New Technologies in International Law / Tymofeyeva, Crhák et al.

data within the scope of this definition, 675 as stated in the Tallinn Manual. The above definitions are not ideal, but their flaws are quite different. The main criticism of the definitions that can be attempted by a process of reconstruction from the content of BC and DC is that a complex process of reconstruction is even required. Both acts define a number of terms: computer system, computer data, service provider, traffic data are for example defined in the BC. The DC adds to those definitions of content data, subscriber information, personal data, serious crime, child, property, proceeds of crime, freezing, confiscation, and predicate offence. What is missing from the catalogue, however, is a definition, a characterization of a cyber attack. Several key problems with such a solution can therefore be identified. Firstly, it forces the implementation of the DC principles into the orders of the signatory states on a very large scale. This causes a problem that can also be seen in the European Union when comparing the effectiveness of regulations and directives. If each state has to implement these solutions, far-reaching discrepancies will appear or, on the other hand, if an attempt is made to interfere extensively in the intellectual layer of criminal law in a given country, the solutions of the DC may prove impossible to implement in practice. Another example of the problems with such a definition are the far-reaching difficulties in modifying the adopted system. The need for constant fine-tuning of legal acts concerning cyber security can be seen, for example, in EU law, where the NIS Directive 676 has barely been implemented into the legal orders of the Member States and already had to be thoroughly reworked on the basis of the NIS2 Directive. 677 Relying on extremely general clauses makes them difficult to adapt. Of course, it can be argued that the original purpose of general clauses is precisely their generality, which allows them to be adapted to an ever-changing world. However, such an argument does not stand up to criticism in the field of cybersecurity. A good example is the phenomenon of ransomware: despite the plethora of regulations and the application of general sanctions for information security breaches throughout the Union, ransomware remains a problem and is unlikely to be solved without a tailor-made solution. This only underlines the phenomenon of ransomware being seen as illegal, using the analogy of kidnapping for ransom. This is a good example of how general criminal law norms diverge from the realities of cyberspace. One should therefore at least consider the approach proposed by some legal scholars, who advocate regulating these issues by influencing the architecture of the network, rather than solely through the letter of the law. The Convention has thus already missed an opportunity, which is not surprising given the timing of its creation, to regulate this issue in a functional manner. Nor can it be completely dismissed on the grounds that this approach was promoted by regulators in the years that followed. Unfortunately, it was also reflected in the draft proposed at the UN.

675 Ibid. 676 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [2016] OJ L194/1. 677 Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union [2022] OJ L333/80.

161