EU Cybersecurity: Legislative Developments for the Region
Publication | 05.14.24
Cybersecurity plays a key role in various legal instruments of the European Union. It frequently appears as a specific duty or as a necessary element for establishing trust with the public.
At the center of cybersecurity in the EU is Directive (EU) 2022/2555 (NIS 2). NIS 2 entered into force on January 16, 2023, replacing the former NIS Directive. Its goal is to strengthen cybersecurity by laying down measures that establish a high common level of cybersecurity across the EU. NIS 2 expands the scope of cybersecurity requirements to include both “essential” and “important” entities across various sectors, including energy, transportation, banking, health, digital infrastructure, and others. It sets thresholds based on the size of the entity, and noncompliance can result in significant penalties. EU Member States have until October 2024 to implement NIS 2 in their respective jurisdictions.
In a similar vein, the Directive on the resilience of critical entities (Critical Entities Directive) and the Regulation on digital resilience for the financial sector (DORA) also entered into force in 2023. The Critical Entities Directive requires EU Member States to take specific measures to ensure that services essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner and to enhance the resilience of critical entities providing such services. The law also requires Member States to identify critical entities and to support those entities in meeting the new cybersecurity obligations. DORA establishes uniform requirements concerning the security of network and information systems supporting the business processes of financial entities.
Also in 2023, the European Union made significant advancements in cybersecurity legislation, focusing on enhancing security across various sectors and reinforcing the resilience of digital products and services. Key developments include the proposed amendment to the Cybersecurity Act, the proposal for a Cyber Solidarity Act, and the agreement on the text of the Cyber Resilience Act.
The European Union Agency for Cybersecurity (ENISA) plays a crucial role in establishing and maintaining the EU cybersecurity certification framework. Currently, this framework includes certification schemes for ICT products, services, and processes. A targeted amendment to the EU Cybersecurity Act proposed in April 2023 will further enable the adoption of EU certification schemes for managed security services, covering areas like incident response and security audits.
In April 2023, the European Commission proposed the Cyber Solidarity Act, which seeks to further improve the response to cyber threats across the EU. The proposal includes a European Cybersecurity Shield and a comprehensive Cyber Emergency Mechanism intended to strengthen the EU's collective cyber defense.
Lastly, on November 30, 2023, the European Commission, Council, and Parliament reached an agreement on the text of the Cyber Resilience Act (original proposal), which is considered a major step toward ensuring the security of products with digital elements. The European Parliament approved the Cyber Resilience Act on March 12, 2024. Once formally adopted by the Council, the text will be published in the Official Journal of the European Union. The Regulation is expected to enter into force in early 2024 and to become applicable within 21 months (for reporting certain incidents and vulnerabilities) to 36 months after its entry into force.