Privacy and information security are some of the core concerns in the design, development, and operation of IT systems. With recently published solid evidence from Europol [2016 and 2017; Internet Organised Crime Threat Assessment (IOCTA)], the size and intensity of the problem facing Europe is well documented. It was in May and June 2017 that waves of serious attacks based on exploits leaked after the intrusion of secret service systems (EternalBlue 2017) have again shown the need for a concerted action against these now very dangerous attacks (National Audit Office 2017). With new legislation in both areas, privacy protection [General Data Protection Regulation (GDPR), Regulation (European Union [EU]) 2016/679] (European Parliament and Council of the EU 2016a), and critical infrastructure security [NIS Directive, Directive (EU) 2016/1148] (European Parliament and Council of the EU 2016b), the EU is now countering the growing danger on a strategic level. These two pieces of legislation are a direct consequence of the European cybersecurity strategy (EU 2013), which paved the way for a now far more integrated approach.