Hostname: page-component-76d6cb85b7-xh428 Total loading time: 0 Render date: 2026-07-16T08:47:14.168Z Has data issue: false hasContentIssue false

Rethinking Cybersecurity Research Governance: Lessons from the Act on Digital Services?

Published online by Cambridge University Press:  29 October 2025

Michal Rampášek
Affiliation:
Faculty of Law, Institute of Information Technology Law and Intellectual Property Law, Comenius University Bratislava, Bratislava, Slovakia
Matúš Mesarčík*
Affiliation:
Faculty of Law, Institute of Information Technology Law and Intellectual Property Law, Comenius University Bratislava, Bratislava, Slovakia
*
Corresponding author: Matúš Mesarčík; Email: matus.mesarcik@flaw.uniba.sk
Rights & Permissions [Opens in a new window]

Abstract

EU law lacks a coherent legal framework that adequately defines, protects, and empowers cybersecurity researchers, particularly those operating outside formal institutions. This paper examines how cybersecurity research fits within the evolving EU regulatory landscape, with a particular focus on the Digital Services Act (DSA), the Cyber Resilience Act (CRA), and the NIS2 Directive. It explores the legal ambiguity surrounding researcher status, the conditions for data access and auditing under the DSA, and the challenges posed by current vetting requirements. Drawing on doctrinal legal analysis and interdisciplinary insights from cybersecurity and platform governance, the paper argues that while the DSA provides novel tools such as vetted researcher access and auditing obligations for Very Large Online Platforms (VLOPs) its structure is better suited for systemic risk research than for adversarial, exploratory cybersecurity testing. The paper concludes that a sustainable model for cybersecurity research governance in the EU must go beyond DSA-style vetting, incorporating flexible mechanisms like coordinated vulnerability disclosure and bug bounty programs, as reflected more directly in the CRA.

Information

Type
Articles
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2025. Published by Cambridge University Press