ACIG's Editor-in-Chief, prof. Aleksandra Gasztold, spoke with prof. Paul Timmers about the challenges of simplifying cybersecurity regulations and advancing Europe’s digital sovereignty
Prof. Paul Timmers is a research associate at the University of Oxford, professor at KU Leuven, President of the Supervisory Board of the Estonian eGovernance Academy, CEO of iivii and partner at WeltWert.
Aleksandra Gasztold: In your report, you emphasize the need to simplify complex cybersecurity regulations and prioritize critical cybersecurity risks. This approach is essential to ensuring Europe’s digital sovereignty and making sure that policies are both effective and manageable. What are the most significant challenges in the current cybersecurity regulations that create confusion for stakeholders?
Paul Timmers: The landscape of EU cybersecurity rules and regulations is quite complex, even if the laws themselves are not contested. Complexity can lead to confusion, which in turn delays compliance and costs precious resources. For instance, a critical infrastructure company may have to understand the Network and Information Security Directive, the Critical Entities Resilience Act, the Cyber Resilience Act, the Cyber Security Act for certification, and likely sectoral rules when in telecoms, energy, or finance. This is in addition to data protection regulation, the GDPR, and possibly the AI Act. The need for legislative understanding also gets pushed upstream in the supply chains, where many other and smaller companies may be involved.
Aleksandra Gasztold: Can you briefly explain how simplifying these regulations could accelerate Europe’s progress toward cybersecurity sovereignty?
Paul Timmers: Guidance can help with navigating the cybersecurity regulatory landscape by cutting through the maze of rules and making regulation better understood, more effective and more accepted. Guidance should be accompanied by helpdesks at national level to assist domestic companies. We thereby promote both cybersecurity and strategic autonomy. One could argue that the market can take care of providing such guidance, but a lesson from the GDPR is that the market neither does so in a timely fashion nor in a way that, as a matter of priority, benefits European companies.
Aleksandra Gasztold: What specific steps do you recommend to make EU regulations easier to implement for businesses and governments?
Paul Timmers: A concrete way forward is to provide clear and authoritative guidance in the form of European Commission (EC) Recommendations. In addition, I would do two things: make some funding available from the EU Digital Europe Program for helpdesks and provide feedback from these helpdesks to the legislators for the review of the laws (usually in three years). This is not a plea for additional regulation. Recommendations are a normal soft legislation mechanism that can be in place fast, much faster than hard legislation.
Finally, would we not all be relieved if technology were also made simpler and adhered to security-by-default? Let’s challenge tech companies to take their responsibility in this respect.
References:
C. Stolwijk, M. Punter, P. Timmers, J. Rabbie, D. Regeczi and S. Dalmolen (2024) Towards a sovereign digital future – the Netherlands in Europe. TNO. https://publications.tno.nl/publication/34642268/o5remY/TNO-2024-R10300.pdf
P. Timmers, M. Punter and C. Stolwijk (2024) Cybersecurity and Digital sovereignty—Bridging the gaps. TNO. https://publications.tno.nl/publication/34643188/DvSKsfCM/timmers-2024-cybersecurity.pdf