Cybersecurity in Finance from a legal perspective: Smart Regulation from Soft Law to Hard Law in a Multi-level Legal Framework

When it comes to regulating a topic as far-reaching and relevant for many different sectors of our economy as cybersecurity, the regulatory approaches required are as manifold as the underlying technical challenges the cybersecurity discipline aims to solve.

The SOTER project is carrying out an overview of the existing regulatory framework in order to understand how different rules, standards and guidance documents interact, to better contextualize the piloting activities of the developed tools.

A variety of regulatory instruments ranging from hard law to soft law has grown to form a complex net of regulation that financial institutions have to consider in the course of their compliance activities.

In contrast to hard law, soft law has a reduced legally binding effect. [1] The reasons for the multi-level regulation of cybersecurity in finance by means of hard law and soft law, as well as some nuances between these two pivotal points, can be found in the fact that there are many different competencies for regulating relevant cases on both member state and European Union level. Moreover, due to the different technological, human factor or merely organisational challenges banks and FinTechs face regarding cybersecurity, a broad range of substantive and procedural provisions facilitates efficient and reasonable regulation.

Within the different regulatory instruments relevant for cybersecurity in the finance sector, one can discern a certain hierarchy, ranging from a directly enforceable level of binding hard law to different kinds of soft law regulation. Apart from European Union regulations [2], directives [3] and national statutes and regulations, cybersecurity in finance is regulated by many different kinds of regulatory instruments, such as standards [4], guidelines [5] and recommendations [6] which can be of international, supranational, or national origin.

Even in the context of binding and directly applicable regulations issued by the European Parliament and the Council, some elements of a “softer” approach to bringing about compliance with certain cybersecurity norms may be found.

An example is Article 40 of the General Data Protection Regulation, which provides for a strong involvement of the stakeholders of a certain sector in creating the contents of codes of conduct. [7] These codes of conduct are drafted to fit the specific needs of data controllers in a certain sector, and in a next step, they can be approved by the supervisory authorities, which then monitor compliance with the codes of conduct. [8]

Another example of soft law regulation relevant for cybersecurity in the finance sector is the standards issued by the International Organisation for Standardisation (ISO). Although the standards themselves are not part of the body of law, they are in practice often referred to when it comes to determining the state of the art, thereby shaping the (future) interpretation of binding legal acts. [9]

Guidelines and Recommendations, often issued by authorities with special expertise [10] (such as the European Banking Authority or the European Union Agency for Cybersecurity), also play an important role in a regulatory field as dependent on technical development as cybersecurity regulation.

As soft law instruments are used to clarify the understanding of “hard” legal terms, this creates beneficial effects for both those subject to the law (receiving guidance in how to comply with their legal obligations) and the administrative authorities (as monitoring compliance is facilitated by clear rules on how to live up to the state of the art or demonstrate certain efforts to fulfil their due diligence). [11] Thus, soft law instruments often play a crucial role in legal practice, although they lack immediate legal consequences.

The soft law instruments named above not only allow for a certain flexibility in regulating fast-changing and complex matters [12], but may also pave the way for future developments in hard law regulatory efforts, taking on an “anticipating” function. [13]

Nevertheless, certain problematic aspects of soft law have to be kept in mind too: firstly, soft law regulation often lacks the democratic legitimacy that hard law regulation is eager to uphold. Secondly, from a fundamental rights perspective, the right to an effective remedy might be compromised where the factual incentive to comply with a certain soft law regulatory instrument is stronger than its legal “capacity”, but the – often very formalised – possibilities for legal remedy do not apply. Thirdly, the rule of law principle requires appropriate public access to the rules, which may be problematic even in the case of static references to certain soft law instruments.

In order to achieve legal certainty, soft law instruments are a useful tool for financial institutions as they facilitate proving compliance with the state of the art in the field of cybersecurity. Therefore, even though soft law does not entail directly enforceable legal consequences, players in the field would be well advised to take the various guidelines, recommendations, and standards into account.


Author: Nora Schreier, University of Graz


[1] J. Schwarze, ‘Soft Law im Recht der Europäischen Union’, European Law Journal (2011), 3–18, at 3.

[2] Such as GDPR, Regulation (EU) 2016/679 and eIDAS, Regulation (EU) 910/2014.

[3] Such as the Directive on security of network and information systems, Directive (EU) 2016/1148 and the Payment Services Directive, Directive (EU) 2015/2366.

[4] e.g. Standards issued by the International Organisation for Standardisation (ISO).

[5] e.g. Guidelines issued by the European Banking Authority (EBA).

[6] e.g. Recommendations issued by the European Cybersecurity Agency (ENISA).

[7] Article 40 GDPR; R. Gmeiner, ‘Verhaltenskodizes und Ähnliches – oder: Anmerkungen zum “Hartkochen von Soft Law”’, zfV (2020), 215–29, at 229.

[8] E. Lachaud, ‘What GDPR tells about certification’, Computer Law & Security Review 38 (2020), 1–12, at 9; J. Wagner, ‘Die (neuen) Pflichten des Verantwortlichen nach der DS-GVO: Von der Registrierungspflicht zur weitgehenden Selbstregulierung’ in D. Jahnel (ed.), Datenschutzrecht: Jahrbuch 2017 (2017), pp. 35–74, at p. 71.

[9] Schwarze, ‘Soft Law im Recht der Europäischen Union’, 10.

[10] D. Markopoulou, V. Papakonstantinou and P. de Hert, ‘The new EU cybersecurity framework: The NIS Directive, ENISA’s role and the General Data Protection Regulation’, Computer Law & Security Review 35 (2019), 105336, at 6.

[11] A. Novotny, ‘Stand der Technik von NIS-Maßnahmen: Auslegungshilfen zwischen IT, OT und IOT’ in E. Schweighofer, F. Kummer and A. Saarenpää (eds.), Internet of Things: Tagungsband des 22. Internationalen Rechtsinformatik Symposions IRIS 2019 (2019), pp. 565–72, at p. 568.

[12] I. Eisenberger, Innovation im Recht (2016), p. 131.

[13] Gmeiner, ‘Verhaltenskodizes und Ähnliches – oder: Anmerkungen zum “Hartkochen von Soft Law”’, 228; Schwarze, ‘Soft Law im Recht der Europäischen Union’, 15.