk.
  3. Another participant pointed out the market effect of the CRA. As security is a quality of a good that is difficult to asses by the average customer, common requirements prevent market failure through information asymmetries.
  4. One more aspect that was briefly discussed was the security of critical components. The question if the European legislator considers those was positively answered by a participant.