The main aim of this course is to provide a general overview of the legal issues relating to cybersecurity and data security. Given the global dimension of data flows and their economic and strategic value, the legal framework will be considered at different levels, namely international, EU and national. The first part of the course focuses on data regulation as the legal protection provided to personal and non-personal data is at the root of cybersecurity laws that aim to safeguard these intangible assets. Moreover, some key data protection regulations, such as the GDPR, already include specific data security and cybersecurity requirements. In line with the transnational dimension of cybersecurity, attention will also be paid to international conventions and frameworks (Convention 108 and 108+ of the Council of Europe, OECD Guidelines). Specific environments, such as IoT and cloud computing, will be considered when dealing with data and cybersecurity issues. Finally, the recent development of AI regulation in Europe and the risk-based approach adopted by legislators will be discussed concerning the requirements that increase the level of data and system security. The second part of the course aims to provide case studies and practical examples in the field of information security. Special attention will be given to the Cybercrime Convention, GDPR-Data Breach, NIS2, Cybersecurity Act, and EU bodies (ENISA, CERT, etc.). The Cybercrime Convention, also known as the Council of Europe Convention on Cybercrime, was signed on November 23, 2001. It is the first international convention to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. The General Data Protection Regulation (GDPR), the Network and Information Systems Directive (NIS2), and the Cybersecurity Act are essential pieces of legislation aimed at protecting personal data and ensuring the security of information systems. Together, these pieces of legislation play a crucial role in promoting and protecting the security of personal data information in the digital age. Each of the individual pieces of EU legislation mentioned above will be addressed by highlighting the most relevant aspects and focusing on the practical effects in the cybersecurity world. Through case studies, the student will gain detailed knowledge of the real issues that need to be addressed to manage cybersecurity risks.

Students will acquire knowledge of the legal requirements and safeguards characterizing the field of cybersecurity. They will have knowledge of the legal principles and language, which will give them the ability to facilitate their interaction in the corporate and public sector environment, as well as in a multidisciplinary context.

Part I - Data and Privacy - The international framework: Council of Europe and OECD - The GDPR and legal compliance - Sector-specific applications and Regulation 2018/1807 on non-personal data - AI regulation and risk-based approach Part II – Cybersecurity and Cybercrime - Cybercrime Convention (Budapest, November 23 2001) - Data Breach and GDPR: 3 leading cases - Nis Directive 2 and Cybersecurity Act - The role of EU bodies (ENISA, CERT) and the most important case studies

The course is divided into lectures, and students' contributions and group activities will be encouraged.

- Hoofnagle, Chris Jay, Bart van der Sloot, e Frederik Zuiderveen Borgesius. «The European Union general data protection regulation: what it is and what it means». Information & Communications Technology Law 28, fasc. 1 (2 gennaio 2019): 65–98. https://doi.org/10.1080/13600834.2019.1573501 (open access) - Mantelero Alessandro, Giuseppe Vaciago, Maria Samantha Esposito, e Nicole Monte. «The common EU approach to personal data and cybersecurity regulation». 2020, 28(4) International Journal of Law and Information Technology 297–328 https://doi.org/10.1093/ijlit/eaaa021 (open access) - Papakonstantinou Vagelis, «Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity? », Computer Law & Security Review, Volume 44, April 2022, 105653 https://www.sciencedirect.com/science/article/pii/S0267364922000012

Dispense; Libro di testo;

Modalità di esame: Prova scritta (in aula); Prova scritta in aula tramite PC con l'utilizzo della piattaforma di ateneo;

Exam: Written test; Computer-based written test in class using POLITO platform;

... Assessment and grading criteria for the ONSITE exam. The final exam aims to evaluate the student's understanding of the topics discussed during the course and how much students apply the acquired notions to various cases. The exam is written and is 45 minutes in duration. It is divided into two sections, one focused on case analysis and one on the general legal framework (open-question).

Gli studenti e le studentesse con disabilità o con Disturbi Specifici di Apprendimento (DSA), oltre alla segnalazione tramite procedura informatizzata, sono invitati a comunicare anche direttamente al/la docente titolare dell'insegnamento, con un preavviso non inferiore ad una settimana dall'avvio della sessione d'esame, gli strumenti compensativi concordati con l'Unità Special Needs, al fine di permettere al/la docente la declinazione più idonea in riferimento alla specifica tipologia di esame.