From Insight to Compliance: The Concept of ‘Appropriate Technical and Organisational Measures’ in EU Cybersecurity Law

67 Pages Posted: 25 May 2023

Christof Koolen

affiliation not provided to SSRN

Kim Wuyts

affiliation not provided to SSRN

Wouter Joosen

KU Leuven

Peggy Valcke

KU Leuven - Centre for IT & IP Law (CiTiP); European University Institute - Robert Schuman Centre for Advanced Studies (RSCAS)

Abstract

Cybersecurity is a much-debated topic in both technical and legal scholarship. With contemporary business models hinging on highly performant information systems, there is increased awareness among entrepreneurs that security incidents often have devastating consequences on undertakings’ revenue streams, intellectual property, and brand reputation. Concurrently, the uptick in popularity of the topic has also generated an impulse for the European Union legislator to thoroughly review the legal framework on cybersecurity and to update existing views on IT security in the late 2010s. Yet, given the complex and rapidly evolving nature of the subject matter, reconciling views held by legal practitioners and IT professionals remains a challenging endeavour. This contribution brings these two perspectives together and offers guidance on how to assess the concept of ‘appropriate technical and organisational measures’ within the context of IT products. Accordingly, this article provides anchorage to scholarly audiences when scrutinizing the extent to which privacy and security measures qualify as ‘appropriate’ in the context of liability claims and actions for damages, thereby creating an opportunity to move from technical insight to legal compliance.

Keywords: Cybersecurity, appropriate technical and organisational measures, IT systems, GDPR, NIS2 Directive, risk assessment, compliance obligations

Suggested Citation

Koolen, Christof and Wuyts, Kim and Joosen, Wouter and Valcke, Peggy, From Insight to Compliance: The Concept of ‘Appropriate Technical and Organisational Measures’ in EU Cybersecurity Law. Available at SSRN: https://ssrn.com/abstract=4459481 or http://dx.doi.org/10.2139/ssrn.4459481

Christof Koolen (Contact Author)

affiliation not provided to SSRN

Kim Wuyts

affiliation not provided to SSRN

Wouter Joosen

KU Leuven

Peggy Valcke

KU Leuven - Centre for IT & IP Law (CiTiP)

Sint-Michielsstraat 6 box 3443
Leuven, 3000
Belgium

European University Institute - Robert Schuman Centre for Advanced Studies (RSCAS)

Villa La Fonte, via delle Fontanelle 18
50016 San Domenico di Fiesole
Florence, Florence 50014
Italy
