
International Cybersecurity Law Review (2023) 4:137–146

https://doi.org/10.1365/s43439-022-00072-9

SHORT REPORTS

The European framework for cybersecurity: strong assets, intricate history

Salvino A. Salvaggio · Nahuel González

Received: 21 September 2022 / Accepted: 16 October 2022 / Published online: 28 November 2022
© The Author(s) 2022

Abstract Over the last decade, the European Union (EU) has demonstrated a consistent determination to promote a global, open, stable, and secure cyberspace for everyone. A structured (and chronological) review of key EU documents, reports, and directives on cybersecurity shows that the recommendations from the relevant EU institutions (Parliament, Commission, Council) have been persistent over time, reiterating the same core issues that seem to not yet have been solved after a decade of debates and experts’ advice. Since at least 2012, EU institutions have identified the two domains that are under constant critical observation for the deployment of a coordinated European cybersecurity approach—gaps in policies and poor integration—while the European fundamentals of cybersecurity (both human and physical) have been consistently seen as an asset rather than a liability. However, the progressive de-professionalization of coding that tends to blur the distinction between amateurs and professionals should not be underestimated, as it furtively introduces a new class of risk related to unverified or circularly certified skills. It is therefore recommended that the regulatory framework is expanded to better govern the accreditation/certification of professional cybersecurity experts as well.

Keywords European Union · Cybersecurity · Digital policies · Digital Markets Act · AI Act · Cybersecurity Act

Salvino A. Salvaggio
Hamad bin Khalifa University, Doha, Qatar
E-Mail: ssalvaggio@hbku.edu.qa
Nahuel González
Laboratorio de Sistemas de Información Avanzados (LSIA), Facultad de Ingeniería, Universidad de Buenos Aires, Buenos Aires, Argentina


1 Background

Over the last decade, the European Union (EU) has shown a consistent determination to promote a global, open, stable, and secure cyberspace for everyone, and a clear desire “to take a more proactive stance in the discussions (...) on international security in cyberspace” [7, p. 20]. In addition to the identification of a variety of fast-evolving cyber threats¹, the EU has established a list of sectors, industries, technologies, institutions, and services—such as, but not limited to, “hospitals, energy grids, railways, and the ever-increasing number of connected objects in our homes, offices and factories” [8]²—which are considered both critical to our societies and economies, and highly exposed to the risk of digital criminality. Furthermore, the concept of cybersecurity has evolved over the same timeframe: From an original focus on technological weaknesses preventing the EU Member States and the private sector from extracting the potential value from the Internet, it progressively shifted to a broader but more acute concern over:

a) Defense and security deficiencies that could harm the “integrity and security of democratic systems” [12, p. 23] and challenge the resilience of essential infrastructure [9–11], which should be preserved and protected by all means, especially since the “EU’s critical infrastructure and essential services are increasingly interdependent and digitized” [12, p. 5].
b) Detrimental social impact of malicious or criminal use of the Internet [5].

As early as December 2000, the European Commission communicated to the European Parliament and Council a list of important issues, including cybercrime and cybersecurity, to be addressed by the European Council in Nice on 7–8 December [15]. By doing so, the EU initiated the process that brought cybersecurity higher on the priority list of European institutions and agencies. Eventually, in September 2013, the EU defined its first comprehensive Cybersecurity Strategy [16] and has since released an abundant corpus of reports, studies, and, ultimately, a set of policies and directives that have been regularly updated over the years³. Undoubtedly, key milestones in the European cybersecurity policymaking process have been the first Network and Information Systems (NIS) Directive [18], the Cybersecurity Act [17, 19], followed by the European Strategy for Data (which comprises the Data Governance Act [20], the Digital Markets Act [21], and the Digital Services Act [22]⁴), and the more recent Data Act [25], or the revised Network and Information Systems (NIS 2) Directive [23].

¹ Namely, ransomware, malware, cryptojacking or hidden cryptomining, email attacks, data breaches and leaks, distributed denial-of-service (DDoS) attacks, disinformation, non-malicious threats, supply chain threats [12].
² The European Commission listed 10 critical sectors, “energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, and space” [9, p. 3] and gives the Member States the possibility “to identify critical entities using common criteria on the basis of a national risk assessment.”
³ See, for example, the cybersecurity timeline of the European Council [13], and related documents.
⁴ A crisp description of these Acts is provided by ITA [29].


The concrete impact of the decade-long regulatory environment of cybersecurity has been pervasive and highly diversified, from a substantial increase in the awareness of cyber risks [28] to the development and adoption of new artificial intelligence (AI)- or machine learning (ML)-based products and services to counteract cybercrime [1, 35, 38, 39], just to name a couple.
However, after several rounds of updates and improvements to European cybersecurity proposals and regulations, it is also useful to highlight issues whose resolution would further facilitate the transition to a safer digital life in Europe.

2 Two key issues

2.1 Top–down: persistent gaps

A systematic survey of more than 10 years of EU documents, reports, and directives on cybersecurity from a historical perspective shows that the recommendations from the relevant EU institutions (Parliament, Commission, Council) have been persistent over time, reiterating the same core issues that seem to have not yet been solved after a decade of debates and experts’ advice. Since at least 2012, EU institutions have identified the two domains that are under constant critical observation for the deployment of a coordinated European cybersecurity approach: (1) gaps in policies and (2) poor integration (between policies, between member states and the EU, and between EU agencies).
At first sight, one could jump to the hurried conclusion that, to say the least, things do not move very fast in EU institutions. We, however, believe that this is excellent news. In the last decade, despite the repeatedly pinpointed gaps in policies and lack of integration, the capacity itself has never been organically questioned. Competencies, ideas, technologies, and infrastructures have been rightfully pushed toward continuous improvements, but they have never been described in any recommendation, directive, or experts’ view as dangerously deficient. In other words—and that is where the good news lies—although there have been recommendations to enhance education, accelerate technology development, and facilitate the deployment of infrastructures related to cybersecurity, the European fundamentals of cybersecurity have been seen as an asset rather than a liability. If the EU had identified a serious problem with poor assets, our institutions, democracies, private sector, and critical infrastructures would be in an alarming situation because it takes several years to build capacity, establish a new industry, secure funding, replace physical assets, hire the expert staff, and, most importantly, define and implement new curricula, and give the appropriate higher education to a generation of students [3, 26]. The fact that the core and the bulk of the EU cybersecurity-related recommendations point to policy gaps or integration weaknesses highlights a problem that is easier to solve than the lack or fragility of core assets and skills. It also explains why the main EU initiatives under the “cyber diplomacy” [6, 14] framework of action(s) are a pillar component of the solution⁵; rather than only relying on sanctions, cyber diplomacy is a scheme to facilitate dialogue between those stakeholders who are capable of filling the policy and integration gaps for coordinated European cybersecurity and cyber defense [30]. As Josep Borrell, High Representative of the Union for Foreign Affairs and Security Policy, put it: “Beyond strengthening our own cyber resilience, it is in the European DNA to prioritize cooperation and dialogue (...). We want everyone to reap the benefits that the Internet and the use of technologies provide. At the same time, we need effective answers to fast-changing cyber threats. Achieving both objectives will be at the heart of our new EU Cybersecurity Strategy” [4].
The notion of EU cyber diplomacy, therefore, reflects two important attributes of the EU’s cybersecurity approach: (1) the EU aims to act as a global standard setter through strong policies, and (2) such a vision is rooted in the trust that the cybersecurity assets (both physical and human) available across Europe, although perfectible, can bear the edifice of coordinated cyber regulations and defense.

2.2 Bottom–up: the need for higher standards for human resources

There is an important proviso to the assertions of the previous section, which forces us to temporarily shift our focus away from policies to dig into the uncomfortable realm of technicalities. Although the application of adequate software engineering processes can reduce the probability of exploitable weaknesses and mitigate their severity, even a small mistake on the part of one of the many members of a development chain can remain unnoticed for a long time while fully compromising the security of the systems overall. Hence, we need to temporarily abandon the top–down approach and delve, bottom–up, into some specifics of software construction to better understand how policy can, and sometimes cannot, help with the aforementioned objective of promoting a global, open, stable, and secure cyberspace for everyone.

2.2.1 Overview of the software construction process from a security perspective

For the rest of our discussion, the standard terminology of software engineering as defined by the IEEE Software Engineering Body of Knowledge (SWEBOK) will be used [34]; all quotes in this section are taken from it. From a bird’s-eye view that will suffice for our purposes, software construction is a process that involves, at least, the successive stages of design, development, operation, and maintenance; these will be referred to together as the life cycle.
Software engineering processes, which are “concerned with work activities accomplished by software engineers to develop, maintain, and operate software,” support the overarching process of software construction. Their utility extends to hard, quantifiable goals such as “to measure and improve the quality of software products in an efficient manner.”

⁵ Among others, see the call for “EU Cyber Diplomacy Support Initiative” (https://www.euro-access.eu/calls/framework_partnership_agreement_humanitarian_aid_1) or the “EU Cyber Direct—EU Cyber Diplomacy Initiative” (https://eucyberdirect.eu).


In particular, security is considered a software quality issue and is one of the few key cross-cutting concerns that show up in all stages of the software life cycle. As such, software systems should, by design, “prevent unauthorized disclosure, creation, change, deletion, or denial of access to information and other resources” but also “tolerate security-related attacks or violations by limiting damage, continuing service, speeding repair and recovery, and failing and recovering securely.” Yet, mitigation of risks is not confined to the design stage as, for example, security concerns during software development “may necessitate one or more software processes to protect the security of the development environment and reduce the risk of malicious acts.”
For this purpose, a set of quality analysis and evaluation techniques, such as software design reviews and static analysis, as well as a set of practical recommendations for programming languages, tools, and coding practices, complements the specialized process of security testing. The latter, which is carried out during the development, operation, and maintenance phases, verifies “the confidentiality, integrity, and availability of the systems and its data” and that the system cannot be misused or abused by a malicious actor directly or through malware.

2.2.2 Vulnerabilities and their causes

Software engineering processes have been shown to reduce the probability and mitigate the severity of exploitable weaknesses when applied carefully [31]. However, the ubiquity of exploitable vulnerabilities in software, the pervasiveness of automatic updates, and their increasing frequency show how difficult it is to achieve those objectives. For example, the Common Vulnerabilities and Exposures (CVE) database included fewer than 4600 software vulnerabilities in 2000, while, at the time of writing, the number of vulnerabilities covered is on the order of 200,000, a 40-fold increase in two decades.
From a security perspective, and thus focusing on exploitable vulnerabilities and not on software quality in general, we would like to emphasize as a root cause the huge asymmetry between vulnerability creation and detection. Exploitable vulnerabilities have been repeatedly shown to be easy to introduce into the code base, even with a single small modification of the source code, whether unnoticed or malicious, by a single programmer [27] or as a result of misunderstanding security concepts [40]. Although significant improvements have been made, reliable detection has remained elusive, both for human auditors and automated tools [37].
As an example, the reader might remember Log4Shell, a critical vulnerability made public in December 2021 that affected millions of servers worldwide [2]. Log4Shell is a vulnerability in Apache Log4j, a logging utility developed and maintained by the Apache Software Foundation and included as a dependency in a wide range of programs from software development environments to security tools and cloud platforms. It was introduced into the code base of Log4j, unknowingly, by a single contributor while adding a feature requested by its community of users. This is one, but not the only, cautionary tale that illustrates the importance of considering a bottom–up approach to cybersecurity as a necessary complement to the top–down regulatory approach.


2.2.3 What can (or cannot) policymakers do?

In contrast to physical security—where the scale of the deleterious effects is in general proportional to the severity of the flaw—in the field of cybersecurity, a single, small vulnerability in a dependency or an underlying communication layer can be enough to compromise the whole system [33]. When adding the ubiquitous Internet of Things into the picture [32]—which is already blurring the boundaries between physical systems and their digital counterparts—we can foresee a frightening scenario in which the weaker of the two sets the height of the security bar, as a malicious actor can now click to commit an act of terrorism, not cyberterrorism [36].
The realms of cybersecurity and traditional security have been merged into one. And the AI revolution will only increase the inherent risks. As recital (51) of the proposed Artificial Intelligence Act [24] puts it, “cybersecurity plays a crucial role in ensuring that AI systems are resilient against attempts to alter their use, behaviour, performance or compromise their security properties by malicious third parties exploiting the system’s vulnerabilities” and “to ensure a level of cybersecurity appropriate to the risks, suitable measures should therefore be taken by the providers of high-risk AI systems, also taking into account, as appropriate, the underlying ICT infrastructure.”
It is well understood that it is not the role of policymakers to tackle software issues directly. This is the responsibility of information security experts. In the last two decades, however, there has been a cultural push toward the idea that coding is easy and everybody can be a programmer or a network specialist. Although the democratization of programming and inclusive access to information technologies since elementary education has been strongly supported by the vast majority of stakeholders and regulators, the distinction between (trained) amateurs and certified professionals should not be underestimated. The safety of our lives, both digital and physical, depends on it.
The certifications provided by a myriad of companies or specialized training centers to their own students should not be considered a sufficient guarantee, for this self-reference often misses the point of regulated education and peer assessment. An expansion of the EU’s regulatory framework to cover the accreditation/certification of professional cybersecurity experts would bring the additional benefit of aligning all human resources to the highest shared standards.
In this way, from the bottom up and by raising the standards of human resources, many potential vulnerabilities that software engineering processes failed to mitigate, which evaded the scrutiny of human auditors and fooled the state-of-the-art automatic detection tools, will never enter the code base of the software that supports the operations of critical infrastructure in the EU and the world, cutting off cyber threats and their physical counterparts at their roots.

3 Conclusion

As mentioned, EU institutions aim to become a global standard-setter through clear, sharp policies and regulations, as has been achieved with recent legal texts (see Digital Markets Act [21], Digital Services Act [22], High common level of cybersecurity across the Union [23], Artificial Intelligence Act [24], and the Data Act [25]). The Subsidiarity section of the Digital Markets Act clearly states that the unfair practices of gatekeepers impede start-ups and smaller businesses from offering better, diversified products at more competitive prices [21]; this is particularly relevant in this context because resilience in the cybersecurity landscape requires diversification of the underlying infrastructure and core assets—diversification as opposed to acceptance of monopolistic practices, in order to mitigate the inherent risk of cyber monoculture.
The EU can afford such an ambitious scope precisely because it does not lack the required core assets. But those valuable assets should also be safeguarded from poor operations; capacities, competencies, ideas, technologies, and infrastructures related to cybersecurity require high standards of operations, education, programming, design, and production. Otherwise, we risk shifting the current challenges of integration and policies to a harder challenge: that of rebuilding core assets, which would take no less than 10 years to handle.
Acknowledgements This article is an expanded version of a contribution presented at the High-Level
Roundtable on Cybersecurity (April 26th, 2022), hosted by Ms. Eva Kaili, Vice President of the European
Parliament, organized by the Panel for the Future of Science and Technology (STOA) of the European
Parliament, with the support of the European Parliamentary Research Service (EPRS). Many thanks to
Vice President Kaili for her support and commitment to cybersecurity. The authors would like to thank
Ms. Susan Essex for language editing and proofreading the manuscript.

Funding Open Access funding provided by the Qatar National Library.

Conflict of interest S.A. Salvaggio and N. González declare that they have no competing interests.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

References

Cited literature

1. Abdullahi M, Baashar Y, Alhussian H, Alwadain A, Aziz N, Capretz LF, Abdulkadir SJ (2022) Detecting Cybersecurity Attacks in Internet of Things Using Artificial Intelligence Methods: A Systematic Literature Review. Electronics. https://doi.org/10.3390/electronics11020198
2. Associated Press “Recently uncovered software flaw ‘most critical vulnerability of the last decade’.” The Guardian. https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell (Created 11 Dec 2021). Accessed 7 Nov 2022
3. Blažič BJ (2022) Changing the landscape of cybersecurity education in the EU: Will the new approach produce the required cybersecurity skills? Educ Inf Technol 27:3011–3036. https://doi.org/10.1007/s10639-021-10704-y

4. Borrell J (2019) “Cyber diplomacy and shifting geopolitical landscapes.” EU Cyber Forum, Brussels (14 September 2019). https://www.eeas.europa.eu/eeas/cyber-diplomacy-and-shifting-geopolitical-landscapes_en. Accessed 7 Nov 2022
5. Burton J, Lain C (2020) Desecuritising cybersecurity: towards a societal approach. J Cyber Policy 5(3):449–470. https://doi.org/10.1080/23738871.2021.1948582
6. Delmeire M, Lavadoux F (2021) “EU Cyber Diplomacy 101.” European Institute of Public Administration Blog. https://www.eipa.eu/blog/eu-cyber-diplomacy-101/. Accessed 7 Nov 2022
7. European Commission (EC) (2020) The EU’s Cybersecurity Strategy for the Digital Decade. Joint Communication of the European Parliament and the Council. https://digital-strategy.ec.europa.eu/en/library/eus-cybersecurity-strategy-digital-decade-0. Accessed 7 Nov 2022
8. European Commission (EC) (2020) The Cybersecurity Strategy. Press Release. https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-strategy. Accessed 7 Nov 2022
9. European Commission (EC) (2020) Proposal for a Directive of the European Parliament and of the Council on the Resilience of Critical Entities. COM(2020) 829 final. 2020/0365 (COD). https://ec.europa.eu/home-affairs/system/files/2020-12/15122020_proposal_directive_resilience_critical_entities_com-2020-829_en.pdf. Accessed 7 Nov 2022
10. European Commission (EC) (2020) New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient. Press Release. https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2391. Accessed 7 Nov 2022
11. European Commission (EC) (2020) The Commission proposes a new directive to enhance the resilience of critical entities providing essential services in the EU. News Article. https://ec.europa.eu/home-affairs/news/commission-proposes-new-directive-enhance-resilience-critical-entities-providing-essential-services-2020-12-16_en. Accessed 7 Nov 2022
12. European Council (2021) Top cyber threats in the EU. https://www.consilium.europa.eu/en/infographics/cyber-threats-eu/. Accessed 7 Nov 2022
13. European Council (2022) Timeline cybersecurity. https://www.consilium.europa.eu/en/policies/cybersecurity/timeline-cybersecurity/. Accessed 7 Nov 2022
14. European Parliament Research Service (2020) Understanding the EU’s approach to cyber diplomacy and cyber defence. Briefing. EU policies—Insights. PE 651.937. https://www.europarl.europa.eu/RegData/etudes/BRIE/2020/651937/EPRS_BRI(2020)651937_EN.pdf. Accessed 7 Nov 2022
15. European Union (EUR-Lex) (2000) Communication from the Commission to the Council and European Parliament—The eEurope 2002 update prepared by the European Commission for the European Council in Nice, 7th and 8th December 2000. COM/2000/0783 final. Document 52000DC0783. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52000DC0783. Accessed 7 Nov 2022
16. European Union (EUR-Lex) (2013) European Parliament resolution of 12 September 2013 on a Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (2013/2606(RSP)). Official Journal of the European Union. Document 52013IP0376. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52013IP0376. Accessed 7 Nov 2022
17. European Union (EUR-Lex) (2013) Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004. Official Journal of the European Union. Document 32013R0526. https://eur-lex.europa.eu/eli/reg/2013/526. Accessed 7 Nov 2022
18. European Union (EUR-Lex) (2016) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. Official Journal of the European Union. Document 32016L1148. https://eur-lex.europa.eu/eli/dir/2016/1148. Accessed 7 Nov 2022
19. European Union (EUR-Lex) (2019) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act). Official Journal of the European Union. Document 32019R0881. https://eur-lex.europa.eu/eli/reg/2019/881. Accessed 7 Nov 2022
20. European Union (EUR-Lex) (2020) Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act). COM/2020/767 final. Document 52020PC0767. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020PC0767. Accessed 7 Nov 2022
21. European Union (EUR-Lex) (2020) Proposal for a Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act). COM/2020/842 final. Document 52020PC0842. https://eur-lex.europa.eu/legal-content/en/ALL/?uri=COM:2020:842:FIN. Accessed 7 Nov 2022

22. European Union (EUR-Lex) (2020) Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC. COM/2020/825 final. Document 52020PC0825. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020PC0825. Accessed 7 Nov 2022
23. European Union (EUR-Lex) (2020) Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148. COM/2020/823 final. Document 52020PC0823. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020PC0823. Accessed 7 Nov 2022
24. European Union (EUR-Lex) (2021) Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on Artificial Intelligence (Artificial Intelligence Act) and Amending certain Union legislative Acts. COM/2021/206 final. Document 52021PC0206. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0206. Accessed 7 Nov 2022
25. European Union (EUR-Lex) (2022) Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act). COM/2022/68 final. Document 52022PC0068. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0068. Accessed 7 Nov 2022
26. Fischer PJ (2022) A cybersecurity skills framework. In: Information Resources Management Association (ed) Research anthology on advancements in cybersecurity education. IGI Global, pp 211–230. https://doi.org/10.4018/978-1-6684-3554-0.ch010
27. Gao J, Li L, Kong P, Bissyandé TF, Klein J (2019) Understanding the evolution of android app vulnerabilities. IEEE Trans Reliab 70(1):212–230
28. Global cybersecurity index (2020) https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx. Accessed 7 Nov 2022
29. International Trade Administration (ITA) (2021) EU—country commercial guide on cyber-security. https://www.trade.gov/country-commercial-guides/eu-cyber-security. Accessed 7 Nov 2022
30. Ivan P (2019) Responding to cyberattacks: Prospects for the EU Cyber Diplomacy Toolbox. European Policy Center, Brussels. Discussion Paper. https://www.epc.eu/content/PDF/2019/pub_9081_responding_cyberattacks.pdf. Accessed 7 Nov 2022
31. Kreitz M (2019) Security by design in software engineering. ACM Sigsoft Softw Eng Notes 44(3):23–23
32. Maple C (2017) Security and privacy in the internet of things. J Cyber Policy 2(2):155–184. https://doi.org/10.1080/23738871.2017.1366536
33. Nebbione G, Calzarossa MC (2020) Security of IoT application layer protocols: challenges and findings. Future Internet 12(3):55
34. Bourque P, Fairley RE (eds) (2014) “Guide to the Software Engineering Body of Knowledge, Version 3.0.” IEEE Computer Society. http://www.swebok.org. Accessed 7 Nov 2022
35. Segal E (2020) “The Impact of AI on Cybersecurity.” Institute of Electrical and Electronics Engineers (IEEE) Computer Society, Tech News. https://www.computer.org/publications/tech-news/trends/the-impact-of-ai-on-cybersecurity. Accessed 7 Nov 2022
36. Schneier B (2018) Click here to kill everybody: security and survival in a hyper-connected world. W. W. Norton, New York
37. Shen Z, Chen S (2020) A survey of automatic software vulnerability detection, program repair, and defect prediction techniques. Secur Commun Networks. https://doi.org/10.1155/2020/8858010
38. Sreedevi AG, Nitya Harshitha T, Vijayan Sugumaran PS (2022) Application of cognitive computing in healthcare, cybersecurity, big data and IoT: a literature review. Inf Process Manag. https://doi.org/10.1016/j.ipm.2022.102888
39. Talab Z (2021) “Overview of AI-based Cybersecurity Technologies.” Developer, August 13. https://www.developer.com/security/overview-ai-cybersecurity/. Accessed 7 Nov 2022
40. Votipka D, Fulton KR, Parker J, Hou M, Mazurek ML, Hicks M (2020) Understanding security mistakes developers make: qualitative analysis from build it, break it, fix it. In: 29th USENIX Security Symposium (USENIX Security 20), pp 109–126

Further reading
41. European Parliament Research Service (2017) Achieving a sovereign and trustworthy ICT industry in the EU. Scientific Foresight Unit (STOA) PE 614.531. https://www.europarl.europa.eu/RegData/etudes/STUD/2017/614531/EPRS_STU(2017)614531_EN.pdf. Accessed 7 Nov 2022
42. European Parliament Research Service (2017) Cybersecurity in the EU Common Security and Defence Policy: Challenges and risks for the EU. Scientific Foresight Unit (STOA) PE 603.175. https://www.europarl.europa.eu/RegData/etudes/STUD/2017/603175/EPRS_STU(2017)603175_EN.pdf. Accessed 7 Nov 2022
43. European Parliament Research Service (2021) Strategic communications as a key factor in countering. Scientific Foresight Unit (STOA) PE 656.323. https://www.europarl.europa.eu/RegData/etudes/STUD/2021/656323/EPRS_STU(2021)656323_EN.pdf. Accessed 7 Nov 2022

