From Insight to Compliance: Appropriate Technical and Organisational Security Measures Through the Lens of Cybersecurity Maturity Models

[2024] 52 Computer Law & Security Review 1 - 10

22 Pages Posted: 16 Apr 2024

Christof Koolen

KU Leuven - Centre for IT & IP Law (CiTiP)

Kim Wuyts

KU Leuven

Wouter Joosen

KU Leuven

Peggy Valcke

KU Leuven - Centre for IT & IP Law (CiTiP); European University Institute - Robert Schuman Centre for Advanced Studies (RSCAS)

Date Written: April 1, 2024

Abstract

Cybersecurity is a much-debated topic in both technical and legal scholarship. With contemporary business models hinging on highly performant information systems, there is increased awareness among entrepreneurs that security incidents often have devastating consequences for undertakings’ revenue streams, intellectual property, and brand reputation. As a result, there is an increased focus on the obligation to implement cybersecurity measures. In the context of the GDPR, cybersecurity obligations seem to converge on the requirement to deploy ‘appropriate technical and organisational measures’ in order to ensure a level of security commensurate with the risks posed to an organisation. Yet, given the complex and rapidly evolving nature of the subject matter, the precise meaning and scope of these obligations remain unclear. This contribution offers guidance on how to assess the concept of ‘appropriate technical and organisational measures’ by considering it through the lens of cybersecurity maturity models. Accordingly, this article provides anchorage to scholarly audiences when scrutinising the extent to which privacy and security measures qualify as ‘appropriate’ in the context of liability claims and actions for damages, thereby creating an opportunity to move from technical insight to legal compliance.

Keywords: Cybersecurity, Appropriate technical and organisational measures, IT systems, GDPR, Risk assessment, Compliance obligations

Suggested Citation

Koolen, Christof and Wuyts, Kim and Joosen, Wouter and Valcke, Peggy, From Insight to Compliance: Appropriate Technical and Organisational Security Measures Through the Lens of Cybersecurity Maturity Models (April 1, 2024). [2024] 52 Computer Law & Security Review 1 - 10, Available at SSRN: https://ssrn.com/abstract=4746006

Christof Koolen (Contact Author)

KU Leuven - Centre for IT & IP Law (CiTiP)

Sint-Michielsstraat 6 box 3443
Leuven, 3000
Belgium

Kim Wuyts

KU Leuven

Wouter Joosen

KU Leuven

Peggy Valcke

KU Leuven - Centre for IT & IP Law (CiTiP)

Sint-Michielsstraat 6 box 3443
Leuven, 3000
Belgium

European University Institute - Robert Schuman Centre for Advanced Studies (RSCAS)

Villa La Fonte, via delle Fontanelle 18
50016 San Domenico di Fiesole
Florence, Florence 50014
Italy
