The European Union demonstrated its commitment to fighting cybercrime early in 2001 when it joined the Budapest Convention on Cybercrime. The approach gained a clearer structure when the EU Cybersecurity Strategy for the Digital Decade was laid out in 2010.
However, to keep pace with the fast evolution of technology and the blitzkrieg approach of cybercriminals, the EU member states needed a proactive and collective stance. Hence, the EU Cyber Resilience Strategy was adopted in 2013 with more comprehensive plans for risk assessment, incident response, and capacity building. This was followed by the NIS Directive in 2016, the GDPR, and now the NIS2 Directive of 2022.
Any company that currently conducts business within the EU or with EU member countries is bound to comply with one or more cybersecurity regulations. The first step toward compliance is building awareness.
The European Commission has been consistently active in building a common high-level security framework for essential services and commercial outfits across the continent. This post covers 13 cybersecurity regulations and laws in the European Union that affect most business conducted within and with the EU member states.
The 13 cybersecurity regulations in the EU you need to know
- Directive on Security of Network and Information Systems (NIS Directive)
- General Data Protection Regulation
- Electronic Identification, Authentication and Trust Services (eIDAS)
- Payment Services II Directive (PSD2) and Regulatory Technical Standards for Secure Customer Authentication (RTS SCA)
- eInvoicing Directive
- Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)
- Digital Services Act
- Digital Markets Act
- Data Governance Act
- Data Act
- Cybersecurity Act
- Cyber Resilience Act
- AI Act (PROPOSED)
The sections that follow briefly describe these cybersecurity acts and regulations and their impact on state-run and corporate entities.
Directive on Security of Network and Information Systems (NIS Directive) 2016
The NIS Directive was adopted in 2016 to improve cybersecurity across the EU. It set minimum cybersecurity requirements for operators of essential services (OES) and digital service providers (DSPs). The impacted sectors included energy, transport, healthcare, and banking.
The NIS Directive mandated OES and DSPs to
- Implement appropriate technical and organizational measures for managing cybersecurity risks.
- Report security incidents to national authorities within a stipulated timeline.
- Ensure cooperation among states in cross-border cybersecurity incidents.
The Impact of the NIS Directive
- Reduction of the risk of major disruptions in essential services like energy, transport, healthcare, and finance.
- Increased investment in cybersecurity systems and personnel.
- Reduced disparities in regulations across the EU states.
The European Union General Data Protection Regulation (GDPR)
The General Data Protection Regulation is one of the key regulations governing data protection and privacy in the European Union and the European Economic Area (EEA).
The GDPR aims to give citizens control over their data while simplifying the regulatory environment for international business through the implementation of unified regulations across the European Union.
The GDPR applies to any organization that:
- Offers goods or services to people in the EU, regardless of the organization’s location.
- Monitors the behaviour of people in the EU, regardless of the organization’s location.
- Processes the personal data of EU residents.
It also gives citizens certain rights, including but not limited to:
- The right to access their data
- The right to have their personal data rectified
- The right to data portability
- The right to object to the processing of their personal data
- The right to erase their personal data
Payment Services II Directive (PSD2) and Regulatory Technical Standards for Secure Customer Authentication
The PSD2 is a European directive for securing electronic payments. It came into force in 2019 and impacts banks, financial technology companies, and other businesses that use payment data. The PSD2 is an enhancement of the first Payment Services Directive of 2007.
- The PSD2 sets security requirements for initiating and processing electronic payments.
- It encourages banks to share customer data securely with third-party providers.
- It facilitates a more competitive payment market while allowing customers to access and aggregate their banking data.
Electronic Identification, Authentication and Trust Services
The eIDAS is a European regulation designed to make electronic transactions between businesses safer. It created a single framework for the 27 EU member states to share. This framework promotes interoperability among European states and ensures that businesses operating in different countries recognize each other’s electronic ID schemes.
- Reduces the administrative burden of business-level transactions
- Gives legal certainty to transactions
- Enables more efficient task completion and shorter process cycles
eInvoicing Directive
The eInvoicing Directive, or Directive 2014/55/EU, came into force on April 16, 2019. According to this directive, all European public administrations must be able to accept electronic invoices from their suppliers. This allows suppliers to negotiate electronically with purchasers. The European Commission launched a survey in 2023 to evaluate the effect of the eInvoicing Directive.
Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)
The NIS2 modernizes the existing legal framework of the NIS Directive to keep up with the evolving cyber threat landscape and to unify the European front against cybercrime.
It addresses certain gaps in the NIS Directive and brings more sectors and entities within its scope. The NIS2 Directive has four focus areas: risk management, corporate accountability, business continuity, and reporting obligations.
Enforcement of the NIS2 Directive is currently underway and member states have until October 17, 2024, to adopt the directive into national law.
Basic requirements under the NIS2 Directive
- Each member state must have a Computer Security Incident Response Team (CSIRT) and a national Network and Information Systems (NIS) authority.
- Facilitating the exchange of information among member states is an important aspect of NIS2. Member states must establish a cooperation group for strategic cooperation and the exchange of information.
- The directive promotes a security-first culture in essential sectors such as energy, transport, water, and banking.
Laws pertaining to cybersecurity passed in the European Union (EU)
The European Parliament, along with the European Commission, has been committed to laying out well-paved legal pathways towards building more secure organizations, governments, and nations. Here are short discussions of some of the acts passed and proposed in the European Parliament pertaining to cybersecurity in the EU.
Digital Services Act
The Digital Services Act or DSA was adopted in April 2022 and it came into force on November 16, 2022.
The DSA applies to
- Social media platforms
- Online marketplaces
- Search engines
It’s a far-reaching, landmark piece of legislation whose full impact is yet to be understood. Some of the obligations the DSA imposes on digital platforms include:
- Taking down illegal content promptly
- Identifying and mitigating risks of illegal content
- Providing transparent reporting on their content moderation practices
- Cooperating with national authorities
It also introduces certain rules pertaining to advertising:
- It bans targeted advertising based on sensitive personal data such as race, religion, and sexual orientation.
- It strengthens users’ right to know how their data is used for advertising.
Digital Markets Act
The Digital Markets Act identifies the “gatekeepers” of the digital market (organizations with vast influence and a major market share) and regulates them to level the playing field for other organizations. The gatekeepers include app stores, search engines, and social media platforms. The DMA also gives the European Commission the power to penalize non-compliant organizations with fines of up to 10% of global turnover.
Data Governance Act
The Data Governance Act works in tandem with the DSA and the DMA to ensure secure data sharing and data availability, and to build accountability and transparency in the European data space.
European Union Cybersecurity Act
The Cybersecurity Act strengthens the EU Agency for Cybersecurity (ENISA) by giving it a permanent mandate, as opposed to the previous five-year renewal scheme, and by making more funds and other resources available for its tasks.
With the capacity to lay out long-term plans and being endowed with more resources, the ENISA is now responsible for
- Helping member states with cyber incident response and capacity building
- Creating pan-European cybersecurity exercises and simulations
- Maintaining the European cybersecurity certification framework
A proposed amendment to the EU Cybersecurity Act will enable managed security service providers to adopt the schemes in the EU cybersecurity certification framework.
European Union Cyber Resilience Act
The Cyber Resilience Act was proposed in 2022 and is still under development. This act aims to dive deeper into the technical aspects of cybersecurity across Europe.
Some of the key goals of the Cyber Resilience Act are:
- Setting minimum security requirements for hardware and software products
- Establishing a harmonized EU-wide cybersecurity certification scheme
- Introducing stricter oversight and enforcement mechanisms
AI Act (Proposed)
The European Union Artificial Intelligence Act is also under development. It addresses the safe, ethical, and transparent development of AI and the prohibition of certain high-risk AI initiatives. The act is expected to come into force by 2025.
Interesting developments in the EU cybersecurity space
The European Commission has dedicated a budget of €84 million to support the activities of Security Operation Centres towards the development of novel technologies.
Detection speed is key to effectively respond to cyber threats. That is why we want to invest in novel AI applications and other enabling technologies to strengthen our European SOC infrastructure and achieve a true European cyber shield.
Thierry Breton, Commissioner for Internal Market
Proposals are invited for projects that would facilitate the implementation of the Cyber Resilience Act and help Europe transition to post-quantum cryptography.
With the magnitude of cyber threats increasing exponentially, cybersecurity is a must-have. This call for supporting technologies will help the EU invest to protect us as citizens, our societies, and our economy.
Margrethe Vestager, Executive Vice-President for a Europe fit for the Digital Age
Overall, the European Commission is determined to take the fight to cybercriminals through its legislative powers, and we are poised to see more meaningful additions to this list.