Governing the human factor in cybersecurity: A regulatory perspective
Abstract
In an increasingly interconnected world, cyberattacks have emerged as one of the most pressing global threats, endangering critical infrastructure, compromising sensitive data, and disrupting essential services across sectors. As a result, cybersecurity has become a key policy priority at all levels of governance. In response, the European Union (EU) adopted, inter alia, the Cybersecurity Strategy for the Digital Decade and significantly expanded its legislative framework to strengthen cybersecurity requirements through both horizontal and sector-specific regulatory instruments. Alongside policy instruments, cybersecurity efforts have emphasised technical measures to address the evolving cybersecurity threat landscape. However, there is growing recognition that cybersecurity cannot be effectively understood or addressed solely through technical measures. Cybersecurity posture depends not only on technological safeguards but also, fundamentally, on the so-called ‘human factor’. Against this backdrop, this article examines how the human factor is conceptualised and addressed within the EU’s cybersecurity legal frameworks. Adopting a qualitative, interdisciplinary approach grounded in doctrinal legal research, the article analyses the regulatory treatment of the human factor within EU cybersecurity law. It contributes to broader debates on cybersecurity governance by identifying regulatory gaps, proposing recommendations for better integrating human-centred cybersecurity strategies into EU regulatory frameworks, and outlining avenues for future research to strengthen cybersecurity resilience.
Keywords: Human Factor, Cybersecurity, Regulatory Governance
DOI: 10.54941/ahfe1007413


AHFE Open Access