SHALL CYBERSECURITY DEVELOP? – disregarding its complexity

Cyberattacks and cybercrimes can take various forms, not only in the private sector and corporate transactions but increasingly among governments and between nations. Confidential information, fateful data, as well as intellectual property, can be accessed, stolen or affected by malware. Worldwide, 156 countries (80%) have enacted cybercrime legislation, 5% have draft legislation and 13% have no legislation at all. Except for the Budapest Convention on Cybercrime (ETS no. 185), there are no specific international rules governing cybersecurity. In the EU, the 2016 Directive on security of network and information systems (NIS Directive) was the first EU-wide legislation for cybersecurity and had to be implemented by all member states by May 2018. Beyond the Budapest treaty and NIS, Finland has national regulation and projects relating to cybersecurity. Among other things, the newest project aims to make cybersecurity a civic skill across Europe.

Why does it matter?

Understanding cybersecurity, that is, the activities necessary for the protection of network and information systems, their users and others affected by cyber threats, is vital in the era of digitalization. Security of information and digital literacy not only advance digital transformation but also provide trust and protection, as cybersecurity aims to protect critical systems and sensitive information from attacks and threats. These threats are almost always cross-border, so a threat to one country’s critical infrastructure can affect other countries as well.

Cybercrimes and cyberattacks take various forms and can harm victims. Personal data, as well as intellectual property, can be accessed, stolen or compromised by malware and used to commit online fraud. Online platforms can be used to distribute illegal content, and the darknet can be used to sell illicit goods and services. Non-cash payments can be misused, fraud committed and the rights of persons violated online.

Is there law and order in the international context?

Worldwide, 156 countries (80%) have enacted cybercrime legislation, 5% have draft legislation and 13% have no legislation at all.

The Budapest Convention on Cybercrime was agreed in 2001 and is currently ratified by 65 countries worldwide, including Finland, which ratified the treaty in 2007. Supplementary protocols to the treaty were added in 2003 and 2021. The Budapest Convention is a criminal justice treaty providing, inter alia, a list of harmonized criminalized attacks, a procedural cooperation system, and investigation and prosecution powers based on domestic procedural law. Except for the Budapest treaty, there are no rules made specifically to regulate cybersecurity. Most states and international organizations affirm, though, that existing international law also applies to the use of ICT.

How does the EU handle cybersecurity?

From a legal point of view, the 2016 Directive on security of network and information systems (NIS Directive) was the first EU-wide legislation for cybersecurity and had to be implemented by all member states (MS) by May 2018. It provides several measures to secure services vital to the EU economy and society and aims to ensure that MS are prepared and ready to respond to cyberattacks.

  • The directive requires MS to designate competent authorities, set up computer-security incident response teams, adopt national cybersecurity strategies, and identify essential service providers in critical sectors such as energy, transport, finance, banking, health, water and digital infrastructure, where a cyberattack could disrupt an essential service.
  • It aims to promote risk management and improve EU-level cooperation, and it sets notification requirements that must be followed upon relevant incidents such as hacking or theft of data.

After its review in 2020, the NIS 2 Directive was proposed to address the shortcomings and expand the requirements to correspond to current needs.

The proposal extends the coverage of the directive by, inter alia, adding new critical sectors, including all medium and large companies in these sectors, and proposing a classification of entities based on their importance rather than on the distinction between operators and service providers. It strengthens security requirements by setting a minimum risk management standard and a precise incident reporting mechanism, and it addresses the security of supply chains. Stringent supervisory measures and enforcement requirements are also set, cooperation is enhanced, and harmonization of MS sanction regimes is introduced.

Additionally, Regulation 2019/881 (EU Cybersecurity Act) assigns a permanent mandate to, and strengthens the role of, the European Union Agency for Network and Information Security (ENISA), which provides support and technical and scientific advice to national authorities, EU institutions and businesses concerning cybersecurity and relevant legislation. The Act also establishes the EU cybersecurity certification framework for information and communication technology (ICT) products, increasing trust and security in important products and services for the digital sphere. The goal is to develop a comprehensive EU-wide certification scheme with a set of rules, technical requirements, standards and procedures for evaluation and assessment; such a certificate will be recognized in all MS. The Act promotes cross-border trade by businesses and makes the security features of a product or service easier to understand when making purchases. Several other actions, including research projects and investments, have been taken by the EU to tackle cyber threats.

What is the goal of Finland’s newest project?  

Finland has established and is developing an educational package to make cybersecurity a civic skill across Europe. This project was awarded five million euros from the European Union (EU) recovery instrument NextGenerationEU (NGEU) and is being carried out by Aalto University and the Ministry of Transport and Communications. The three-year project will result in the launch of an open website, available in all official EU languages, providing practical and useful materials for teaching cybersecurity skills. It seems that the project is expanding successfully in Europe.

For more information see:

  • https://unctad.org/page/cybercrime-legislation-worldwide
  • https://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf
  • https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019R0881
  • https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies
  • https://rm.coe.int/1680081561
  • https://valtioneuvosto.fi/en/-/finland-creates-an-educational-package-to-make-cybersecurity-a-civic-skill-across-the-european-union