“Resilience” may be the most used and least defined word in European cybersecurity today. Once a concept borrowed from ecology and materials science, it has since been stretched across political speeches, EU regulations, and national strategies until a precise meaning has all but dissolved. A new legal study by the emergenCITY researchers Gerrit Hornung and Lars Pfeiffer now asks the question: if nobody agrees on what resilience means, how can it be the foundation of Europe’s digital security framework?
Prof. Dr. Gerrit Hornung, Head of the Department of Public Law, IT Law, and Environmental Law at the University of Kassel, Lars Pfeiffer, and Paul Zurawski published the article “Resilience as a Complement to IT Security: On the Semantic and Normative Value of the Concept of Resilience in IT Law” on 9 January 2026 in the Zeitschrift für das Recht der digitalen Wirtschaft (ZfDR), a leading German journal for digital and IT law. It exposes a striking inconsistency in the use of the term resilience at the heart of EU IT security regulation.
Study reveals an inconsistent use of the term resilience in EU IT security law
Through a systematic analysis of over 30 EU legal acts, German cybersecurity strategies, and annual reports of the Federal Office for Information Security (BSI) dating back to 2005, the authors show that “resilience” went from virtually absent in German-language policy before 2016 to appearing over 80 times in the BSI’s 2024 report alone. Yet this explosion in usage of the term came without a clear or consistent definition. Across eleven EU legal acts, the same English word “resilience” was translated into German in at least six different ways — including Widerstandsfähigkeit, Abwehrfähigkeit, and Robustheit — while French versions consistently used résilience. The three flagship EU regulations on resilience — the CER Directive, DORA, and the Cyber Resilience Act — each define it differently, or not at all.
Far-reaching consequences for German lawmakers
With Germany still in the process of transposing the CER Directive into national law, this conceptual disorder is not just an academic concern — it creates real legal uncertainty for organisations operating across sectors, leaving them unable to determine whether different regulations are actually demanding the same things of them.
The authors argue that true resilience goes far beyond resistance or robustness. It means not just “bouncing back” after a crisis, but “bouncing forward” — adapting, learning, and emerging stronger. This dynamic, process-oriented understanding is precisely the meaning of resilience that emergenCITY’s research is built on, and what the authors call on European and German legislators to adopt as a single, unified standard across all EU IT security law before the window of opportunity closes.
Publication
Resilienz als Ergänzung von IT-Sicherheit. Zum semantischen und normativen Mehrwert des Resilienzkonzepts im IT-Recht
By Prof. Dr. Gerrit Hornung, Lars Pfeiffer, and Paul Zurawski. In: ZfDR 2026, 75.
For more information and full article access