Regulatory and legal framework of information and data security
Keywords:
Information, Digital Transformation, Legal Framework, Public Authorities, Regulatory Density, Sanctioning Practice, Panel Analysis, Financial Responsibility, Digital Governance, Institutional Efficiency, Cross-Jurisdictional Comparison
Abstract
The strengthening of regulation of personal data protection and cybersecurity is accompanied by an increase in the number of regulatory acts and in the complexity of their interaction in the digital economy. At the same time, quantitative approaches to assessing regulatory structures and their connection with law enforcement practice remain underdeveloped. The purpose of the study is to quantitatively assess the characteristics of information and personal data protection regimes in the EU, Ukraine, the United Kingdom and California, and to analyze the relationship between regulatory density and sanction activity. The methodology includes coding 18 regulatory acts, calculating the Regulatory Density Index, analyzing the share of regulations with financial sanctions, studying law enforcement indicators for 2018–2025, and panel regression. The results showed significant differences between jurisdictions. The highest concentration of mandatory norms and financial liability is found in the EU, while Ukraine is characterized by a relatively high regulatory density but a weaker sanction component. The analysis also showed an increase in the number of fines and reports of violations in the EU. The results indicate a positive relationship between regulatory architecture and sanction activity, but do not confirm a causal relationship.
License
Copyright 2026 Svitlana Nishchymna, Svitlana Nazarko, Volodymyr Pekarchuk, Yuliia Petrovska, Alla Popruzhna

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International license.
Authors who publish with this journal agree to the following terms:
- Authors transfer all their copyright to the journal Cadernos de Dereito Actual, which will take charge of disseminating the work and always citing its author.
- Authors undertake not to submit the article to, or publish it in, another journal.
- Authors are permitted and encouraged to disseminate their work online (e.g., in institutional repositories or on their own website) before and during the submission process, which can lead to interesting exchanges and increase citations of the published work, provided that reference is made to Cadernos de Dereito Actual.
- Cadernos de Dereito Actual accepts no responsibility for any published article in the event that the author has engaged in plagiarism or any unfair practice when writing and/or submitting the article. Any civil or criminal liability will always rest with the author of the article.
All content published in the journal is protected under a "Creative Commons - Attribution - Non Commercial" license. Everyone has the right to freely access the journal's content.

