WICCON 2025

Beyond Compliance: Rethinking Legal Accountability in Cybersecurity
2025-10-31 , Main Stage

This talk explores the growing divide between cybersecurity compliance and actual legal accountability in the EU regulatory landscape. Through the lens of GDPR, NIS2, and DORA, the session examines how emerging frameworks shape legal risk and influence organizational behavior. The session provides a critical look at whether legal accountability improves security—or simply encourages minimal compliance.


The growing legal and regulatory pressure on cybersecurity practitioners in the European Union has led many organizations to equate compliance with security. Nevertheless, recent enforcement actions and major security incidents reveal a significant disconnect between formal compliance and substantive accountability.
This talk examines how legal responsibility is evolving, especially under instruments such as the General Data Protection Regulation (GDPR), the NIS2 Directive, and the Digital Operational Resilience Act (DORA).
Key questions addressed include:
• To what extent does compliance create a false sense of legal protection?
• How are emerging regulatory frameworks shifting the legal risk landscape in the EU?
• Can legal accountability support better security outcomes or does it incentivize minimalism and blame-shifting?
Audience Takeaways:
• Understand how legal accountability is distinct from compliance.
• Learn the practical implications of EU cybersecurity legislation on risk ownership.
• Identify cultural and structural barriers to shared responsibility.
• Gain language and frameworks to influence better internal practices.
Methodology
This talk will be developed through legal and regulatory analysis, with a focus on current and emerging cybersecurity legislation in the EU. Primary sources include GDPR, the NIS2 Directive and DORA. Each of these frameworks will be reviewed to examine how legal responsibility is defined, distributed, and enforced in the context of cybersecurity.
The analysis will also draw on published enforcement actions, supervisory guidance, and selected case studies in which formal compliance failed to prevent significant security incidents. By comparing regulatory expectations with known limitations in implementation, the talk highlights the growing gap between legal reform and security substance.

Andreea Focsa is a Security Consultant specializing in governance, risk, and compliance, with a focus on ISO frameworks, GDPR, and data management. She works on improving privacy practices, conducting impact assessments, and strengthening internal governance to help organizations meet regulatory requirements while managing cybersecurity risks.