From Insight to Compliance: The Concept of ‘Appropriate Technical and Organisational Measures’ in EU Cybersecurity Law
67 Pages. Posted: 25 May 2023
Cybersecurity is a much-debated topic in both technical and legal scholarship. With contemporary business models hinging on highly performant information systems, there is increased awareness among entrepreneurs that security incidents often have devastating consequences on undertakings’ revenue streams, intellectual property, and brand reputation. Concurrently, the uptick in popularity of the topic has also generated an impulse for the European Union legislator to thoroughly review the legal framework on cybersecurity and to update existing views on IT security in the late 2010s. Yet, given the complex and rapidly evolving nature of the subject matter, reconciling views held by legal practitioners and IT professionals remains a challenging endeavour. This contribution brings these two perspectives together and offers guidance on how to assess the concept of ‘appropriate technical and organisational measures’ within the context of IT products. Accordingly, this article provides anchorage to scholarly audiences when scrutinizing the extent to which privacy and security measures qualify as ‘appropriate’ in the context of liability claims and actions for damages, thereby creating an opportunity to move from technical insight to legal compliance.
Keywords: Cybersecurity, appropriate technical and organisational measures, IT systems, GDPR, NIS2 Directive, risk assessment, compliance obligations