Module 2: Core Legal Standards – Security-by-Design, Reasonable Security, and Accountability - Global Cybersecurity Law and Regulatory Landscape

Step 1 – Why these three standards matter everywhere

In Module 1 you mapped the global cybersecurity law landscape. This module zooms in on three core standards that appear again and again in different laws and guidance:

Security-by-design / privacy-by-design
Reasonable security / risk-based security
Accountability, governance, and documentation

Across very different regimes—like the EU GDPR (in force since 2018), NIS2 (adopted 2022, applies from October 2024), and the U.S. FTC Act Section 5 enforcement—regulators keep asking similar questions:

Did you build security into the system from the start?
Are your protections reasonable for your risks?
Can you prove, with documentation and governance, that you did the right things?

Think of these three standards as a triangle:

One side: design (security/privacy-by-design)
One side: substance (reasonable, risk-based security)
One side: proof (accountability and documentation)

This module helps you:

Define each standard in legal-regulatory terms
Compare how they show up in GDPR, NIS2, and U.S. FTC practice
Translate them into internal policies, controls, and records you’d expect in an organization

Step 2 – Security-by-design and privacy-by-design in law

1. Core idea

Security-by-design means integrating security from the earliest stages of system and product development, not bolting it on at the end. Privacy-by-design applies the same idea to personal data and privacy risks.

2. Key legal anchors (as of early 2026)

EU GDPR (since 2018)
Art. 25 – Data protection by design and by default
Controllers must implement appropriate technical and organizational measures (TOMs) both at the time of the determination of the means for processing and at the time of the processing itself.
Examples: data minimization, pseudonymization, user-friendly privacy settings.
Art. 32 – Security of processing connects design to actual security controls (confidentiality, integrity, availability, resilience).

EU NIS2 Directive (adopted 2022, applies from Oct 2024)
Focuses on essential and important entities (e.g., energy, transport, digital infrastructure).
Requires “appropriate and proportionate technical, operational and organizational measures” for cybersecurity risk management, which must be integrated into governance and development (e.g., supply chain security, secure development practices).

U.S. FTC Act Section 5 (unfair or deceptive practices)
No single statute saying “security-by-design,” but FTC enforcement actions and orders effectively require it.
The FTC criticizes companies that launch products without baseline protections or that ignore known security design flaws.
Recent FTC orders often require secure software development life cycle (SSDLC) practices.

3. What security-by-design looks like in practice

Think of a software development lifecycle (SDLC) with built-in security checkpoints:

Requirements phase

Identify data types, threat models, legal requirements (GDPR, sector laws).
Decide on data minimization and access control before coding.

Design phase

Use secure architecture patterns (e.g., layered defenses, least privilege).
Choose privacy-enhancing techniques (pseudonymization, differential access).

Implementation phase

Secure coding standards, code reviews, static analysis tools.
Secrets management (no credentials in code repos).

Testing and deployment

Security testing (penetration tests, fuzzing).
Privacy impact assessments (e.g., GDPR DPIA when high risk to rights and freedoms).

Operations and maintenance

Patch management, vulnerability disclosure policy.
Logging, monitoring, and regular security reviews.

Legally, regulators don’t prescribe one methodology, but they expect documented, systematic security-by-design practices, not ad hoc fixes.

Step 3 – Example: Security-by-design vs. security-after-the-fact

Imagine a startup building a fitness tracking app that collects location and health data.

Scenario A – Security-after-the-fact (non-compliant behavior)

The team rushes to launch with default public profiles.
All data is stored unencrypted in a single cloud database.
No access control model; all developers can query production data.
Only after a security incident do they add encryption and restrict access.

Legal/regulatory view:

Under GDPR Art. 25 & 32, this is problematic: they didn’t consider data protection by design or implement appropriate measures from the start.
Under FTC Section 5, this could be seen as unreasonable security, especially if the company claimed to be “secure” in marketing.

Scenario B – Security-by-design (more compliant behavior)

During requirements, they classify data as sensitive (health + location).
They design role-based access control so only specific backend services can read raw data.
They configure encryption in transit and at rest from day one.
They set privacy-by-default: user profiles are private unless explicitly changed.
Before launch, they perform a DPIA (GDPR context) and document risks and mitigations.

Legal/regulatory view:

This aligns with security-by-design and privacy-by-design principles.
If an incident still occurs, regulators will look at the documented process to judge whether the company acted responsibly.

The contrast shows that design decisions + documentation significantly influence legal exposure, even when both apps might suffer some vulnerabilities.

Step 4 – What is “reasonable security” and risk-based security?

1. Why laws use flexible terms

Most laws avoid listing a fixed set of security controls. Technology, threats, and best practices change too fast. Instead, they use phrases like:

“Appropriate technical and organizational measures” (GDPR, NIS2)
“Reasonable security procedures and practices” (common in U.S. state laws, e.g., California)
“Reasonably designed” security programs (FTC settlements)

These terms all point to a risk-based approach: security should be proportionate to the risks created by your data, systems, and business model.

2. Key legal references

GDPR Art. 32

Controllers and processors must ensure a level of security “appropriate to the risk”, considering:

State of the art
Implementation costs
Nature, scope, context, and purposes of processing
Risks to rights and freedoms of natural persons

NIS2

Requires risk-management measures that are appropriate and proportionate. It lists areas like:

Policies on risk analysis and information system security
Incident handling
Business continuity and crisis management
Supply chain security
Secure development and vulnerability handling

U.S. FTC (Section 5)

The FTC evaluates whether a company’s practices are “reasonable” in context. Examples of unreasonable practices from past cases:

Storing passwords in plain text
Using default or hard-coded credentials
Failing to patch known, exploitable vulnerabilities
Collecting sensitive data without adequate access controls

3. Risk-based approach in practice

A simple 4-step risk-based approach:

Identify assets and data

What systems and data are you protecting? (e.g., personal data, payment data, OT systems)

Assess threats and vulnerabilities

Who might attack (insiders, criminals, state actors)?
What weaknesses exist (unpatched servers, poor access control)?

Estimate impact and likelihood

What happens if data is breached or systems go down?
Consider legal, financial, operational, and human rights impacts.

Select controls proportionate to risk

Higher risk → stronger controls (e.g., MFA, segmentation, encryption, formal incident response).
Document why some controls were not adopted (cost, feasibility, alternative safeguards).

Regulators don’t require perfect security; they expect a defensible, well-documented risk-based program.

Step 5 – Thought exercise: Is this security “reasonable”?

Consider a small online bookstore that stores:

Customer names and addresses
Purchase history
Hashed passwords
No payment card data (outsourced to a PCI-compliant payment processor)

They currently:

Use HTTPS for all traffic
Store passwords using a modern hashing algorithm with salt
Have daily backups, but backups are not encrypted
Do not use multi-factor authentication (MFA) for admin accounts
Patch servers irregularly, sometimes months late

Your task (reflect, maybe jot notes):

Which controls look reasonable for their risk profile?
Which practices are likely unreasonable, especially under GDPR Art. 32 or FTC standards?
If you had to fix two things first, what would they be and why?

Use these prompts:

Risk to individuals: What could go wrong for customers?
State of the art: Are there widely accepted, affordable best practices they’re ignoring?
Documentation: How would you justify their current setup to a regulator after a breach?

You don’t need a single “correct” answer; the goal is to apply the risk-based reasoning regulators use.

Step 6 – Accountability, governance, and documentation

1. Accountability: the legal idea

Accountability means an organization must not only comply with the law, but also be able to demonstrate that compliance.

Under GDPR (Art. 5(2)), the controller is responsible for, and must be able to demonstrate compliance with data protection principles.
Under NIS2, management bodies (e.g., boards) have explicit responsibility and oversight duties; they can face sanctions for non-compliance.
Under FTC practice, companies are expected to implement, monitor, and update security programs, and to keep records that show what they actually did.

2. Governance structures regulators look for

Common expectations across regimes:

Clear roles and responsibilities
Who is responsible for cybersecurity? (CISO, DPO, security lead)
Who reports to the board or top management?

Policies and procedures
Written information security policy
Access control policy
Incident response plan
Vendor / supply chain security policy

Training and awareness
Regular training for employees, tailored to roles.
Records of who was trained and when.

Monitoring and improvement
Periodic risk assessments and audits
Metrics and KPIs (e.g., patching timelines, phishing click rates)
Management review and follow-up actions

3. Documentation duties (what to write down)

Examples of documents that show accountability:

Risk assessments and DPIAs (where required)
Records of processing activities (GDPR Art. 30)
Security policies and standards
Incident logs: what happened, detection, response, lessons learned
Vendor due diligence records (questionnaires, contracts, security addenda)
Board/management minutes discussing cybersecurity and approving budgets

From a legal perspective, “not written = didn’t happen”. Good documentation can significantly reduce regulatory penalties after an incident, because it shows you acted responsibly and systematically.

Step 7 – How these standards shape internal policies and controls

Let’s translate the three standards into concrete internal artifacts you’d expect to see in an organization.

1. Security-by-design → Development and product practices

Secure SDLC policy
Requires security requirements in design documents.
Mandates threat modeling for new high-risk features.
Requires security testing before production releases.

Privacy-by-design guidelines
Checklist for product teams: data minimization, default privacy settings, transparency.
Template for Data Protection Impact Assessments (DPIAs).

2. Reasonable, risk-based security → Technical and organizational controls

Access control and authentication standard
MFA for admins and remote access.
Role-based access control aligned with least privilege.

Vulnerability and patch management procedure
Timeframes: e.g., critical patches within 7 days.
Documentation of exceptions and risk acceptance.

Backup and recovery policy
Frequency, encryption, and periodic restore tests.

3. Accountability → Governance and documentation

Information Security Policy approved by top management.
Formal assignment of roles (e.g., CISO, DPO, incident response lead).
Training records and annual policy review logs.
Incident response runbooks and after-action reports.

#### Visualizing it (text-based diagram)

```text

[Law/Regulation]

| (standards: security-by-design, reasonable security, accountability)

[Internal Governance]

Policies (security, privacy, incident response)
Roles (CISO, DPO, IT ops)
Risk assessments & oversight

[Controls in Practice]

Secure coding, MFA, logging, backups
Vendor security, training, monitoring

[Documentation]

Evidence that all of the above actually happens

```

When analyzing any security program, you can map each policy or control back to one or more of the three standards.

Step 8 – Quick check: Security-by-design vs. reasonable security

Answer this question to test your understanding of the distinction.

Which statement best captures the relationship between **security-by-design** and **reasonable security**?

Security-by-design is about building security into systems from the start; reasonable security is about choosing controls proportionate to risk.
Security-by-design is only about encryption; reasonable security is only about physical security.
Security-by-design and reasonable security mean exactly the same thing in all laws and can always be used interchangeably.

Show Answer

Answer: A) Security-by-design is about building security into systems from the start; reasonable security is about choosing controls proportionate to risk.

Security-by-design focuses on *when and how* you integrate security (early, systematically, throughout the lifecycle). Reasonable security focuses on *what level and type of controls* are appropriate given your risks. They are closely related but not identical concepts.

Step 9 – Quick check: Accountability in practice

Test your understanding of accountability and documentation.

Which of the following best illustrates **accountability** under GDPR and similar regimes?

Having strong technical controls but no written policies or records of decisions.
Being able to show documented risk assessments, policies, and decisions that explain why specific controls were chosen.
Relying on a vendor’s marketing claims about security without any due diligence.

Show Answer

Answer: B) Being able to show documented risk assessments, policies, and decisions that explain why specific controls were chosen.

Accountability is not just about having controls; it’s about being able to **demonstrate** through documentation and governance that you identified risks, chose controls, and monitored them in a structured way.

Step 10 – Review key terms

Flip these cards (mentally or in notes) to reinforce the core concepts from this module.

Security-by-design: An approach where security considerations are integrated from the earliest stages of system and product design through deployment and maintenance, rather than added as an afterthought.
Privacy-by-design: A principle (explicitly in GDPR Art. 25) requiring controllers to embed data protection and privacy safeguards into the design of processing activities and systems, including privacy-friendly defaults.
Reasonable security: A flexible legal standard requiring security measures that are appropriate and proportionate to the risks, considering state of the art, costs, context, and potential impact on individuals and operations.
Risk-based approach: A method of designing security by identifying assets and threats, assessing likelihood and impact, and selecting controls proportionate to the level of risk.
Accountability (GDPR Art. 5(2)): The obligation of controllers to comply with data protection principles and to be able to demonstrate that compliance, typically through governance structures and documentation.
Technical and organizational measures (TOMs): A broad category of security and governance measures—both technical (e.g., encryption, access control) and organizational (e.g., policies, training)—used to protect data and systems.
NIS2 Directive: An EU directive (adopted 2022, applicable from October 2024) that strengthens cybersecurity requirements for essential and important entities, emphasizing risk management, governance, and reporting.
FTC Act Section 5 (security context): The U.S. Federal Trade Commission’s authority to act against unfair or deceptive practices, including unreasonable cybersecurity practices or misleading security/privacy claims.

Step 11 – Mini-application: Draft a one-paragraph policy snippet

To connect law to practice, draft a short policy snippet (4–6 sentences) for an imaginary company’s “Security-by-Design and Accountability Policy.”

Include at least:

A sentence committing to security-by-design (when in the lifecycle security must be considered).
A sentence about risk-based, reasonable security (how controls are chosen).
A sentence about accountability and documentation (records, reviews, responsibility).

Example structure (do NOT just copy; adapt in your own words):

> Our organization integrates security and privacy considerations into all stages of system and product development. We select and maintain technical and organizational measures proportionate to the risks associated with our data and services, taking into account state of the art and implementation costs. Responsibilities for cybersecurity and data protection are clearly assigned, and we maintain written records of risk assessments, design decisions, and security controls to demonstrate compliance with applicable laws.

Activity:

Write your own version in your notes.
Underline or highlight which sentence maps to security-by-design, which to reasonable security, and which to accountability.

This exercise mirrors what junior professionals often do in real organizations: turning abstract legal standards into clear, internal policy language.

Key Terms

GDPR: The EU General Data Protection Regulation, in force since 2018, setting comprehensive rules for personal data protection and including explicit requirements for security and accountability.
NIS2: The second EU Directive on Security of Network and Information Systems, adopted in 2022 and applicable from October 2024, strengthening cybersecurity obligations for essential and important entities.
Accountability: The obligation of organizations to comply with legal requirements and to be able to demonstrate that compliance through governance, processes, and documentation.
FTC Act Section 5: A provision of U.S. law that prohibits unfair or deceptive acts or practices in or affecting commerce; used by the FTC to enforce against inadequate or misleading data security practices.
Privacy-by-design: A principle requiring that privacy and data protection are embedded into the design and operation of IT systems, business practices, and services, with privacy-friendly defaults.
Security-by-design: An approach to system and product development where security is considered and integrated from the earliest design stages through deployment and maintenance.
Reasonable security: A legal standard requiring security measures that are appropriate and proportionate to the risks, considering state of the art, implementation costs, context, and potential impact.
Risk-based approach: A method of planning and implementing security by analyzing risks (likelihood and impact) and tailoring controls to those risks instead of applying the same controls everywhere.
DPIA (Data Protection Impact Assessment): A structured process under GDPR to assess and document the risks of processing operations that are likely to result in high risk to individuals’ rights and freedoms, and the measures to address those risks.
Technical and organizational measures (TOMs): The combined set of technical controls (e.g., encryption, access control) and organizational practices (e.g., policies, training, governance) used to protect data and systems.