Research Network on Regulatory Developments in Cybersecurity

The increasing digitalisation of vital public and private services has led to enormous societal gains, but it has also expanded the cyberthreat landscape, increasing the number and sophistication of such attacks. Cyberattacks targeting critical sectors such as health, finance, and energy have become a major concern and when successful, put citizens' lives at risk. To deal with these threats, the European Union has proposed several laws to enhance the cyber and physical resilience of critical entities and networks, including the draft Network and Information Systems (NIS 2) Directive, the proposal for Critical Entities Resilience Directive, and the draft Cyber Resilience Act. However, legal scholarship in this field is scarce partly because this is an evolving area but also due to lack of case law and other authoritative guidance. Where there is scholarship, it is often fragmented across institutions and disciplines, which reduces its reach and impact. The CyberReg Network brings together an interdisciplinary team of researchers with the aim of advancing scholarly exchange and impact by (1) stimulating collective research efforts and developing a shared understanding on the impact of the legislative initiatives on cybersecurity; and (2) building bridges between academics, policy makers and industry and thereby contribute to a more resilient society. To achieve these goals, the Network will focus in answering the following questions: (1) To what extent do the above-mentioned legislative initiatives adequately address the cyberthreats facing society today? (2) How do these legislative initiatives interact with each other and with existing rules? (3) How should we bridge the gap between general legal requirements on cybersecurity and organizations’ needs for having concrete and actionable items? The Network’s research efforts will primarily focus on regulatory developments in the EU and Norway but it will also keep abreast of global developments in cybersecurity norms.

Cyberthreats have become a great societal concern. The increasing digitalisation of vital public and private services, together with the Russian invasion of Ukraine, has expanded the cyberthreat landscape, giving rise to new vulnerabilities and risks. To deal with this new reality, the EU has unveiled several legislative proposals that aim to bolster cyber and physical resilience of critical entities and networks. Key among these initiatives are the proposals for NIS 2 Directive, the Critical Entities Resilience Directive, the Cyber Resilience Act and the Secure Connectivity Act. These initiatives come on top of existing and upcoming legislative initiatives that address security such as the GDPR, proposals for eIDAS Regulation and the Artificial Intelligence Act. This creates a complex and dense regulatory landscape that requires scrutiny. The CyberReg Network brings together researchers with the aim of stimulating harmonized research efforts on these legislative initiatives and increase impact by engaging with, and disseminating insights to, key change agents from the public and private sectors. The activities of the Network will focus on the follwoing three key areas: 1) creating avenues to foster knowledge exchange with a view to developing shared understanding of the regulatory developments, their interaction and impact in addressing the cyberthreats; 2) creating support system for researchers to increase visibility and collaboration internationally, encourage publication in international journals, and thereby strengthen the quality of research; 3) increase the discovery and accessibility of research on cyberthreats and associated regulatory developments and thereby improve the ability of industry, policymakers, and students to better understand and respond to the threats. The network will run for four years and will bring together an interdisciplinary team comprising researchers from BI, UiO, UiT, Politihøyskolen, TUM and University of Luzern.