After an introduction to the notions of cybersecurity and cybersecurity-related risks, this preface introduces four collected contributions on the challenges and perspectives of EU cybersecurity policies in the cyber-physical ecosystem.
This paper provides practical guidance to UK-based financial institutions (UKFIs) that are subject to the “operational resilience” guideline requirements of the Bank of England (BoE), the Prudential Regulation Authority and the Financial Conduct Authority, issued in 2021 and fully effective from 31 March 2025. It contains practical suggestions and recommendations to assist UKFIs in implementing the guidelines. The scope of the paper covers issues related to (a) reviewing the latest equivalent operational resilience guidance in other countries and internationally, (b) identifying key issues related to risk culture, risk appetite, information technology, tolerance setting, risk modelling, scenario planning and customer-oriented operational resilience, (c) identifying a framework for operational resilience based on a thorough understanding of these parameters, and (d) designing and implementing an operational resilience maturity dashboard based on a sample of large UKFIs. The study also contains recommendations for further action, including enhanced controls and operational risk management frameworks. It concludes by identifying imperative policy actions to ensure that the implementation of the guidelines is more effective.
This paper presents the first empirical analysis demonstrating how international security influences global data flows. Firms exchange data traffic to achieve fast, stable, and affordable access to digital infrastructure, driving digital interdependence. While international security shapes economic interdependence, the mechanisms linking the two – sanctions, tariffs, boycotts, and contracts – create little risk for Internet interconnection, which is commonly exempted from sanction and tariff regimes, not directly consumed by the public, and not enabled through traditional contracts. I theorize that international conflict generates cybersecurity externalities as state and non-state actors directly weaponize digital interdependence. Firms and their networks sit directly in the path of future conflicts. Leveraging network topographical measurements from computer engineering, I test whether conflict expectations increase states’ mutual reliance to move data. I find robust evidence that power politics shapes digital interdependence and use additional analyses to argue that externalities, rather than state preferences, drive this process.
In the early 2000s, cybersecurity breaches were classified as “Internet crimes” and therefore managed through the tools of the criminal justice system. The Budapest Convention on Cybercrime introduced new offences and new procedural guidelines, updating the categories of criminal law and criminal procedure for the digital age. This approach, unfortunately, has proved to be insufficient. To face the growing number of threats, the EU has shifted towards a much more preemptive, administrative-law-based approach to cybersecurity, with a view to protecting critical infrastructure and industries from disruptive attacks. The criminal layer, however, has not been replaced: the relevant international instruments are still there, and they have recently been extended to cover more ground. The essay examines the new wave of legislation on cybercrime, such as the United Nations Cybercrime Treaty, and tries to identify the interactions and frictions between these two different strategies for countering abusive cyber operations.
Cybersecurity is a concern to be tackled not only by individual States but also by the European Union as a whole. Building on the recent adoption of Regulation (EU) 2025/38, the so-called Cyber Solidarity Act, the study analyses the creation of a supranational capacity to prevent and respond to cyber incidents by answering the following questions: how, and to what extent, is solidarity given concrete form in the act in question? How do the mechanisms provided for by this act interact in practice with the Member States’ prerogatives in the broader security domain?
Chapter 15 discusses the new Digital Operational Resilience Act (DORA) in the context of cryptoassets and decentralised finance. Section 15.1 introduces the cybersecurity challenge, while Section 15.2 explains DORA’s objectives, approach, and its link to MiCA. Then, Section 15.3 provides an analysis of DORA’s scope, and Section 15.4 gives an overview of DORA’s tools, explaining each of DORA’s Chapters II–VII. Then, Section 15.5 delves into the crypto-specific matters, explaining the MiCA plus DORA situation and analysing the difficult issues of applying DORA’s concepts of “financial entities” and “ICT third-party service providers” in the context of decentralised finance, including fully decentralised crypto networks. Section 15.6 concludes.
This study analyzes National Cyber Security Strategies (NCSSs) of G20 countries through a novel combination of qualitative and quantitative methodologies. It focuses on delineating the shared objectives, distinct priorities, latent themes, and key priorities within the NCSSs. The Latent Dirichlet Allocation topic modeling technique was used to identify implicit themes in the NCSSs to augment the explicitly articulated strategies. By exploring the latest versions of NCSS documents, the research uncovers a detailed panorama of multinational cybersecurity dynamics, offering insights into the complexities of shared and unique national cybersecurity challenges. Although challenged by the translation of non-English documents and the intrinsic limitations of topic modeling, the study significantly contributes to the cybersecurity policy domain, suggesting directions for future research to broaden the analytical scope and incorporate more diverse national contexts. In essence, this research underscores the indispensability of a multifaceted, analytical approach in understanding and devising NCSSs, vital for navigating the complex and ever-changing digital threat environment.
The swift proliferation of connected devices in the Internal Market brought attention to their weak cybersecurity standard, reflected by widespread and oftentimes unpatched vulnerabilities and successful cyberattacks. Attacks on cyber-physical systems have a critical impact not only on the Union’s economy but also on consumers’ health, safety, and fundamental rights. Against the background of the market failure in the cybersecurity of connected devices, Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act, CRA) entered into force on 10 December 2024. After casting light on the three foundational regulatory choices underpinning this EU legal act in the field of cybersecurity (i.e., a horizontal approach, a risk-based approach, and a product safety approach), the article investigates the extent to which the CRA enhances the protection of fundamental rights, as claimed in the Explanatory Memorandum of the Commission’s proposal.
The rules of war, formally known as international humanitarian law, have been developing for centuries, reflecting society’s moral compass, the evolution of its values, and technological progress. While humanitarian law has been successful in prohibiting the use of certain methods and means of warfare, it is nevertheless destined to remain in a constant catch-up cycle with the atrocities of war. Nowadays, the widespread development and adoption of digital technologies in warfare, including AI, are leading to some of the biggest changes in human history. Is international humanitarian law up to the task of addressing the threats those technologies can present in the context of armed conflicts? This chapter provides a basic understanding of the system, principles, and internal logic of this legal domain, which is necessary to evaluate the actual or potential role of AI systems in (non-)international armed conflicts. The chapter aims to contribute to the discussion of the ex-ante regulation of AI systems used for military purposes beyond the scope of lethal autonomous weapons, as well as to recognize the potential that AI carries for improving the applicability of the basic principles of international humanitarian law, if used in an accountable and responsible way.
The growing concern over cyber risk has become a pivotal issue in the business world. Firms can mitigate this risk through two primary strategies: investing in cybersecurity practices and purchasing cyber insurance. Cybersecurity investments reduce the compromise probability, while cyber insurance transfers potential losses to insurers. This study employs a network model for the spread of infection among interconnected firms and investigates how each firm’s decisions impact the others. We analyze a non-cooperative game in which each firm aims to optimize its objective function through choices of cybersecurity level and insurance coverage ratio. We find that each firm’s cybersecurity investment and insurance purchase are strategic complements. Within this game, we derive sufficient conditions for the existence and uniqueness of a Nash equilibrium and demonstrate its inefficiency. These theoretical results form the foundation for our numerical studies, allowing us to compute firms’ equilibrium decisions on cybersecurity investments and insurance purchases across various network structures. The numerical results shed light on the impact of network structure on equilibrium decisions and explore how varying insurance premiums influence firms’ cybersecurity investments.
This article explores Vietnam’s distinctive approach to data privacy regulation and its implications for established understandings of privacy law. While global data privacy regulations are premised on individual freedom and the integrity of information flows, the recent Vietnamese Decree 13/2023/NĐ-CP on Personal Data Protection (hereinafter PDPD) prioritises state oversight and centralised control over information flows to safeguard collective interests and cyberspace security. This fresh regulatory logic puts data privacy under the regulation of government agencies and moves the privacy law arena even further away from the already distant judicial power. This prompts an exploration of the nuances underlying the ways regulators and the regulated communities understand data privacy regulation. The article draws on social constructionist accounts of regulation and discourse analysis to explore the epistemic interaction between regulators and those subject to regulation during the PDPD’s drafting period. The process is highlighted by the dynamics between actors within a complex semantic network established by the state’s policy initiatives, where tacit assumptions and normative beliefs direct the way actors in various communities favour one type of thinking about data privacy regulation over another. The findings suggest that reforms to privacy laws may not result in “more privacy” for individuals and that divergences in global privacy regulation may not be easily explained by drawing merely on cultural and institutional variances.
Digital sovereignty is a fluid and complex concept. This chapter highlights the necessity to consider digital sovereignty strategies, policies, and governance mechanisms from a holistic and long-term perspective. Digital sovereignty plays a pivotal role in fostering self-determination, while remaining critical to cybersecurity and the control capabilities of the “digital sovereign.” The “sovereign” can be an individual, a community, a corporation, a state, or a group of states. Taking an agnostic approach to digital sovereignty, the authors explore diverse practices and provide insight into what this concept means in practical terms. Digital technologies can facilitate enormous advancements to be put at the service of people, but can also be weaponized against individuals, corporations, and nation-states. BRICS countries’ approaches offer telling examples of not only how and why the need for digital sovereignty can emerge but also how dysfunctional the implementation of digital sovereignty policies may become without a coherent and long-term vision. Ultimately BRICS experiences illustrate that enhancing a digital sovereign’s self-determination, cybersecurity, and control is likely to reduce the undue influence of other digital actors. However, the success of a digital sovereignty strategy largely depends on the understanding, consistency, resourcefulness, and, ultimately, organizational capabilities of aspiring digital sovereigns.
The development of medical artificial intelligence is dependent on the availability of vast quantities of data, a considerable proportion of which is medical data containing sensitive information pertaining to the health and well-being of patients. The use of such data is subject to extensive legal regulation and is further hindered by financial and organisational constraints, which can result in limitations on accessibility. One potential solution to this problem is the use of synthetic data. This article examines the potential for their use in light of cybersecurity requirements derived from horizontal and sectoral EU legislation. The outcome of this analysis is that EU legislation does not contain specific regulations on the use of synthetic data. Consequently, it cannot be concluded that there is any prohibition on their use. Moreover, while the Medical Device Regulation (MDR) contains some general requirements for cybersecurity, these are further specified by the provisions of the AI Act. It is important to note, however, that the AI Act will not apply to Class I medical devices, which are subject only to the MDR. Furthermore, only indirect obligations within the scope under consideration can be derived from the horizontal regulations, which will apply in a limited number of cases.
Cybersecurity has emerged as a paramount concern in today’s digital age, especially when considering the vast range of digital assets now in circulation, among which non-fungible tokens (NFTs) hold significant prominence. This chapter delves deeply into the intricate landscape of cybersecurity as it pertains to NFTs. By meticulously analyzing the multifaceted technical challenges and potential vulnerabilities inherent to NFTs from a cybersecurity perspective, this chapter seeks to provide an overview of the landscape as of this writing. Furthermore, this chapter explores how existing laws, policies, and societal norms have addressed these issues thus far, and speculates on how they might evolve in the future to more effectively bridge the governance gaps and safeguard these unique digital assets.
Global digital integration is desirable and perhaps even inevitable for most States. However, there is currently no systematic framework or narrative to drive such integration in trade agreements. This article evaluates whether community values can offer a normative foundation for rules governing digital trade. It uses the African Continental Free Trade Area (AfCFTA) Digital Trade Protocol as a case study and argues that identifying and solidifying the collective needs of the African region through this instrument will be key to shaping an inclusive and holistic regional framework. These arguments are substantiated by analysis of the regulation of cross-border data flows, privacy and cybersecurity.
In this article, I critically examine the ‘Cyber Kill Chain’, a methodological framework for thought and action that shapes both contemporary cybersecurity practice and the discursive construction of security threats. The history and epistemology of the Cyber Kill Chain provide unique insight into the practice of contemporary cybersecurity, insofar as the Kill Chain provides cybersecurity practitioners with predetermined categories and indicators of threat that shape how threats are conceptualised and understood by defenders and suggests actions to secure against them. Locating the origins of the kill chain concept in US military operational logics, its transformation through the anticipatory inquiries of intelligence, and its automation in computational networks, this article argues that the Cyber Kill Chain is emblematic of a vigilant socio-technical logic of security, where human perception, technical sensing, and automation all respond to and co-produce the (in)security through which political security concerns are articulated. This practice makes politics; it excludes, includes, and shapes what is perceived to be dangerous and not, directly impacting the security constructed. Through a critical reading of the Cyber Kill Chain, this article provides insight into cybersecurity practitioners’ epistemic practice and as such contributes to discussions of cybersecurity expertise, threat construction, and the way in which cybersecurity is understood and practised as a global security concern.
Phishing emails cost companies millions. In the absence of technology to perfectly block phishing emails, the responsibility falls on employees to identify and appropriately respond to phishing attempts and on employers to train them to do so. We report results from an experiment with around 11,000 employees of a large U.S. corporation, testing the efficacy of just-in-time feedback delivered at a teachable moment – immediately after succumbing to a phishing email – to reduce susceptibility to phishing emails. Employees in the study were sent an initial pseudo-phishing email, and those who either ignored or fell victim to the phishing email were randomized to receive or not receive feedback about their response. Just-in-time feedback for employees who fell victim to or ignored the initial pseudo-phishing email reduced susceptibility to a second pseudo-phishing email sent by the research team. Additionally, for employees who ignored the initial email, feedback also increased reporting rates.
One of the pillars on which product liability law is based is the development risk defence. According to this defence, the producer is not liable for the damage caused to the injured party if, at the time the product was put into circulation, the state of scientific and technical knowledge did not allow the existence of the defect to be discovered. The Proposal for a Directive drafted by the European Commission and published on 28 September 2022 continues to provide, in Article 10(1)(e), for the development risk defence. The Proposal for a Directive refers to this particular issue in Recital 39, which introduces some requirements for the assessment of the defence.
However, despite this recognition, does this defence fit the digital paradigm, and how can it be applied to damage caused by defects in products with digital elements that incorporate artificial intelligence?
This chapter outlines the significance of the digital revolution for International Relations. The first section establishes the political context that shaped the development of the internet, showing how this informed both its technical building blocks and modes of governance. The second section explains how these new technologies also entailed a distinct set of vulnerabilities. In doing so, it highlights the emergence of cybersecurity as an issue of national security, including the potential for cyber warfare between states. The third section introduces the politics of social media platforms that have enhanced pro-democracy movements such as the Arab Spring, but also driven polarisation, fostered extremism and been harnessed by a range of actors, from terrorist groups and intelligence services through to diplomats and even heads of state. The final section tracks the rise of internet sovereignty, which began in the early 2000s and has since become a significant international political tension point. We highlight how some states have sought to control information within their geographical borders, and use online censorship, propaganda and surveillance to govern their populations.
The Covid-19 pandemic saw a surge in cyber attacks targeting pharmaceutical companies and research organisations working on vaccines and treatments for the virus. Such attacks raised concerns around the (in)security of bioinformation (e.g. genomic data, epidemiological data, biomedical data, and health data) and the potential cyberbio risks resulting from stealing, compromising, or exploiting it in hostile cyber operations. This article critically investigates threat discourses around bioinformation as presented in the newly emerging field of ‘cyberbiosecurity’. As introduced by scholarly literature in life sciences, cyberbiosecurity aims to understand and address cyber risks engendered by the digitisation of biology. Such risks include, for example, embedding malware in DNA, corrupting gene-sequencing, manipulating biomedical materials, stealing epidemiological data, or even developing biological weapons and spreading diseases. This article brings the discussion on cyberbiosecurity into the realms of International Relations and Security Studies by problematising the futuristic threat discourses co-producing this burgeoning field and the pre-emptive security measures it advocates, specifically in relation to bioinformation. It analyses how cyberbiosecurity as a concept and field of policy analysis influences the existing securitised governance of bioinformation, the global competition to control it, and the inequalities associated with its ownership and dissemination. As such, the article presents a critical intervention in current debates around the intersection between biological dangers and cyber threats and in the calls for ‘peculiar’ policy measures to defend against cyberbio risks in the ‘new normal’.