
Conceptualizing the right to cybersecurity in the EU

Should a distinct right to cybersecurity be recognized in the EU, and if so, what should its rationale and scope be?

I. Introduction: “Cybersecurity” Conceptual Volatility and the Dilemma of Rights Positivization [1: Disclaimer: In preparing this work, I used Grammarly to correct grammatical errors. Additionally, I employed NotebookML to search for specific data and passages, taking care to cross-check each result for accuracy.]

In recent years, the digital landscape has become an integral part of both individual lives and institutional operations, a development fueled by the relentless pace of technological innovation. This trend marks what scholars describe as the “information turn,” [2: Luciano Floridi, ‘What Is the Philosophy of Information?’ (2002) 33(1/2) Metaphilosophy 1, 126] heralding a profound transformation in how societies conceive, handle, and value information. In advanced post-industrial contexts, information is not simply a resource; it is the very foundation upon which societal organisation and progress depend, with Information and Communication Technologies (ICT) standing out as the most influential determinants in modern governance and everyday life. [3: Floridi (n 2) 126]

While heightened connectivity brings undeniable advantages, it equally generates new dangers, with the proliferation of cyber-attacks standing as a particularly salient risk. These threats are magnified by the inadequacy of traditional frameworks of international law, which remain preoccupied mainly with the prerogatives of states and are therefore ill-suited to address the vulnerabilities of private actors. [4: Ido Kilovaty, ‘An Extraterritorial Human Right to Cybersecurity’ (2020) 10 Notre Dame Journal of International & Comparative Law 35, 36–37]

Consequently, the protection of fundamental rights is more precarious than ever in this era of cyber insecurity. [5: Pier Giorgio Chiara, ‘Towards a Right to Cybersecurity in EU Law? The Challenges Ahead’ (2024) 53 Computer Law & Security Review 105961, 4] Against this backdrop of expanding digital threats, a pressing question emerges for the European Union: ought there to be a clearly articulated right to cybersecurity, and if so, what foundational principles and boundaries should define it?

One of the first challenges scholars face when discussing the fundamental right to cybersecurity is defining what “cybersecurity” actually means. In this context, Chiara acknowledges the difficulties in defining both cybersecurity and security, assuming that cybersecurity aims to protect against “digital threats,” while traditional security concerns the “analogue” sphere. [6: Chiara (n 5) 3]

However, the challenge lies in determining the appropriate level of abstraction (LoA). If the LoA is based on the scope of protection, one could argue that cybersecurity is merely a subset of security, making a new right to cybersecurity “unnecessary.” [7: Chiara (n 5) 3]

The EU Cybersecurity Act defines cybersecurity as “the activities necessary to protect network and information systems, the users of such systems, and other individuals affected by cyber threats.” [8: Vagelis Papakonstantinou, ‘Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity?’ (2022) 44 Computer Law & Security Review 105653] Fundamentally, cybersecurity focuses on safeguarding the Confidentiality, Integrity, and Availability (the “CIA triad”) of computer systems and networks, [9: Papakonstantinou (n 8) 3] a focus that sets it apart from privacy, which primarily concerns the protection of personal data. [10: Papakonstantinou (n 8) 13]

This distinction is of particular importance. As Kilovaty points out, the body of human rights currently recognized may be “insufficient or ambiguous” when it comes to addressing all aspects of cybersecurity. [11: Kilovaty (n 4) 53] For example, a cyberattack might result only in the deletion or manipulation of data, or take the form of a Distributed Denial of Service (DDoS) attack that limits access, with no violation of personal data. [12: Kilovaty (n 4) 53] In these cases, the right to privacy offers no relief, as there has been no access to or disclosure of personal information.

Acknowledging that individuals have a valid interest in protection against cyber threats does not, by itself, necessitate the establishment of a new fundamental right. The gap in legal safeguards identified by Kilovaty [13: Kilovaty (n 4) 53] could be filled through a range of approaches, such as adjustments to regulatory frameworks or a reconceptualisation of existing rights. The essential question is which option poses less risk.

The proposal for a distinct “right to cybersecurity” should be considered not just for its legal coherence but also for its broader political ramifications. In this context, Douzinas’s critique of rights discourse provides valuable insight. He maintains that the original purpose of human rights was deeply utopian: they embodied the hope of a society in which individuals would no longer be subjected to degradation or contempt. [14: Costas Douzinas, ‘Human Rights and Postmodern Utopia’ (2000) 11 Law and Critique 219, 226] Yet this emancipatory promise, he contends, has been progressively captured by institutional power: human rights have been “hijacked by governments, submerged into treaties and conventions,” their radical potential domesticated through legal formalisation. [15: Douzinas (n 14) 236, 239]

One might argue that the current framework of fundamental rights addresses the digital realm only through separate and narrowly defined entitlements. Data protection laws regulate the processing of personal data, freedom of expression protects communication, and property rights extend to digital assets. However, each of these rights functions strictly within its own doctrinal limits, addressing only a particular aspect of digital life while overlooking others.

Douzinas identifies this as a structural feature of how rights function. The legal system, he argues, necessarily partitions the person into separate objects of protection: “the law breaks down the body into functions and parts and replaces its unity with rights which symbolically compensate for the denied and barred bodily wholeness.” [16: Douzinas (n 14) 230] Rights recognise and protect aspects of the person, but the person as a whole, the unified subject whose existence is more than the sum of legally protected parts, remains invisible to the law.

In the digital context, this kind of fragmentation has very real consequences. An individual whose daily life relies on safe participation in networked environments cannot be fully described as just a “data subject” under privacy law, a “speaker” under expression rights, or an “owner” of digital assets. She is, fundamentally, a whole person whose sense of security depends on the reliable operation of digital infrastructure. When a cyberattack wipes out non-personal data, disrupts access to essential services, or manipulates information without violating personal data, none of the existing rights provides relief. Such harms often fall outside the narrow categories recognized by current law. The individual suffers, but the law registers only disconnected parts, not the whole injury.

From this perspective, recognizing a right to cybersecurity could help address this fragmentation. Papakonstantinou’s distinction is helpful here: on one hand, cybersecurity as praxis refers to the specific activities taken to protect systems; on the other, cybersecurity as a state describes the overall condition in which people are truly protected from online threats. This framework clarifies how a comprehensive right to cybersecurity could move beyond narrowly defined legal protections and focus on the complete well-being of individuals in the digital age. [17: Vagelis Papakonstantinou, ‘Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity?’ (2022) 44 Computer Law & Security Review 105653] This conceptual evolution is enshrined in the EU Cybersecurity Act and further reinforced by the NIS 2 Directive, both of which mark an explicit departure from a purely technical perspective. By expanding protection beyond “network and information systems” to incorporate “the users of such systems and other individuals affected by cyber threats”, the legislation clearly signals a shift toward a human-centric approach, one that prioritizes the safety and well-being of individuals alongside the safeguarding of technical infrastructure. [18: Vandezande, ‘Cybersecurity in the EU: How the NIS2-directive stacks up against its predecessor’ (2024) 52 Computer Law & Security Review 105890]

In light of this, it is possible to infer that the notion of cybersecurity as a state aligns with what Douzinas, drawing on Drucilla Cornell, calls the “imaginary domain.” [19: Douzinas (n 14) 230, 231, 232] For Douzinas, the imaginary domain is “the image of a complete subject and a sutured body”, a vision of wholeness that underlies the fragmented entitlements produced by rights discourse. [20: Douzinas (n 14) 230, 231, 232] While individual rights partition the person into discrete objects of legal protection, the imaginary domain captures the aspiration toward existential integrity: the unified self that fragmented rights can only symbolically compensate for but never fully reconstitute. [21: Douzinas (n 14) 230, 231, 232]

A right to cybersecurity, understood as protecting cybersecurity as a state rather than merely mandating cybersecurity as praxis, would aspire to something similar in the digital realm. Rather than isolating specific aspects of digital existence, personal data here, communication there, assets elsewhere, it would recognise the person’s interest in secure participation in networked environments as such. The digital person would be protected not as a collection of data points, communicative acts, and owned objects, but as an integrated subject whose existential integrity depends on the reliable functioning of digital infrastructure as a whole.

Yet Douzinas’s critique operates at another level. Even rights that aspire to protect existential wholeness risk the kind of conformist co-optation he identifies. Drawing on Walter Benjamin, Douzinas warns that “the danger affects both the content of the tradition and its receivers… that of becoming a tool of the ruling classes.” [22: Douzinas (n 14) 226] The elevation of cybersecurity to a fundamental right in the EU legal order exemplifies this danger. Where Member States are charged under primary law with guaranteeing a protective sphere against cyber threats, they necessarily gain authority to define what that sphere encompasses and to oversee the infrastructure required to secure it. The aspiration to protect the whole digital person may thus become the justification for rendering that person wholly transparent to the state. This is the core of the positivisation dilemma: the more comprehensive the right, the more comprehensive the authority required to guarantee it.

The language of “national security” and the “responsibility to protect” [23: Kilovaty (n 4) 48] has historically served as justification for expansive monitoring and surveillance. [24: Ramalho, O direito à segurança na era virtual: as implicações no Direito Constitucional (USP 2017) 108] By entrenching cybersecurity within the EU’s fundamental rights framework, legal doctrine may inadvertently provide states with robust grounds to expand their digital reach and enforcement powers. A Charter-enshrined right to cybersecurity risks becoming what Bloch warned against: “natural law co-opted for conformist conservatism.” [25: Douzinas (n 14) 226] In this sense, a right to cybersecurity, if positivised at the level of EU primary law, risks transformation into its opposite: a surveillance apparatus in which protection and control become indistinguishable.

In this way, this analysis suggests that positivisation involves inherent risks regardless of how carefully the right is formulated. The volatility arises not only from the conceptual choice and the ambiguities that this can bring but also from the political dynamics that accompany formal recognition within the EU fundamental rights framework.

It seems that a possible right to cybersecurity, however well-intentioned, would enter a field already structured by state power and security discourse. Its meaning would be shaped not by scholarly definitions of cybersecurity as a state but by the institutional actors charged with its implementation, the same actors whose surveillance capacities it might be invoked to constrain.

Ultimately, it is important to recall the proverb that the road to hell is paved with good intentions. As Douzinas observes, the rhetorical triumph of human rights has not brought about their fulfillment, but has instead coincided with the rise of unprecedented mechanisms of control.

II. The Right to Cybersecurity and the Boundaries of the EU Regulatory Architecture

The European Union’s regulatory rhetoric regarding cybersecurity has taken a distinctive approach: rather than recognising cybersecurity as a fundamental right under EU primary law, secondary legislation imposes obligations on addressees and establishes protective mechanisms without creating correlative rights or remedies for individuals. [26: Chiara (n 5) 6]

This regulatory choice reflects a particular conception of cybersecurity’s place in EU law. For example, the NIS2 Directive, grounded in Article 114 TFEU (internal market harmonisation), frames cybersecurity primarily as a matter of operational resilience and business continuity for critical sectors rather than as a domain of individual protection. [27: Chiara (n 5) 6] The Directive’s impact assessment criteria include “severe operational disruption,” “financial loss,” and “considerable material or non-material damage.” [28: Vandezande (n 18) 8] In this context, cybersecurity is positioned as a means to support economic and social stability, rather than as an individual right in itself.

In particular, this means that NIS2 advances cybersecurity as praxis [29: Chiara (n 5) 4], taking into consideration the activities and measures undertaken to protect systems, by imposing detailed obligations on entities operating critical infrastructure. In some way, it also partially achieves cybersecurity as a state [30: Papakonstantinou (n 17) 2], the protective sphere where persons are secure from cyber threats, insofar as regulatory compliance creates systemic resilience that benefits individuals indirectly. What is not covered, and therefore not provided, is either the legal recognition of individuals’ interests within that protective sphere or any mechanism by which individuals can vindicate those interests when regulatory duties are breached. [31: Chiara (n 5) 6]

The Cyber Resilience Act adopts a similar logic, extending cybersecurity obligations to manufacturers and distributors of products with digital elements throughout their lifecycle. Like NIS2, it imposes duties without creating corresponding rights: market surveillance authorities ensure compliance, but individuals affected by insecure products have no independent cybersecurity claim. The framework thus remains one of regulatory protection rather than rights-based empowerment. [32: Chiara (n 5) 6, 7]

This approach has both advantages and limitations when viewed through Douzinas’s critique. [33: Douzinas (n 14) 236, 239] On one hand, by choosing not to enshrine cybersecurity in the Charter or other primary law instruments, the EU avoids the dilemma of positivisation and refrains from granting Member States a fundamental rights mandate to oversee digital infrastructure, an outcome that such recognition would entail. The separation between regulatory duties under secondary law and fundamental rights under primary law may itself serve as a safeguard against the dynamics of a “security state”: protection is accomplished through targeted, sectoral obligations rather than through broad state authority anchored in fundamental rights.

On the other hand, this regulatory gap cannot be dismissed as merely technical. Papakonstantinou argues that if no consequences are attached to default or negligence by addressees, “a very concrete risk is raised that all these efforts do not develop their potential to the fullest extent possible.” [34: Papakonstantinou (n 17) 12] Without legal means for individuals to protect their interest in a secure digital life, cybersecurity remains a “behind-closed-doors policy” [35: Papakonstantinou (n 17) 12], an administrative concern handled exclusively within EU and Member State organisations, failing to achieve the “trust within the Union” [36: Papakonstantinou (n 17) 12] that the EU Cybersecurity Act identifies as a central objective.

This reveals a structural incompleteness in the current praxis. Without accountability to those it is meant to protect, the regulatory framework remains a building under construction, one that lacks the essential foundations to support the structure it aspires to become. Where individuals cannot hold addressees accountable for failures, the incentive structure that should drive compliance is weakened. Addressees respond to supervisory authorities, not to the persons whose security depends on their diligence. The praxis exists in form, but its animating purpose, the protection of individuals, lacks the legal infrastructure to compel its realisation.

However, if Douzinas’s critique warns us against the positivisation of cybersecurity as a fundamental right, given the risk of fueling the “legislative Leviathan” [37: Douzinas, O fim dos direitos humanos (Unisinos 2009) 121], it does not follow that the current regulatory gap should be accepted as an unavoidable compromise. The central question is not whether individuals deserve protection, but how that protection might be achieved without triggering the dynamics of state co-optation that positivisation in primary law entails. One possible path lies not in the recognition of “cybersecurity as a state”, but in the strengthening of “cybersecurity as praxis.” This implies designing accountability mechanisms that make the addressees of regulations (the entities) directly responsible to the individuals whose security depends on their compliance. In this way, protection is no longer merely an institutional concern but becomes an obligation that individuals can enforce directly, avoiding the rhetoric of absolute security while filling the accountability gap that currently characterises the NIS2 and CRA regimes.

III. Conclusion

The debate concerning the right to cybersecurity cannot be reduced to a binary choice between its recognition and its rejection. The path forward suggested here lies not in positivising cybersecurity as a state, but in strengthening cybersecurity as praxis through mechanisms that render addressees accountable to individuals. Such an approach would preserve the distance between regulatory duty and fundamental rights while addressing the gap that currently leaves persons without recourse. Protection would become enforceable from below rather than conferred from above.

This analysis has focused on the EU context, but the underlying tension extends beyond European borders. In the United States, the Snowden revelations [38: Ramalho (n 24) 106, 107] exposed how the language of national security and cyber protection has served to justify unprecedented surveillance of citizens worldwide, a cautionary tale for any jurisdiction contemplating the expansion of state authority in the name of cybersecurity. The American experience demonstrates that the risks Douzinas identifies are not merely theoretical: where states are empowered to guarantee digital security, they acquire the means to undermine it.

There are no innocent choices in the domain of rights. As Douzinas reminds us, human rights are “both the poison and its antidote, a veritable Derridean pharmakon.” [39: Douzinas (n 14) 240] A right to cybersecurity, if it comes to exist, will be no different. The challenge lies not in resolving this tension, but in maintaining it, seeking protection while remaining vigilant against the very apparatus that protection can engender.


Copyright © 2025 Paulo Tavares. All rights reserved.