The common EU approach to personal data and cybersecurity regulation

Abstract

Several sector-specific studies on EU data protection and cybersecurity frameworks can be found in the literature, but their differing legal domains has hindered the development of a common analysis of the different sets of provisions from a business perspective. This article sets out to bridge this gap, providing a systematic review and a cross-cutting operational analysis of the main legal instruments that constitute the common European approach to personal data and cybersecurity regulation for the business sector. We aim to demonstrate the existence of a core of common principles and procedural approaches referring to specific cybersecurity and data security technologies. Analysis reveals a coordinated regulatory model based on five pillars: risk-based approach, by-design approach, reporting obligations, resilience and certification schemes. We also highlight the relationship between the main directives and regulations.