Title: Reporting cybersecurity to stakeholders: A review of CSRD and the EU cyber legal framework
Author: Clara Boggini
Journal: Computer Law & Security Review, Volume 53, Article 105987
DOI: 10.1016/j.clsr.2024.105987
Published: 2024-05-25 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S0267364924000542
Open access: no
JCR: Q1 (Law)
Citations: 0
Abstract
The purpose of this article is to explain, through a doctrinal review of the EU sustainability and cybersecurity legal framework, how the cybersecurity obligations contribute to the cybersecurity content and quality of the sustainability reporting. Previous studies are limited to voluntary cybersecurity disclosure in annual reports because they date back to before the adoption of CSRD. The CSRD harmonized sustainability reporting in the EU and introduced the ESRS, the standards for sustainability disclosure. As stated in the ESRS S4, the sustainability reporting should now address how the company manages the risks linked to data usage and data collection. Therefore, cybersecurity measures must be included in the sustainability report. This information can be used by stakeholders to assess the risk appetite and the potential long-term profitability of the company. The cybersecurity measures adopted by companies must comply with the cybersecurity obligations of the EU legal framework. While it is out of the scope of these cybersecurity obligations to inform ex ante the stakeholders of a company of how the company is managing cyber risks, these same obligations can improve the quality and content of the sustainability discourse.
Journal description:
CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition, it provides regular updates on European Union developments and national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good-quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.