Eng Cn Translate this page:
Please select your language to translate the article


You can just close the window to don't translate
Library
Your profile

Back to contents

International Law and International Organizations
Reference:

Legal Status of European Union Bodies and Institutions in the Field of Cybersecurity

Giris Valeriya Alekseevna

ORCID: 0000-0000-0000-0000

Postgraduate, Department of Integration and European Law of the Kutafin Moscow State Law University (MSAL)

123000, Russia, Moscow, Sadovaya-Kudrinskaya str., 9

valeri_ka@list.ru

DOI:

10.7256/2454-0633.2023.1.39986

EDN:

CNSRAT

Received:

14-03-2023


Published:

21-03-2023


Abstract: The relevance of the reasearch topic stems from the fact that different state bodies are involved in addressing cybersecurity services. While each of the state bodies has their own goals and objectives, the successful resolution of the issues entirely depends on their effective cooperation. The existing resources and expertise available in the EU member states and corresponding EU institutions, bodies and agencies provide a solid basis for a collective response to cybersecurity threats. As a result, the EU has established a system of cyber security risk management bodies. The purpose of this article is to investigate the activities of key EU cyber security authorities. To achieve this goal and analyse the activities of the main EU bodies in the field of cybersecurity , the author has used several methods, such as the systematic approach, the formal-legal method, the comparative-legal method and the historical method. The author has come to the conclusion that cooperation and information exchange are essential elements in addressing cyber security issues. At the same time, to achieve coherence among cyber security bodies, the EU is taking measures to strengthen their joint work. In addition, it has been concluded that the EU, as a regional integration organization where member states act on the basis of mutual trust, is a reliable platform for addressing cyber security issues.


Keywords:

EU law, cyber security, cyber threats, cyber resilience, cyber defence, cyber space, cyber attack, information security, cybercrime, cyber incident

This article is automatically translated. You can find original text of the article here.

The need to strengthen the security of modern society from a sharply increasing number of cyber threats has become a catalyst for the development of a regulatory framework aimed at increasing the level of cyber resilience of modern states.

Today, the cybersecurity requirements imposed in one state may differ significantly from the requirements imposed in another. This circumstance has become one of the reasons why the issue of cybersecurity has acquired great international importance.

However, the development of international law on this issue is complicated. There are still no universal agreements on cybersecurity at the international level, as well as there are no joint mechanisms for responding to cyber threats. This circumstance makes States vulnerable to emerging cyber threats, since in cyberspace States are in a state of interdependence due to the decentralized nature of threats.

The European Union (hereinafter referred to as the EU, the Union) has attempted to create a unified approach to cybersecurity among EU member States and ensure its implementation through the activities of the EU system of bodies.

Professor S. Y. Kashkin notes that the EU has a broad organizational mechanism, the subjects of which are increasingly intertwined in an unusual way [1, p.70]. In this regard, I would like to note that with the development of cybersecurity in the EU, there has been a tendency to complicate the institutional system.

Next, we will focus on a more detailed consideration of the legal status and activities of EU bodies in the field of cybersecurity.

The European Commission aims to strengthen the cooperation of member States on the issue of increasing the level of cybersecurity. The European Commission carries out the achievement of this goal jointly with other EU institutions, bodies and agencies.

The key place among the EU bodies in the field of cybersecurity is occupied by the EU Cybersecurity Agency, formerly called the European Agency for Network and Information Security (hereinafter referred to as the Agency). It should be noted that in accordance with EU legislation, agencies are separate bodies other than EU institutions and separate legal entities that are established to perform specific tasks.

According to paragraph 2 of Article 1 of Regulation No. 460/2004 on the establishment of the European Network and Information Security Agency, the Agency's role is "to assist the European Commission and the EU Member States, as well as to support cooperation with entrepreneurs to help them meet the requirements for network and information security, thereby ensuring the smooth functioning of the internal market, including the requirements set out in the present and future Community legislation" [2].

Based on this, the Agency's work is reduced to an independent advisory body of the EU member states and European entrepreneurs, providing access to information and resources necessary for functioning in cyberspace.

Initially, the Agency's work mainly consisted of collecting information about all emerging threats in cyberspace, providing non-binding consultations to EU member States and other interested parties, as well as creating a platform for the exchange of experience.

The main legal basis for the adoption of Regulation No. 460/2004, which established the Agency, was Article 95 of the Treaty Establishing the European Community, which allows the EU authorities to take measures that harmonize the national legislation of the EU member States.

Nevertheless, the UK expressed concern about the legality of using article 95 of the Treaty Establishing the European Community as the legal basis for the establishment of the Agency, since "the Agency's functions are limited to developing expertise and providing advice to a wide range of potential recipients, and the only possible link that can exist between the tasks it performs and harmonization rights are a link arising from the fact that the Agency helps the European Commission. However, this role, which is presented as a technical research function, is too far from Community legislation aimed at harmonizing national legislation"[3].

The United Kingdom, in an application filed with the EU Court for the repeal of Regulation No. 460/2004, stated that the provision of non-binding consultations could not amount to "approximation of the provisions established by legislative acts, regulations or administrative acts in the member States" within the meaning of Article 95 of the Treaty Establishing the European Community. Moreover, the dissemination of such recommendations may in practice increase the differences that exist between national laws"[3].

In its Decision, the EU Court rejected the UK's application and justified the legality of the adoption by the European Parliament of Regulation No. 460/2004 in accordance with Article 95 of the Treaty Establishing the European Community, ruling as follows:

- The tasks assigned to the Agency in accordance with Article 3 of Regulation No. 460/2004 are closely related to the objectives pursued by the Directives Regulating Electronic Communications services and Related Means and Services, and specific Directives in the field of network and information security.

- The European Parliament had the right to consider that the opinion of an independent body providing technical advice at the request of the European Commission and the EU Member States could facilitate the transfer of Directives regulating electronic communications services into the laws of the member States and the implementation of these Directives at the national level.

-Regulation No. 460/2004 is not an isolated measure, but is part of the relevant legislative mechanism limited by Directive [4] and special Directives, and is aimed at completing the internal market in the field of electronic communications.

Thus, the above decision allowed the EU not only to take measures that promote harmonization, but also to establish bodies that can facilitate the convergence of EU member states' policies in the field of cybersecurity. The EU Court of Justice has ruled that the Agency is an appropriate means of preventing the occurrence of differences that may create obstacles to the smooth functioning of the internal market in this area.

After a year of the Agency's operation, the European Commission conducted an assessment of its activities, which was provided in advance by Article 25 of Regulation No. 460/2004 and was mandatory for making a decision on further extension of the powers of this organization after the end of the five-year mandate.

The assessment of the Agency's activities was set out in the relevant communication of the European Commission [5], in which the latter made a positive conclusion on the extension of the Agency's mandate, and also pointed out a number of problems related to the Agency's activities and ways to solve them.

The main problems identified by the European Commission can be defined as organizational, they include shortcomings in the Agency's structure, the remoteness of the Agency's location (the Agency's headquarters was located in Heraklion, Greece) and the problem of the Agency's strategic role, which at that time was focused mainly on the preparation of reports on the progress of its activities. In its communication, the European Commission proposed recommendations on the Agency's governance structure, as well as on the revision of Articles 2 and 3 of Regulation No. 460/2004 in order to establish the Agency's key objectives based on the results.

Taking into account the positive assessment of the Agency's activities issued by the European Commission in 2008, the European Parliament and the Council adopted another Regulation No. 1007/2008 [6], extending the Agency's mandate until March 2012..

In the EU Council Resolution of December 18 , 2009 [7] The role and potential of the Agency and the need for "further development of the Agency into an effective body" are recognized. In this regard, the European Commission has developed a draft of a new Regulation on the Agency [8], proposing the expansion of its functions and the extension of its mandate. As the legal basis of this organization, it is proposed to use Article 114 of the Treaty on the Functioning of the EU, which is almost identical to Article 95 of the Treaty on the Establishment of the European Communities.

The Cybersecurity Strategy for the European Union 2013 - Open, Secure and Reliable [9] identified the Agency as a necessary entity overseeing the management of cybersecurity, which needed only a modernized mandate with additional powers. In this regard, a new Regulation on the Agency was adopted, which strengthened the mandate of this organization. Earlier, Regulation No. 580/2011 [10] extended the term of the Agency's mandate until September 13, 2013. The new mandate was approved by Regulation 526/2013 on April 16, 2013 [11] and was set for seven years.

As already mentioned, the new Regulations on the Agency provided for strengthening its role. First of all, the new Regulation granted the Agency the authority to support the creation and operation of a fullscale EU Computer Emergency Response Team (hereinafter - CERT-EU) to counter cyber attacks at the EU level.

To improve the efficiency of the new Regulations established a new additional branch of the Agency with operational staff in Athens. The changes also affected the management structure, in which the executive board was introduced, allowing the Agency's board to focus on issues of strategic importance and thereby increase the effectiveness of the Agency. The Executive Director, according to the Regulations, is appointed with the approval of the European Parliament.

Directive No. 2016/1148 [12] assigned the Agency the role of the secretariat of Computer Security Incident Response Teams (hereinafter referred to as CSIRTs), which was created to facilitate rapid and effective operational cooperation between EU Member States in relation to specific cybersecurity incidents and the exchange of information on risks.

Thus, with the adoption of Directive No. 2016/1148, the role of the Agency was actually strengthened, which was later recognized by the European Commission during the evaluation of its activities and enshrined in the subsequent adopted Regulation No. 2019/881 [13], which finally assigned the Agency a central role in ensuring cybersecurity in the EU.

One of the aspects of cybersecurity is cybercrime. In order to minimize the risks from cybercrime, regulatory legal acts aimed at combating cybercrime have been adopted within the EU. In addition, specialized EU bodies, such as the EU Agency for Police Cooperation (hereinafter referred to as Europol) and the EU Agency for Criminal Justice Cooperation (hereinafter referred to as Eurojust), play a significant role in addressing cybercrime issues.

Eurojust was established by a decision of the EU Council[14] as an EU agency with the aim of improving coordination and cooperation between the competent judicial authorities of the member States, especially in relation to serious organized crime. The aforementioned decision was replaced by Regulation 2018/1727 [15], which in turn aims to strengthen the role of Eurojust in the administration of justice across borders for a safer Europe. Eurojust has established a Group to combat financial and economic crimes (hereinafter referred to as the Group) whose powers include combating cybercrime.

In addition to the work of the Group, in 2016, on the basis of the EU Council's Opinion of June 9, 2016 [16], the European Judicial Network for Combating Cybercrime at Eurojust was established to support judicial authorities dealing with cybercrime. The plenary sessions of the European Judicial Network for Combating Cybercrime are held twice a year with the support of Eurojust and with the joint participation of representatives from Europol and the European Commission, which, in turn, facilitates the exchange of views between interested parties on common cybercrime problems.

Europol is a law enforcement agency that was established by the Decision of the Council of April 6, 2009 on the establishment of a European Police Agency. According to which, it is intended to provide practical assistance and information support at the European level to the activities of the police authorities of States in the field of combating: transnational organized crime, international terrorism, as well as other serious forms of international crime: drug trafficking, money laundering, etc. [17]. The current legal basis for Europol's activities is Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the EU Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/LDPE, 2009/934/LDPE, 2009/935/LDPE, 2009/936/LDPE and 2009/968/LDPE.

Initially, solving issues related to cybercrime was not part of the scope of Europol's tasks. Indeed, in one of the studies, E. Ilbiz and K. Kaunert emphasize that Europol's activities aimed at combating cybercrime were not its priority task until the second half of the 2010s [18, p.3].

Nevertheless, the EU Internal Security Strategy adopted by the European Commission on November 22, 2010 [19] notes that the Europol Center for Combating High-Tech Crimes plays an important coordinating role for law enforcement agencies in the fight against cybercrime.

As one of the further priority actions of the Internal Security Strategy, the EU has identified the establishment of a European Center for Combating Cybercrime within the framework of Europol by 2013.

A more detailed proposal describing the main functions of the European Center for Combating Cybercrime was outlined in the Message [20] of the European Commission. The official launch of the European Center for Combating Cybercrime was carried out by Europol in January 2013 as its unit.

It is important to note that the legal basis for the creation of this unit was Europol. In our opinion, the creation of this unit within the organizational structure of Europol served as a solid legal basis for its further development as a significant entity in the fight against cybercrime, since it allowed it to use the already existing and accumulated arsenal of Europol's capabilities for conducting investigations and cooperation in the investigation of cybercrime.

Thus, a simple and economical organizational structure was created in the EU in order to ensure the effective implementation of the tasks assigned to it [21].

Given the number of bodies involved in the prevention of cybercrime, it is important to pay attention to the fact that in the EU special attention is paid to cooperation between them, ensuring synergy and complementarity of their mandates and competencies.

In this regard, platforms for interaction are being created in the EU to discuss and prioritize key issues and further actions in the fight against cybercrime. These include the EU Task Force on Combating Cybercrime. It is a forum for the heads of EU cybercrime authorities and member States, which meets twice a year in Europol. In addition, the Europol European Center for Combating Cybercrime, together with the EU Task Force on Combating Cybercrime, has established a Joint Task Force on Combating Cybercrime, which consists of cybersecurity officers from member States, non-EU law enforcement partners, and employees of the Europol European Center for Combating Cybercrime.

European researchers, having analyzed the activities of various structures dealing with cybercrime both in the EU and in the member states, come to the conclusion that it is acceptable to create completely new organizational structures, especially in the current economic climate [22, p.4].

As a result, I would like to emphasize that as a result of the analysis, it can be concluded that the expansion of the EU's organizational mechanism, whose main activity is the fight against crime, indicates the growing nature of threats associated with cybercrime. In conditions when the activities of a specialized body cannot cope with the solution of newly emerged types of crimes, it is necessary to create effective sub-divisions whose activities will focus only on combating certain types of crimes (cybercrimes).

Continuing the idea of the growing nature of the threats that information and communication technologies entail, R. Wessel and Yu. Miadzvetskaya notes that the growing number of cyber attacks and their destructive nature have become the reason for the creation of foreign policy-oriented response measures in the EU [23, p.414].

According to the Operational Guidelines for EU International Cooperation in Building Cyber Capabilities [24] published by the European Commission, the necessary measures in the field of cybersecurity are measures to ensure diplomatic commitments aimed at maintaining an open, free and secure cyberspace, and the development of cyber defense strategies to protect military networks and assets.

The European Foreign Policy Service, the European Defense Agency, and Permanent Structured Cooperation are actively involved in the implementation of the above measures.

The European External Action Service was established by the EU Council Decision 2010/427/EC of July 26, 2010 [25] as an autonomous EU body, which is under the leadership of the High Representative and supports him in fulfilling his mandate. The European External Action Service provides support to Member States in the use of diplomatic measures, in particular with regard to public communication, support for general situational awareness and interaction with third countries in the event of a crisis.

Within the framework of the European Foreign Policy Service, the EU Intelligence Analysis Center, a High-level Group of Experts and the EU Military Headquarters are involved in ensuring cybersecurity.

Analyzing the role of the European Foreign Policy Service in the field of cybersecurity, D. Duych comes to the conclusion that the main role of this service is auxiliary and consists in ensuring greater coherence and coordination in the field of cybersecurity, especially in the field of cyber defense[26, p.101].

The European Defense Agency was established by Council Decision 2004/551/CFSP of July 12, 2004 on the establishment of the European Defense Agency [27] and is an EU agency whose goal is to develop defense capabilities in the field of crisis management, as well as to promote and strengthen European cooperation in the field of armaments. The European Defense Agency was established on the basis of paragraph 3 of Article 42 of the EU Treaty. Its tasks are set out in detail in Article 45 of the EU Treaty.

In the field of cybersecurity, the European Defense Agency is responsible for coordinating cyber defense capabilities. Under the auspices of the European Defense Agency, there are several programs that also focus on the development of cooperation between member States on cybersecurity issues. Among them, we can single out the Deployable Cyber Evidence Collection and Evaluation Capability program, which is aimed at developing a technical demonstration of the capabilities of digital forensics for the military.

Also, within the framework of the project group of the European Defense Agency for Cyber Defense, the Cyberpolygon Federation project was launched, the purpose of which is to unite and share existing cyberpolygon capabilities between member states.

As one of the latest programs of the European Defense Agency, it should be noted the operational network of the Military Computer Emergency Response Group MICNET. The launch of this program was initiated by the EU Cyber Defense Policy[28]. MICNET should serve as a framework and infrastructure for information exchange between different levels of the cyber defense community and external stakeholders.

In addition, issues related to the field of cybersecurity are included in the Ongoing Structured Cooperation launched in 2017. By the decision of the EU Council [28]. Its legal basis is Article 42 (6) of the EU Treaty, which provides that those Member States whose military capabilities meet higher criteria and who have assumed more binding obligations to each other in this area in order to fulfill the most difficult tasks should establish permanent structured cooperation within the Union.

For the field of cybersecurity, Permanent structured cooperation plays an important role. One of the first projects that was initiated within the framework of Permanent Structured Cooperation was the project on the organization of Rapid Cyber Response Teams. Cybersecurity specialists united within such a group can provide assistance to Member States, EU institutions, EU missions and operations, as well as partner countries, contributing to the EU's overall capacity to prevent, deter and respond to cyber threats.

K.K. Renda rightly points out that the EU's lack of a centralized cyber command undermines its cyber defense capabilities and limits its ambitions to become more influential in this new area of policy[29, p.482].

The fact that EU military operations and missions in or through cyberspace also require the creation of an appropriate organizational structure that could adequately reflect the requirements of cyber defense was confirmed in the EU Strategy for Cyberspace as an Area of Operations [30]. Subsequently, the published EU Cyber Defense Policy [28] laid the foundation for the creation of the EU Cyber Commanders Conference. It is planned that it will meet at the secretariat of the European Defense Agency and with the participation of the EU Military Headquarters at least twice a year to discuss operational issues and other relevant topics.

Thus, the EU's approach to cybersecurity is based not only on ensuring internal security through law enforcement agencies such as Europol and Eurojust. In the EU, special attention is paid to external aspects of security, the EU's international participation in solving these issues, including responding to malicious actions. In this regard, within the framework of the common security and defense policy through the activities of the European Defense Agency, the European Foreign Policy Service, Ongoing structured cooperation is being carried out to strengthen the overall level of cybersecurity of the Member States and the EU.

Of course, achieving a high level of cybersecurity is impossible without the development and formation of intellectual potential. In this regard, two more structural elements were included in the EU organizational structure by Regulation No. 2021/887 of the European Parliament and of the Council of May 20, 2021 [31]: the European Competence Center for Industrial, Technological and Research Cybersecurity (hereinafter referred to as the Competence Center) and the Network of National Coordination Centers (hereinafter referred to as the Network).

According to Article 3 of the Regulation, the role of the Competence Center and the Network is to assist the EU in the development of technological, academic, public, research and industrial cybersecurity potential.

It follows from the presented that in the EU, an extensive system of bodies is engaged in ensuring cybersecurity. The main bodies in the field of cybersecurity include the EU Cybersecurity Agency, the European Defense Agency, Europol and Eurojust.

Considering that cooperation and information exchange in solving cybersecurity problems are essential elements for achieving a high level of protection against cyber threats, it is necessary to create a coordinated mechanism of interaction and cooperation between the bodies involved in the field of cybersecurity.

Describing the organizational mechanism of the EU, Professor A.Ya. Kapustin also points out that maintaining a constant dialogue and cooperation between EU institutions is an essential characteristic of the relationship between institutions [32, p.232].

Thus, in order to establish cooperation between Europol and the EU Cybersecurity Agency and to support EU member states and its institutions in preventing and combating cybercrime, a Strategic partnership Agreement was signed in 2014 between the EU Cybersecurity Agency and Europol [31], which also lays the foundation for interaction and mutual assistance between these organizations.

Nevertheless, in legal terms, the starting point for establishing cooperation between cybersecurity agencies was Article 7 of Regulation No. 2019/881 [13]. The said Regulation defines as an obligation that the Agency must cooperate at the operational level and establish interaction with the institutions, bodies, institutions and agencies of the Union, including CERT-EU, bodies dealing with cybercrime, and bodies dealing with the protection of confidentiality and personal data.

The cooperation agreement between the Agency and CERT-EU was officially established after signing in 2021. Memorandum of Understanding [33], which defines the areas of cooperation (capacity building, operational cooperation, as well as knowledge and information) and establishes an approximate distribution of roles between them: CERT-EU will play a leading role in providing assistance to EU institutions, bodies and institutions, and the Agency will contribute to the extent and limits defined by its mandate, and vice versa.

In addition, a Memorandum of Understanding was also signed between the European Defense Agency, the EU Cybersecurity Agency, the European Center for Combating Cybercrime and CERT-EU to improve cooperation [34]. The Report [35] of the European Commission determined that this Memorandum strengthened cooperation and synergy between these organizations in accordance with their mandates and contributed to the further development of the provision of expertise, operational and technical support to the EU and Member States in the field of cybersecurity.

In June 2021, the European Commission, in its Recommendation [36], announced the creation of a Joint Cyber Unit. Earlier, the proposal for its creation was outlined in the political guidelines [37] of the President of the European Commission, Ursula von der Leyen. This initiative is an important step towards the completion of the European cybersecurity risk management system. It aims to ensure the coordination of efforts in the EU to prevent, detect, deter, mitigate and respond to large-scale cyber incidents and crises.

The Joint Cyber Unit will act as a platform to ensure a coordinated EU response to large-scale cyber incidents and crises, as well as to assist in recovery after these attacks.

The combined cyber division provides a virtual and physical platform and does not require the creation of an additional autonomous body. Its creation should not affect the competence and powers of the national cybersecurity authorities and the relevant structures of the Union. It unites all cybersecurity communities, that is, the civilian population, law enforcement agencies, diplomacy and defense.

Platform participants should play either an operational or a supporting role. Operational participants should include the Cybersecurity Agency, Europol, the Computer Emergency Response Team for EU Institutions, Bodies and agencies, the European Commission, the European External Action Service, the CSIRTs network and the European Network of the Organization for Relations with Cyber Crises[1] (hereinafter - EU-CyCLONe). Auxiliary participants should include the European Defense Agency, the Chairman of the Horizontal Working Group of the Cyberspace Council and one representative from the cybersecurity projects of the Permanent Structured Cooperation.

It should be emphasized that at the moment the EU is on the way to completing the European cybersecurity risk management system.

The results of the work of the EU Cybersecurity Agency demonstrate successful experience in bringing together stakeholders whose activities are aimed at ensuring cyber security. The adopted regulatory legal acts in the EU, strengthening the mandate of the EU Cybersecurity Agency, as well as acts regulating the activities in the field of cybersecurity of other reviewed bodies, emphasize this need.

Thus, the EU's approach to achieving a high level of cybersecurity is to create optimal conditions for strengthening further coordination and cooperation between relevant EU institutions, bodies and agencies. In order to provide mutual assistance to cyber communities responsible for cybersecurity, for combating cybercrime, for conducting cyber diplomacy, for cyber defense, the creation of a Joint cyber Unit was initiated.

In conclusion, it should be noted that the EU, as a regional integration organization where member states act on the basis of the principle of mutual trust, is a reliable platform for solving cybersecurity problems. This circumstance demonstrates the need to further strengthen cooperation between the Russian Federation and its partners at the regional level in order to achieve a high overall level of cybersecurity.

[1]With the adoption in December 2022. Directive 2022/2555 officially established the European Network of the Organization for Relations with Cyber Crises (hereinafter - EU-CyCLONe) to support the coordinated management of cybersecurity incidents throughout the EU, as well as to ensure the regular exchange of information between Member States and institutions, bodies, offices and agencies of the EU.

References
1. Kashkin S.Y. The Lisbon Treaty-a new stage in the development of the law of the European Union // State and Law, 9. 2008. P.59-66
2. Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency // Official Journal of the European Union. 13.3.2004. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32004R0460 (accessed 20.02.2023 .).
3. Judgment of the Court United Kingdom of Great Britain and Northern Ireland v European Parliament and Council of the European Union. Regulation (EC) No 460/2004-European Network and Information Security Agency-Choice of legal basis. CaseC-217/04. 2 May 2006 .10. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62004CJ0217&from=EN (accessed 20.02.2023 .).
4. Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) // Official Journal. 24.04.2002. URL: https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX%3A32002L0021 (accessed 20.02.2023 .).
5. Communication from the Commission to the European Parliament and the Council On the evaluation of the European Network and Information Security Agency (ENISA) // Brussels. 1.6.2007. URL: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52007DC0285 (accessed 20.02.2023 .).
6. Regulation (EC) no 1007/2008 of the European Parliament and of the Council of 24 September 2008 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration // Official Journal of the European Union. 31.10.2008. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32008R1007&from=EN (accessed 20.02.2023 .).
7. ouncil Resolution of 18 December 2009 on a collaborative European approach to Network and Information Security 2009/C 321/01 // Official Journal of the European Union. 29.12.2009. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32009G1229%2801%29 (accessed 20.02.2023 .).
8. Proposal for a Regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA) // Brussels. 30.9.2010. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52010PC0521&from=EN (accessed 20.02.2023 .).
9. Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the regions Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace // Brussels. 7.2.2013. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52013JC0001&from=EN (accessed 20.02.2023 .).
10. Regulation (EU) No 580/2011 of the European Parliament and of the Council of 8 June 2011 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration Text with EEA relevance // Official Journal of the European Union. 24.6.2011. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32011R0580&from=EN (accessed 20.02.2023 .).
11. Regulation (EU) No 526/2013 of the European Parliament and the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 // Official Journal of the European Union. 18.6.2013. URL: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32013R0526(accessed 20.02.2023 .).
12. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union // Official Journal of the European Union. 19.07.2016. URL: https://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN (accessed 20.02.2023 .).
13. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) // Official Journal of the European Union.07.06.2019. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2019.151.01.0015.01.ENG (accessed 20.02.2023 .).
14. Decision 2002/187/JHA setting up Eurojust with a view to reinforcing the fight against serious crime // Official Journal of the European Communities. 6.3.2002. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002D0187 (accessed 20.02.2023 .).
15. Regulation (EU) 2018/1727 of the European parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA/ // Official Journal of the European Union. 21.11.2018. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1727&from=BG (accessed 20.02.2023 .).
16. Conclusions of the Council of the European Union on the European Judicial Cybercrime Network-Council conclusions // Brussels. 9 June 2016. URL: https://www.consilium.europa.eu/media/24301/network-en.pdf (accessed 20.02.2023 .).
17.  .. 6 2009 . (). URL: https://eulaw.ru/translation/reshenie-o-sozdanii-evropola/ (accessed 20.02.2023 .).
18. Ilbiz E., Kaunert . Europol and cybercrime: Europols sharing decryption platform // Journal of Contemporary European Studies.2021. .3
19. Communication from the Commission to the European Parliament and the Council the EU Internal Security Strategy in Action: Five steps towards a more secure Europe // Brussels. 22.11.2010. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52010DC0673 (accessed 20.02.2023 .).
20. Communication From The Commission To The Council And The European Parliament Tackling Crime in our Digital Age: Establishing a European Cybercrime Centre // Brussels. 28.3.2012. URL: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52012DC0140 (accessed 20.02.2023 .).
21. Robinson N., Disley E., Potoglou D., Reding A., Culley D. M., Maryse M., Botterman M., Carpenter G., Blackman C., Millard J. Feasibility Study for a European Cybercrime Centre // RAND Corporation.2012.
22. Miadzvetskaya Y., Wessel R.A. The Externalisation of the EUs Cybersecurity Regime: The Cyber Diplomacy Toolbox // European Papers. 2022. No. 27/2022. 7(1). C. 413-438.
23. Operational guidance for the EU's international cooperation on cyber capacity building // Luxembourg: Publications Office of the European Union. 2018. URL: https://www.iss.europa.eu/content/operational-guidance-eu%E2%80%99s-international-cooperation-cyber-capacity-building (accessed 20.02.2023 .).
24. Council decision of 26 July 2010 establishing the organisation and functioning of the European External Action Service 2010/427/EU/ // Official Journal of the European Union. 3.8.2010. URL: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:201:0030:0040:EN:PDF (accessed 20.02.2023 .).
25. Duic D. The EEAS as a Navigator of EU Defence Aspects in Cyberspace/ Duic D. // European Foreign Affairs Review. 2021.
26.  . 101 114. 26. Council Joint Action 2004/551/CFSP of 12 July 2004 on the establishment of the European Defence Agency // Official Journal. 17.7.2004. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32004E0551 (accessed 20.02.2023 .).
27. EU Policy on Cyber Defence // Brussels. 10.11.2022. URL: https://www.eeas.europa.eu/sites/default/files/documents/Comm_cyber%20defence.pdf (accessed 20.02.2023 .).
28. Council Decision (CFSP) 2017/2315 of 11 December 2017 establishing permanent structured cooperation (PESCO) and determining the list of participating Member States // Official Journal of the European Union. 14.12.2017. URL: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32017D2315 (accessed 20.02.2023 .).
29. Renda K.K. The development of EU cybersecurity policy: from a coordinating actor to a cyber power? // Ankara AvrupaÇalışmalarıDergisi. N2.2021. . 467-495
30. European Union Military Vision and Strategy on Cyberspace as a Domain of Operations // (EEAS(2021) 706 REV 4, 15 September 2021. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004E0551 (accessed 20.02.2023.).
31. Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres // Official Journal of the European Union. 8.6.2021. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021R0887 (accessed 20.02.2023 .).
32. Kapustin A.Y. General characteristics of the basic principles of the ec institutional system // News of higher education institutions. Jurisprudence 1.2000. .232.
33. Agreement on strategic co-operation between the European Union Agency for Network and information security and the European Police office ( 26.06.2014). URL: https://www.europol.europa.eu/cms/sites/default/files/documents/Agreement_on_Strategic_Co-operation_between_the_European_Union_Agency_for_Network_and_Information_Security_and_the_European_Police_Office.pdf (accessed 20.02.2023)
34. Memorandum of Understanding on structured cooperation between ENISA and CERT-EU (15.02.2021). URL: https://www.enisa.europa.eu/about-enisa/structure-organization/management-board/management-board-decisions/mb-decision-2021-4-on-structured-cooperation-with-cert-eu-with-annex-mou (accessed 20.02.2023.).
35. Memorandum of Understanding The European Union Agency for Network and Information Security (ENISA) of the first The European Defence Agency (EDA) of the second part, Europols European Cybercrime Centre (EC3) of the third part, The Computer Emergency Response Team for the EU Institutions, Agencies and Bodies (CERT-EU) of the fourth part (23.05.2018). URL: https://eda.europa.eu/docs/default-source/documents/mou---eda-enisa-cert-eu-ec3---23-05-18.pdf (accessed 20.02.2023 .)
36. Commission Recommendation (EU) 2021/1086 of 23 June 2021 on building a Joint Cyber Unit // Official Journal of the European Union. 5.7.2021. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021H1086 (accessed 20.02.2023 .)
37. Ursula von der Leyen A Union that strives for more My agenda for Europe : political guidelines for the next European Commission 2019-2024. URL: https://op.europa.eu/en/publication-detail/-/publication/43a17056-ebf1-11e9-9c4e-01aa75ed71a1 (accessed 20.02.2023 .)

Peer Review

Peer reviewers' evaluations remain confidential and are not disclosed to the public. Only external reviews, authorized for publication by the article's author(s), are made public. Typically, these final reviews are conducted after the manuscript's revision. Adhering to our double-blind review policy, the reviewer's identity is kept confidential.
The list of publisher reviewers can be found here.

The subject of the study. The subject of the peer-reviewed article "The legal status of bodies and institutions of the European Union in the field of cybersecurity" is the norms of law enshrined in international legal acts defining the legal status of bodies (organizations) The European Union, which are entrusted with the functions of ensuring the international information security of the member States. Research methodology. The methodological apparatus of this scientific work consists of modern methods of cognition: historical, formal-logical, legal-technical, formal-dogmatic, comparative jurisprudence, etc. The author of the article also used such scientific methods and techniques as deduction, modeling, systematization and generalization. The main method is comparative analysis. The work used a combination of theoretical and empirical information. The relevance of research. Global digitalization and the construction of an information society (with the transition to a knowledge society), of course, in addition to "convenience", carries many challenges, risks and threats, which requires the adoption of appropriate legal, organizational and technical measures, including at the international level. The organizational and legal experience of the European Union may be of not only scientific, but also practical interest. The issue of the organization (structure of bodies) of information security in the territory of the European Union deserves attention. The scientific novelty of the research. Cybersecurity issues, including the organization of the activities of bodies (organizations) The European Union, were the subject of research by such authors as V.A. Giris, V.I. Pantin, A.K. Pankovskaya, etc. However, the aspect of the study chosen by the author of this article has elements of scientific novelty: for the first time, the necessity and expediency of a special institution is argued: "in order to provide mutual assistance to cyber communities responsible for cybersecurity, for combating cybercrime, for conducting cyber diplomacy, for cyber defense, the creation of a Joint cyber Unit was initiated." Style, structure, content. The article is written in a scientific style, using special terminology. The material is presented consistently, competently and clearly. The author's position is well-reasoned. Although the article is not formally divided into parts, it is nevertheless logically structured (introduction, main part and conclusion) . The topic stated by the author is disclosed, the content of the article corresponds to its title. Although, in the opinion of the reviewer, it may be incorrect to use the term "institutions" in the title of the article, since it needs to be clarified. One can only imagine that the author meant such a legal category as an "organization", since an "institution" for lawyers is a special organizational and legal form of non-profit organizations. Bibliography. Despite the rather large list of sources used, it can be noted that the author has not studied the works of other scientists (mentioned above: V.A. Giris, V.I. Pantin, A.K. Pankovskaya), who also studied the problems of international information security of the European Union. There are no references in the article to the works of the leading Russian expert in the field of information law and information security, T.A. Polyakova. Appeal to opponents. The appeal to the points of view of other scientists is correct, all borrowings are in the form of citations with links to the source of the publication. Conclusions, the interest of the readership. The reviewed article "The legal status of the bodies and institutions of the European Union in the field of cybersecurity" meets the requirements for scientific publications, is relevant, practically significant and contains elements of scientific novelty. This work is recommended for publication in the scientific journal International Law and International Organizations. because it meets the editorial policy of this publication. The article may be of interest to specialists in the field of information law and information security, international law, as well as teachers, doctoral students, postgraduates, undergraduates and students of law faculties and universities.