My new article «Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity?», has been published in Computer Law & Security Review, Volume 44.
Abstract: The end of the second decade of the 21st century has been the best of times for EU’s cybersecurity law and policy: Its NIS Directive has been transposed into all Member States’ national law, creating a new administrative structure at EU and Member State level and mandating relevant policies and strategies to update and harmonise those that were already in place. Its Cybersecurity Act of 2019 incorporated the EU Agency for Cybersecurity (ENISA), and promises to install a new European cybersecurity certification scheme. To support policy with funding, large sums of research money have been spent on the development of cybersecurity tools and the relevant framework. However, EU’s significant regulatory activity is faced with substantial difficulties. While cybersecurity concerns are placed high on the list of issues that worry Europeans making a regulatory response pressing, the cybersecurity theoretical framework is far from concluded: Difficulties start as early as when attempting to define the term, ultimately divulging a lack of common understanding. Different actors understand cybersecurity differently under different circumstances. A distinction that could perhaps prove useful in creating clarity as to its exact meaning would distinguish between cybersecurity as praxis and cybersecurity as a state. Cybersecurity as praxis would then be understood as the activities and measures that need to be undertaken in order to accomplish cybersecurity’s aims and objectives. Accordingly, cybersecurity as a state would mean the condition that is achieved once cybersecurity as praxis has succeeded; Within cybersecurity as a state persons need to be protected against any cyber threat. A distinction between cybersecurity as praxis and cybersecurity as a state would not only be useful in delineating the term’s content but could also constitute the necessary theoretical groundwork for development, ultimately, of a new right to cybersecurity. EU law has already taken positive steps towards acknowledgement of a new right to cybersecurity. However, a lot more needs to be done; Past progress needs to be continued and updated. A conceivable next step could take the form of formal acknowledgement of such a new right in EU law, in a future amendment of the Act’s provisions or otherwise.