Cybersecurity is a concern to be tackled not only by individual States but also by the European Union as a whole. Building on the recent adoption of Regulation (EU) 2025/38, the so-called Cyber Solidarity Act, the study intends to analyse the creation of a supranational capacity to prevent and respond to cyber incidents, by answering the following questions: how and to what extent is solidarity concretely articulated in the act in question? How do the mechanisms provided for by this act concretely interact with the Member States’ prerogatives in the broader security domain?
Chapter 15 discusses the new Digital Operational Resilience Act (DORA) in the context of cryptoassets and decentralised finance. Section 15.1 introduces the cybersecurity challenge, while Section 15.2 explains DORA’s objectives, approach, and its link to MiCA. Then, Section 15.3 provides an analysis of DORA’s scope, and Section 15.4 gives an overview of DORA’s tools, explaining each of DORA’s Chapters II–VII. Then, Section 15.5 delves into the crypto-specific matters, explaining the MiCA plus DORA situation and analysing the difficult issues of applying DORA’s concepts of “financial entities” and “ICT third-party service providers” in the context of decentralised finance, including fully decentralised crypto networks. Section 15.6 concludes.
This study analyzes National Cyber Security Strategies (NCSSs) of G20 countries through a novel combination of qualitative and quantitative methodologies. It focuses on delineating the shared objectives, distinct priorities, latent themes, and key priorities within the NCSSs. The Latent Dirichlet Allocation topic modeling technique was used to identify implicit themes in the NCSSs to augment the explicitly articulated strategies. By exploring the latest versions of NCSS documents, the research uncovers a detailed panorama of multinational cybersecurity dynamics, offering insights into the complexities of shared and unique national cybersecurity challenges. Although challenged by the translation of non-English documents and the intrinsic limitations of topic modeling, the study significantly contributes to the cybersecurity policy domain, suggesting directions for future research to broaden the analytical scope and incorporate more diverse national contexts. In essence, this research underscores the indispensability of a multifaceted, analytical approach in understanding and devising NCSSs, vital for navigating the complex and ever-changing digital threat environment.
The swift proliferation of connected devices in the Internal Market brought attention to their weak cybersecurity standard, reflected by widespread and oftentimes unpatched vulnerabilities and successful cyberattacks. Attacks on cyber-physical systems have a critical impact not only on the Union’s economy but also on consumers’ health, safety, and fundamental rights. Against the background of the failure of the cybersecurity market of connected devices, Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act, CRA) entered into force on 10 December 2024. After casting light on the three regulatory foundational choices underpinning this EU legal act in the field of cybersecurity (i.e., horizontal approach, risk-based approach, product safety approach), the article investigates the extent to which the CRA enhances the protection of fundamental rights, as claimed in the Explanatory Memorandum of the Commission’s proposal.
The rules of war, formally known as international humanitarian law, have been developing for centuries, reflecting society’s moral compass, the evolution of its values, and technological progress. While humanitarian law has been successful in prohibiting the use of certain methods and means of warfare, it is nevertheless destined to remain in a constant catch-up cycle with the atrocities of war. Nowadays, the widespread development and adoption of digital technologies in warfare, including AI, are leading to some of the biggest changes in human history. Is international humanitarian law up to the task of addressing the threats those technologies can present in the context of armed conflicts? This chapter provides a basic understanding of the system, principles, and internal logic of this legal domain, which is necessary to evaluate the actual or potential role of AI systems in (non-)international armed conflicts. The chapter aims to contribute to the discussion of the ex-ante regulation of AI systems used for military purposes beyond the scope of lethal autonomous weapons, as well as to recognize the potential that AI carries for improving the applicability of the basic principles of international humanitarian law, if used in an accountable and responsible way.
The growing concern over cyber risk has become a pivotal issue in the business world. Firms can mitigate this risk through two primary strategies: investing in cybersecurity practices and purchasing cyber insurance. Cybersecurity investments reduce the compromise probability, while cyber insurance transfers potential losses to insurers. This study employs a network model for the spread of infection among interconnected firms and investigates how each firm’s decisions impact each other. We analyze a non-cooperative game in which each firm aims to optimize its objective function through choices of cybersecurity level and insurance coverage ratio. We find that each firm’s cybersecurity investment and insurance purchase are strategic complements. Within this game, we derive sufficient conditions for the existence and uniqueness of Nash equilibrium and demonstrate its inefficiency. These theoretical results form the foundation for our numerical studies, allowing us to compute firms’ equilibrium decisions on cybersecurity investments and insurance purchases across various network structures. The numerical results shed light on the impact of network structure on equilibrium decisions and explore how varying insurance premiums influence firms’ cybersecurity investments.
This article explores Vietnam’s distinctive approach to data privacy regulation and its implications for the established understandings of privacy law. While global data privacy regulations are premised on individual freedom and integrity of information flows, the recent Vietnamese Decree 13/2023/NĐ-CP on Personal Data Protection (herein PDPD) prioritises state oversight and centralised control over information flows to safeguard collective interests and cyberspace security. The fresh regulatory logic puts data privacy under the regulation of government agencies and moves the privacy law arena even further away from the already distant judicial power. This prompts an exploration of the nuances underlying the ways regulators and the regulated communities understand data privacy regulation. The article draws on social constructionist accounts of regulation and discourse analysis to explore the epistemic interaction between regulators and those subject to regulation during the PDPD’s drafting period. The process is highlighted by the dynamics between actors within a complex semantic network established by the state’s policy initiatives, where tacit assumptions and normative beliefs direct the way actors in various communities favour one type of thinking about data privacy regulation over another. The findings suggest that reforms to privacy laws may not result in “more privacy” for individuals and that divergences in global privacy regulation may not be easily explained by drawing merely from cultural and institutional variances.
Digital sovereignty is a fluid and complex concept. This chapter highlights the necessity to consider digital sovereignty strategies, policies, and governance mechanisms from a holistic and long-term perspective. Digital sovereignty plays a pivotal role in fostering self-determination, while remaining critical to cybersecurity and the control capabilities of the “digital sovereign.” The “sovereign” can be an individual, a community, a corporation, a state, or a group of states. Taking an agnostic approach to digital sovereignty, the authors explore diverse practices and provide insight into what this concept means in practical terms. Digital technologies can facilitate enormous advancements to be put at the service of people, but can also be weaponized against individuals, corporations, and nation-states. BRICS countries’ approaches offer telling examples of not only how and why the need for digital sovereignty can emerge but also how dysfunctional the implementation of digital sovereignty policies may become without a coherent and long-term vision. Ultimately BRICS experiences illustrate that enhancing a digital sovereign’s self-determination, cybersecurity, and control is likely to reduce the undue influence of other digital actors. However, the success of a digital sovereignty strategy largely depends on the understanding, consistency, resourcefulness, and, ultimately, organizational capabilities of aspiring digital sovereigns.
The development of medical artificial intelligence is dependent on the availability of vast quantities of data, a considerable proportion of which is medical data containing sensitive information pertaining to the health and well-being of patients. The use of such data is subject to extensive legal regulation and is further hindered by financial and organisational constraints, which can result in limitations on accessibility. One potential solution to this problem is the use of synthetic data. This article examines the potential for their use in light of cybersecurity requirements derived from horizontal and sectoral EU legislation. The outcome of this analysis is that EU legislation does not contain specific regulations on the use of synthetic data. Consequently, it cannot be concluded that there is any prohibition on their use. Moreover, while the Medical Device Regulation (MDR) contains some general requirements for cybersecurity, these are further specified by the provisions of the AI Act. It is important to note, however, that the AI Act will not apply to Class I medical devices, which are subject only to the MDR. Furthermore, only indirect obligations within the scope under consideration can be derived from the horizontal regulations, which will apply in a limited number of cases.
Cybersecurity has emerged as a paramount concern in today’s digital age, especially when considering the vast range of digital assets now in circulation, among which non-fungible tokens (NFTs) hold significant prominence. This chapter delves deeply into the intricate landscape of cybersecurity as it pertains to NFTs. By meticulously analyzing the multifaceted technical challenges and potential vulnerabilities inherent to NFTs from a cybersecurity perspective, this chapter seeks to provide an overview of the landscape as of this writing. Furthermore, this chapter explores how existing laws, policies, and societal norms have addressed these issues thus far, and speculates on how they might evolve in the future to more effectively bridge the governance gaps and safeguard these unique digital assets.
Global digital integration is desirable and perhaps even inevitable for most States. However, there is currently no systematic framework or narrative to drive such integration in trade agreements. This article evaluates whether community values can offer a normative foundation for rules governing digital trade. It uses the African Continental Free Trade Area (AfCFTA) Digital Trade Protocol as a case study and argues that identifying and solidifying the collective needs of the African region through this instrument will be key to shaping an inclusive and holistic regional framework. These arguments are substantiated by analysis of the regulation of cross-border data flows, privacy and cybersecurity.
In this article, I critically examine the ‘Cyber Kill Chain’, a methodological framework for thought and action that shapes both contemporary cybersecurity practice and the discursive construction of security threats. The history and epistemology of the Cyber Kill Chain provide unique insight into the practice of contemporary cybersecurity, insofar as the Kill Chain provides cybersecurity practitioners with predetermined categories and indicators of threat that shape how threats are conceptualised and understood by defenders and suggests actions to secure against them. Locating the origins of the kill chain concept in US military operational logics, its transformation through the anticipatory inquiries of intelligence, and its automation in computational networks, this article argues that the Cyber Kill Chain is emblematic of a vigilant socio-technical logic of security, where human perception, technical sensing, and automation all respond to and co-produce the (in)security through which political security concerns are articulated. This practice makes politics; it excludes, includes, and shapes what is perceived to be dangerous and not, directly impacting the security constructed. Through a critical reading of the Cyber Kill Chain, this article provides insight into cybersecurity practitioners’ epistemic practice and as such contributes to discussions of cybersecurity expertise, threat construction, and the way in which cybersecurity is understood and practised as a global security concern.
Phishing emails cost companies millions. In the absence of technology to perfectly block phishing emails, the responsibility falls on employees to identify and appropriately respond to phishing attempts and on employers to train them to do so. We report results from an experiment with around 11,000 employees of a large U.S. corporation, testing the efficacy of just-in-time feedback delivered at a teachable moment – immediately after succumbing to a phishing email – to reduce susceptibility to phishing emails. Employees in the study were sent an initial pseudo-phishing email, and those who either ignored or fell victim to the phishing email were randomized to receive or not receive feedback about their response. Just-in-time feedback for employees who fell victim to or ignored the initial pseudo-phishing email reduced susceptibility to a second pseudo-phishing email sent by the research team. Additionally, for employees who ignored the initial email, feedback also increased reporting rates.
One of the pillars on which product liability law is based is the defence for development risks. According to this defence, the producer is not liable for the damage caused to the injured party if, at the time the product was put into circulation, the state of scientific and technical knowledge did not allow the existence of the defect to be discovered. The Proposal for a Directive drafted by the European Commission and published on 28 September 2022 continues to provide, in Article 10.1.e), the defence for development risks. The Proposal for a Directive refers to this particular issue in Recital 39, which introduces some requirements for the assessment of such defence.
However, despite this recognition, does this defence fit into the digital paradigm, and how can it be applied to damage caused by defects in products with digital elements that incorporate artificial intelligence?
This chapter outlines the significance of the digital revolution for International Relations. The first section establishes the political context that shaped the development of the internet, showing how this informed both its technical building blocks and modes of governance. The second section explains how these new technologies also entailed a distinct set of vulnerabilities. In doing so, it highlights the emergence of cybersecurity as an issue of national security, including the potential for cyber warfare between states. The third section introduces the politics of social media platforms that have enhanced pro-democracy movements such as the Arab Spring, but also driven polarisation, fostered extremism and been harnessed by a range of actors, from terrorist groups and intelligence services through to diplomats and even heads of state. The final section tracks the rise of internet sovereignty, which began in the early 2000s and has since become a significant international political tension point. We highlight how some states have sought to control information within their geographical borders, and use online censorship, propaganda and surveillance to govern their populations.
The Covid-19 pandemic saw a surge in cyber attacks targeting pharmaceutical companies and research organisations working on vaccines and treatments for the virus. Such attacks raised concerns around the (in)security of bioinformation (e.g. genomic data, epidemiological data, biomedical data, and health data) and the potential cyberbio risks resulting from stealing, compromising, or exploiting it in hostile cyber operations. This article critically investigates threat discourses around bioinformation as presented in the newly emerging field of ‘cyberbiosecurity’. As introduced by scholarly literature in life sciences, cyberbiosecurity aims to understand and address cyber risks engendered by the digitisation of biology. Such risks include, for example, embedding malware in DNA, corrupting gene-sequencing, manipulating biomedical materials, stealing epidemiological data, or even developing biological weapons and spreading diseases. This article brings the discussion on cyberbiosecurity into the realms of International Relations and Security Studies by problematising the futuristic threat discourses co-producing this burgeoning field and the pre-emptive security measures it advocates, specifically in relation to bioinformation. It analyses how cyberbiosecurity as a concept and field of policy analysis influences the existing securitised governance of bioinformation, the global competition to control it, and the inequalities associated with its ownership and dissemination. As such, the article presents a critical intervention in current debates around the intersection between biological dangers and cyber threats and in the calls for ‘peculiar’ policy measures to defend against cyberbio risks in the ‘new normal’.
The proposal for a European Health Data Space aims at creating a common space where individuals may control their health data in a trusted and secure way. The objective is not only improving healthcare delivery, but also enhancing the opportunities to use health data for research and innovation. To achieve these results, the proposal implements a mandatory self-certification scheme for European health records systems as well as for wellness devices and applications, setting up essential requirements related to interoperability and security. Although this is the first intervention that sets a horizontal framework that is mandatory for all Member States, the security requirements that are included in the legislative proposal are not sufficiently detailed and comprehensive. Given that cyberthreats are increasing and security incidents affecting health data may potentially have an impact on the lives of patients, it is important that cybersecurity measures are adopted and implemented in the most effective way. The paper will analyse the European Health Data Space proposal, pointing to the open issues and doubts that may be emerging, and it will compare them with the proposed Cyber Resilience Act, identifying the issues that may be solved thanks to this horizontal regulation and the ones that instead remain open.
Cybersecurity of medical devices has become a concrete concern for regulators and policymakers in the European Union and United States. Following the COVID-19 pandemic, there has been an increase in cyber-attacks on critical healthcare infrastructures and their IT systems, which have suffered service disruptions and put patients’ health and safety at risk. The increase in cyberattacks on healthcare infrastructure, including medical devices, exacerbated by the growing digitalisation of healthcare services in the EU and the US, has led legislators and regulatory bodies to pay more attention to cybersecurity. Cybersecurity of AI-based medical devices requires the assessment of three areas subject to evolving regulatory approaches: medical devices, Artificial Intelligence (AI), and cybersecurity. Although they may appear distinct in regulatory matters, the existence of AI-based medical devices and their possible cyber vulnerabilities makes clear that the three are intertwined and deserve closer attention from a regulatory point of view. Few scholars have devoted attention to AI and cybersecurity together. Even fewer, in our understanding, are comprehensive EU/US comparative studies that reflect on this specific issue. This paper aims to fill this gap and address the main implications of different regulatory approaches toward AI medical device cybersecurity in the EU and the US. The research stems from the assumption that regulation of medical devices in the EU has been historically inspired by regulatory trends in the US, although with the different cultural, societal, and legal traditions that made them adapt to the specificities of the territory. The paper observes that the US is a rule-based system reflecting a “command-and-control” approach, while the EU system is a principle-based one. While they share the main characteristic of being risk-regulation-based systems, their differences impact how AI-enhanced cybersecurity is regulated.
The question of how to balance free data flows and national policy objectives, especially data privacy and security, is key to advancing the benefits of the digital economy. After establishing that new digital technologies have further integrated physical and digital activities, and thus, more and more of our social interactions are being sensed and datafied, Chapter 6 argues that innovative regulatory approaches are needed to respond to the impact of big data analytics on existing privacy and cybersecurity regimes. At the crossroads, where multistakeholderism meets multilateralism, the roles of the public and private sectors should be reconfigured for a datafied world. Looking to the future, rapid technological developments and market changes call for further public–private convergence in data governance, allowing both public authorities and private actors to jointly reshape the norms of cross-border data flows. Under such an umbrella, the appropriate role of multilateral, state-based norm-setting in Internet governance includes the oversight of the balance between the free flow of data and other legitimate public policies, as well as engagement in the coordination of international standards.
Although today’s power grids have their own sensing and control communications infrastructure in dedicated networks operating separately from the publicly used information and communication networks (ICNs), technological advances may lead to more integrated electric power and ICN infrastructures. Some of the motivating technological changes that may act as catalysts for such increased integration of both infrastructures include the need for much higher power supply resilience for ICN sites, development of an “Internet of Things,” and the increased communication needs for electric power devices at users’ homes or at the power distribution level of the grid as part of power systems’ evolution into “smarter” grids. Hence, this chapter explores the implications in terms of resilience of integrated electric power and ICN infrastructures. In particular, the use of integrated power management to facilitate the use of renewable energy sources is discussed. Fundamental concepts about cybersecurity are also presented.