From insight to compliance: Appropriate technical and organisational security measures through the lens of cybersecurity maturity models

COMPUTER LAW & SECURITY REVIEW (2024)

Abstract
Cybersecurity is a much-debated topic in both technical and legal scholarship. With contemporary business models hinging on highly performant information systems, there is increased awareness among entrepreneurs that security incidents often have devastating consequences on undertakings' revenue streams, intellectual property, and brand reputation. As a result, there is an increased focus on the obligation to implement cybersecurity measures. In the context of the GDPR, cybersecurity obligations seem to converge on the requirement to deploy 'appropriate technical and organisational measures' in order to ensure a level of security commensurate with the risks posed to an organisation. Yet, given the complex and rapidly evolving nature of the subject matter, the precise meaning and scope of these obligations remain unclear. This contribution offers guidance on how to assess the concept of 'appropriate technical and organisational measures' by considering it through the lens of cybersecurity maturity models. Accordingly, this article provides anchorage to scholarly audiences when scrutinizing the extent to which privacy and security measures qualify as 'appropriate' in the context of liability claims and actions for damages, thereby creating an opportunity to move from technical insight to legal compliance.
Keywords
Cybersecurity, Appropriate technical and organisational measures, IT systems, GDPR, Risk assessment, Compliance obligations