Governance of cyberspace poses a myriad of challenges. Cyberspace's reach across geopolitical boundaries, the increasing co-dependency of public and private sectors, and the challenges of anonymity and attribution defy traditional governance. The regulation of cyberspace is thus markedly different from that of other domains.
The threat of cyber attacks, which may cause significant disruption to critical public services and infrastructure, targets government authorities and privately-held entities alike. While determining and enforcing internal cyber security standards for government authorities is, in light of the aforementioned challenges, complex in and of itself, the regulation of cyber security standards in the private sector poses a plethora of unique additional dilemmas.
The introduction of a national cyber security regulatory regime to market sectors already saturated with regulations, such as finance or health, may adversely affect overall compliance or impede business performance. Furthermore, locally-based private actors who operate globally may be subject to cyber security regulatory standards from abroad.
The various models found in the EU directive on security of network and information systems (the NIS Directive) and the subsequent member state legislation (some of which is still pending), alongside recently enacted non-EU cyber security legislation, may provide a comparative framework for research. However, comparative insights may also be gained from examining parallel legal schemes and regulations pertaining to cyberspace governance, such as data protection.
An effective design of the cyber security public regulator is another dilemma. The costs and benefits of centralized versus decentralized cyber regulation should be taken into account in view of the aforementioned regulatory burden, the anticipated level of cooperation from existing regulators, and the ability to attain professional expertise, retain it and disseminate cyber security know-how to other actors.
The boundaries of regulatory discretion in cyberspace, and the level of coercion employed in exercising it, should also be explored, as well as the effectiveness of voluntary cyber security standards versus coercive statutory provisions in inducing compliance with the desired level of cyber security. Accordingly, other branches of law can be examined as possible alternatives to, or enhancers of, regulation and supervision.
The purpose of the Research Group on Regulation of Cyber Security Standards for the Private Markets is to advance legal research concerning such dilemmas. Academics as well as members of the public and private sectors are welcome to join the group and present their research and practical insights.
* Amir Cahane – Group Coordinator
For more details, please contact Amir Cahane: firstname.lastname@example.org