Information and Technology Law (FINAL SPEECH)
1° Lecture: 22/09/2025
Over the years, cyber-attacks have become more frequent, larger in scale,
and more sophisticated, and that’s why cybersecurity is now a top priority.
We can group cyber-threats into four main categories:
- Cyber war
- Cyber espionage
- Cyber terrorism and vandalism
- Cybercrime
Cybersecurity includes all actions to prevent and reduce cyber threats. It
focuses on:
- Network and information security
- Fighting cybercrime
- Cyber defense
Cybersecurity law focuses on protecting not just data, but also systems
and networks in both the public and private sectors. It is based on three
fundamental principles:
• Confidentiality: which means preventing unauthorized access to information.
• Integrity: which ensures that data is not altered during transmission.
• Availability: meaning information must be accessible when needed, without delays.
This protection applies to all sectors—public and private alike—since both
are vulnerable to cyber threats.
To achieve this, laws can be coercive (hard laws that impose obligations)
or cooperative (soft laws that encourage investment and good practices).
In many cases, cooperative laws are more effective because they promote
proactive security measures.
Cybersecurity laws must also take a forward-looking approach, aiming not
just to respond to incidents, but to prevent attacks in the first place.
Ultimately, the goal is to reduce or prevent harm in three critical areas:
• Harm to individuals.
• Harm to business interests.
• Harm to national security.
To be truly effective, cybersecurity laws must:
- Be flexible and adaptable.
- Consider the human factor.
- Be updated regularly to deal with new risks.
- Promote cooperation and information sharing.
2° Lecture: 29/09/2025
The EU can only act in cybersecurity if the power is explicitly conferred by
the Treaties, and this is called the principle of conferral. Anything not
given to the EU stays with the Member States, especially in areas like
national security, which remains their full responsibility.
When the EU acts, it must also respect the principles of subsidiarity and
proportionality. That means the EU should intervene only when objectives
cannot be reached by Member States alone, and the action should not go
beyond what is necessary.
The EU builds its cybersecurity laws on several Treaty articles, including:
• Art. 114 TFEU: Internal market
• Art. 62 and 53(1): Freedom to provide services
• Art. 127(2) and 132(1): Payment systems
• Art. 83(1): Freedom, security, and justice
• Art. 74: Coordination at EU level
To respond to increasing cyber threats, the EU launched the ProtectEU
strategy, which focuses on:
• Protecting critical infrastructure
• Enhancing cybersecurity
• Securing transport hubs
• Fighting online threats
Given that malicious cyber activities are ongoing, the EU must give
constant attention to cybersecurity. This led to laws like:
• The NIS2 Directive
• The Cyber Resilience Act
• The Cyber Solidarity Act
• The 2025 Hospital Cybersecurity Action Plan
Future priorities include:
• Information sharing
• Supply chain protection
• Ransomware response
• Promoting technological sovereignty
The EU uses a decentralized structure, dividing responsibilities into:
1. Network and Information Security:
→ Handled by ENISA, which also works on certification and resilience
2. Cybercrime:
→ Managed by EC3 (European Cybercrime Centre)
3. Cyber Defense:
→ Guided by the European Defence Agency
All of these are coordinated by the Joint Cyber Unit, which supports:
• Inventories of EU cyber capabilities
• Crisis and situation reports
• Rapid Reaction Teams
• Cooperation agreements
Due to the technical complexity of cybersecurity, private actors play a key
role. This leads to public-private partnerships, or PPPs, which are
long-term agreements between governments and private companies.
ENISA and the EU promote PPPs to improve:
• Information sharing
• Collaboration
• Crisis response
There are four main types of cybersecurity PPPs:
1. Institutional PPPs – Created by legal acts, often involving working
groups and rapid-response teams
2. Goal-oriented PPPs – Focused on specific goals or awareness,
organized as platforms or councils
3. Outsourcing PPPs – Provide services and help with policy
implementation
4. Hybrid PPPs – Use CSIRTs (Computer Security Incident Response
Teams) to manage incidents
PPPs still face problems like:
• Lack of human resources
• Limited public funding
• Low trust or shared understanding
• Poor adoption by SMEs
• Weak legal frameworks
The European Cyber Security Organisation (ECSO) was created in 2016
under Belgian law. It:
• Works as the Commission’s partner for cybersecurity PPPs (e.g. Horizon 2020)
• Brings together cybersecurity companies, public authorities, and researchers
• Promotes policy recommendations and industrial development in Europe
3° Lecture: 01/10/2025
Cybersecurity and cybercrime are tightly linked because both protect the
confidentiality, integrity, and availability of digital infrastructures—just
with different tools.
Cybersecurity uses technical, legal, and organizational safeguards, while
cybercrime law targets illegal acts like hacking, data theft, and fraud.
That’s why criminal law is essential, through two pillars:
- substantive criminal law (offenses and penalties)
- criminal procedure (investigation and prosecution).
Together with cybersecurity, they are mutually reinforcing: they prevent
cybercrime, strengthen resilience, support evidence collection, and
reduce attackers’ incentives.
Today, most crimes have a digital component, and the EU Cybersecurity
Strategy (2020) stresses that resilience alone isn’t enough—legal
accountability matters.
Over the years, cybercrime has also expanded from “computer crime”
into crimes committed in or through cyberspace. According to Koops
(2010), cybercrime is:
- global,
- real-time,
- anonymous,
- fast,
- scalable,
- and de-territorialized.
The Council of Europe Recommendation (1989) pushed cooperation, and
a 1990 report highlighted new legal interests like data integrity, exclusive
access, and digital rights.
This led to the Budapest Convention (2001), the first major treaty in this
area, which:
- criminalizes attacks on digital infrastructures,
- strengthens investigative powers,
- and promotes public–private and inter-state cooperation.
It covers computer integrity crimes (illegal access, misuse of devices),
computer-related crimes (ICT-based forgery/fraud), and corporate liability,
and it requires domestic legislation to make enforcement possible.
At EU level, Article 83 TFEU supports action on serious cross-border crime,
leading to Directive 2013/40/EU. The Directive defines cybercrimes (like
illegal access and data interference), criminalizes tools such as malware,
mandates corporate liability, and requires penalties to be effective,
proportionate, and dissuasive.
Because the problem is global, the UN Convention (2024) was adopted. It
addresses both the benefits and criminal risks of ICTs, aims to prevent and
combat cybercrime, boosts international cooperation and
capacity-building, and insists on human rights protections.
It covers cyber-enabled crimes (child exploitation, online abuse,
laundering, ICT-based fraud), promotes prevention policies, and follows a
multi-stakeholder approach involving states, law enforcement, academia,
industry, and civil society.
In Italy, Law 90/2024 uses a dual approach: a tougher traditional criminal
law line, and a modern line focused on ransomware, adding new offenses
and extending corporate liability.
Ransomware—defined by the Cybercrime Convention Committee and
classified by ENISA as digital extortion—often follows a RaaS model, with
steps of access, execution, blackmail, payment. The human factor,
especially phishing, remains central.
The law introduces special procedural regimes for critical infrastructure
attacks, reduces penalties for collaborating accomplices, and includes
witness protection.
Cybercrime is now also framed under international criminal law, with the
ICC recognizing cyber-enabled genocide, war crimes, crimes against
humanity, and acts of aggression.
So overall, cybercrime isn’t just technical—it’s a matter of international
peace, justice, and security.
4° Lecture: 06/10/2025
In recent years, the EU has strengthened its legal framework on
cybersecurity and digital resilience, updating old directives and
introducing new ones.
Key acts include:
• Directive on the Resilience of Critical Entities (2022)
• NIS 2 Directive (2022)
• Cybersecurity Act (2018)
• Cyber Solidarity Act (2023)
• Cyber Resilience Act, AI Act (2024)
• European Health Data Space (2025)
The Res