The rapid increase of cybersecurity challenges in recent years, such as growing ransomware attacks, has forced the US to devise new mandatory regulations. These requirements are aimed to help combat cybercrime by increasing organizations’ level of cybersecurity capabilities.
Complying with these regulations is necessary to keep organizations accountable for their mandatory security posture. More importantly, organizations need to stay up to date with the ever-changing landscape of the law to maintain an effective cybersecurity strategy.
This crucial obligation to constantly keep track of updated cybersecurity laws and information security standards can be difficult and time-consuming for cybersecurity experts. So it’s often overlooked, or experts are forced to prioritize local regulation news.
However, foreign cybersecurity regulations like in the European Union also greatly impact organizations, companies, and institutions worldwide – especially those in the financial and healthcare industries. This is why it’s important to be properly informed and updated on the latest in cybersecurity outside the US as well.
Cyber Organizations, Communities, and Groups
Before introducing the regulations, it’s crucial to understand the important groups, organizations, teams, institutions, and collaborations between cybersecurity communities within the EU. This will give you more context and help you understand the EU regulations discussed below.
ENISA/EU Agency for Cybersecurity
ENISA (‘European Union Agency for Cybersecurity’) provides support to EU member states, businesses, and institutions in the cybersecurity sector and delivers solutions and improvements to the EU’s cybersecurity framework. Its role is to promote and support member states, businesses, and EU institutions in dealing with cyber attacks.
ENISA shouldn’t be confused with the organization it replaced, which was called ‘the European Union Agency for Network and Information Security’ and bore the same acronym.
Unlike its predecessor, thanks to the EU Cybersecurity Act, ENISA has been granted a permanent mandate with more power, more resources, and new responsibilities:
- establishing a cybersecurity certification framework for products and services;
- creating and outlining best practices for cybersecurity and laying out steps against ransomware;
- promoting cyber resilience;
- increasing operational cooperation to help EU Member States with handling cybersecurity incidents;
- and supporting the coordination of the EU in case of major cross-border cyberattacks and cybersecurity crises.
EE-ISAC
The European Energy Information Sharing and Analysis Centre (EE-ISAC) is one of Europe’s Information Sharing and Analysis Centers (ISACs): non-profit organizations that operate as information and resource gathering centers, established to aid in thwarting cyber threats.
ISACs function as two-way information sharing organizations that provide both the public and private sectors with important news, solutions, and utilities on cyber resilience, along with the methods that can be used to strengthen the cybersecurity of the EU power grid.
Being closely tied with the European Commission and ENISA, they work together with both of these institutions to develop ISACs on both EU and national levels, promote new ISACs in new sectors, as well as empower new consortiums that are supervised by the Commission to provide legal and technical support for ISACs.
European Cyber Security Organization (ECSO)
Established in 2016, the European Cyber Security Organization (ECSO) is a relatively new, self-financed non-profit organization from Belgium.
With more than 250 members that belong to the cybersecurity industry, it acts as a privileged partner and counterpart of the European Commission in a contractual public-private partnership for cybersecurity.
ECSO is recognized within the European institutional landscape, has cross-sectoral partnerships, and federates the European Free Trade Association (EFTA).
More importantly, it covers Horizon Europe, a research funding program that plays a big part in funding the EU’s cybersecurity resilience, projected with a budget of €95.5 billion until 2027.
CSIRTs and CERTs
Often used interchangeably, Computer Security Incident Response Teams (‘CSIRTs’) and Computer Emergency Response (or ‘Readiness’) Teams (‘CERTs’) deal with cybersecurity incidents on the spot and cooperate with other CSIRT networks to:
- Monitor networks for vulnerabilities and incidents;
- Provide early warnings, alerts, predictions, and announcements about cyber risks;
- Respond to cybersecurity incidents;
- And offer dynamic risk and incident analysis and situational awareness.
Both CERTs and CSIRTs are implemented under the NIS Directive. Every EU member state is required to have CSIRT/CERT teams that provide cybersecurity coverage for the state’s digital communication and telecommunication infrastructure.
Joint Research Center (JRC)
Although not entirely purposed for cybersecurity, the Joint Research Center (JRC) of the European Commission is a valuable and active contributor to the field.
For example, one major JRC contribution to cybersecurity is the center’s work on developing tools like the Cybersecurity Taxonomy. This useful glossary of terminology offers a better overview of the EU’s cybersecurity field, including insights, history of attacks and changes, task lists, and more.
Cybersecurity Regulations in the European Union
The EU has been actively working on strengthening cybersecurity and the safeguarding of communication and data in multiple fields, including politics, energy, economy, healthcare, and the financial sectors, for quite some time now. These sectors have become increasingly dependent on digital technologies.
However, the complex, overlapping legislative systems across these sectors could still prove ineffective against the growing concerns of modern cybersecurity in the future. This, along with the COVID-19 crisis and the ongoing Russia/Ukraine conflict, has prompted the need for an even more comprehensive cybersecurity regulatory framework.
Below is a list of all the regulations the EU has adopted in response to these issues, for a clearer overview of the newest updates regarding cybersecurity.
The list consists of:
- cybersecurity regulations in the EU;
- cybersecurity policies and guidelines;
- cybersecurity communities;
- compliance resources;
- funding and research programs affecting cybersecurity;
- details with a timeline of legislative changes.
Let's take a look at how the EU promotes cyber resilience.
The European General Data Protection Regulation (GDPR)
Introduced and passed in 2016 and in effect as of May 2018, the General Data Protection Regulation (GDPR) is one of the most crucial and far-reaching legislative pieces for organizations operating within the EU.
The GDPR’s main tasks and obligations concern data privacy, cybersecurity, and breach management. It aims to:
- standardize data protection regulation in the EU;
- protect personal data and privacy for EU citizens;
- simplify regulation processes for international organizations.
Additionally, it aims to encourage controllers and processors to follow relevant protocols, implement data privacy measures, and ensure that data is collected with consent before becoming publicly available.
The GDPR applies to all institutions and organizations that handle personal data and operate within the EU, as well as companies that do business with (sell goods to) the EU. Most importantly, financial institutions that handle, control, and process large amounts of data are highly impacted by the GDPR’s regulations.
The EU Cybersecurity Strategy
At the end of 2020, in order to strengthen cybersecurity, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy from the European External Action Service (EEAS) presented and adopted a new EU Cybersecurity Strategy.
As a crucial part of shaping Europe’s ‘Digital Future,’ the conclusions in the EU cybersecurity strategy emphasize the importance of setting key objectives for preserving an open economy while the member countries maintain an autonomous approach in their cybersecurity measures.
This new EU Strategy calls for enhancing the cyberspace security of fundamental services across Europe like healthcare, energy, and infrastructure, as well as the ever-increasing number of devices and networks in homes and properties.
The strategy consists of two straightforward legislative proposals for more efficient regulations and policies that address:
- the need for updates of the cybersecurity directive for networks,
- and the protection of critical entities.
The Network and Information Systems Directive (NIS Directive)
Along with the General Data Protection Regulation (GDPR), the Security of Network and Information Systems Directive (NIS Directive) is the most important segment of non-sector-specific legislation for the finance sector.
As of 2022, it has already been implemented by all EU countries as part of the EU Cybersecurity strategy proposed by the European Commission.
The NIS Directive was the first-ever EU-wide cybersecurity and resilience directive, made to enhance cybersecurity across the EU and increase cooperation between EU member states on the issue.
The NIS Directive laid down tasks and security obligations for operators of essential services (OES). These obligations are divided into three crucial parts:
- National capabilities, which require EU member states to have certain cybersecurity means and resources for properly implementing CSIRTs, data protection, IoT and smart infrastructure, cyber threat and risk management, cyber exercises, etc.
- Cross-border collaboration, which encourages EU countries to collaborate within a designated CSIRT network, as well as other cooperation groups.
- National monitoring of important sectors that forces member states to conduct cybersecurity monitoring of market operators in critical sectors like finance, energy, transport, healthcare, and the overall digital infrastructure, ex-post supervision for important digital service providers, etc.
Revision of the NIS Directive (New NIS Directive)
In order to strengthen EU cybersecurity, the European Commission proposed a revised NIS directive, the NIS2, on 16 December 2020, which acts as a new and better replacement for the old 2016 NIS Directive.
This new proposal addressed the evolving cyber threat landscape and the ongoing digital transformation accelerated by the COVID-19 crisis.
The NIS2 Directive focuses on high-level cybersecurity measures across the European Union. It effectively encourages government bodies in the EU to supervise cybersecurity in their own country while collaborating with other member states.
In May 2022, the Council and the European Parliament reached a provisional agreement for the new legislative cybersecurity measures, which calls for stronger risk and incident management and cooperation while widening the rules and regulations that fall within its scope.
Given that cybersecurity threats are almost always cross-border, cyberattacks on one country’s critical facilities may affect the EU as a whole.
The EU Cybersecurity Act
Introduced in June 2019, the Cybersecurity Act strengthens the role of ENISA by giving the agency a permanent mandate and more financial and human resources.
The Cybersecurity Act unifies the EU’s cybersecurity into a single framework, with ENISA at its core. This means that ENISA can now contribute to operational cooperation and crisis management across the EU, with an EU-wide certification scheme that will:
- build trust
- increase the growth of the cybersecurity market
- ease trade across the EU
The EU-Wide Cybersecurity Certification Scheme
Cybersecurity certification is crucial in maintaining high cybersecurity standards for Information and Communications Technology (ICT) products, services, and processes.
The EU cybersecurity certification framework has the sole purpose of establishing and maintaining trust and security in cybersecurity products or services.
With various EU member countries using different cybersecurity certification schemes, establishing such trust is very hard because of regulatory barriers and market fragmentation.
Thanks to the Cybersecurity Act and the new European cybersecurity certification framework, companies and organizations that are doing business with the EU can benefit from having their ICT products certified only once and recognized across the EU.
ENISA’s New Mandate
Under the new certification schemes, ENISA, the EU Agency for Cybersecurity, has been granted a permanent mandate by the EU Cybersecurity Act, with greater responsibilities and additional funding.
This means that ENISA will be in charge of running the EU’s certification framework and keeping the public updated on the latest news regarding certification schemes and issued certificates.
ENISA is also mandated to support operational cooperation with any EU member state that requests help in handling cybersecurity incidents and cross-border cyberattacks.
This mandate is grounded on the fact that ENISA now effectively functions as the secretariat of the national Computer Security Incident Response Teams (CSIRTs) Network, established by the Directive on Security of Network and Information Systems (NIS Directive).
Stakeholder Cybersecurity Certification Group
Following the Cybersecurity Act, the European Commission launched a call for applications to form the Stakeholder Cybersecurity Certification Group (SCCG) with selected members, as the first stakeholder expert group responsible for cybersecurity certification. The group’s first meeting was on 24 June 2020.
The SCCG’s main obligations will be advising the Commission and ENISA to facilitate solutions to strategic issues regarding cybersecurity certification while assisting the Commission in preparing the Union rolling work program, as referred to in Article 47 of the Cybersecurity Act.
Cybersecurity Policies and Guidelines
Back in 2013, the implementation of the first cybersecurity strategy of the EU marked ‘cybersecurity’ as an official, brand new policy area in the EU.
Since then, the EU has introduced lots of changes regarding cybersecurity guidance and risk management policies in the case of cyber attacks. Let’s explore them in more detail.
Blueprint for Coordinated Response to Major Cyber-Attacks
The blueprint’s main purpose is to set out objectives and cooperation modes between member states and EU Institutions in case of such incidents and crises.
Additionally, it shows how current crisis management mechanisms in the EU have an advantage in using existing cybersecurity entities with advanced technical levels of response.
According to the blueprint, there are three modes of cooperation:
- Technical: how the incident is handled, surveillance and monitoring of the incident, risk analysis, etc.
- Operational: cross-border decision-making, management coordination (if required), assessing the damages, and proposing how to mitigate the damages of the cyber attack.
- Political: the strategic management of non-cyber measures under the framework for a joint EU diplomatic response to malicious cyber activities.
Joint Cyber Unit
The Joint Cyber Unit is a broad crisis management platform that ensures an EU-wide response to larger-scale cyber attacks and incidents while aiding member states to recover from such cyber attacks.
Securing the Electoral Process
Elections are a common and frequent target for cyber attacks. Digital technology has been at the forefront of EU elections and is used for:
- Confidential communications between EU politicians and political parties;
- Political campaigns;
- Media communication;
- Electoral registers;
- Vote casting;
- Vote counting;
- Dissemination of the end results.
Ahead of the 2019 European elections, the European Parliament, the member states, the Commission, and ENISA carried out a live cybersecurity test to identify, respond to, and prevent potential cybersecurity incidents during the electoral process and related to digital voting.
As a result, European organizations are implementing concrete measures to address such potential threats against digital voting.
Cybersecurity of Critical Digital Infrastructure
According to experts’ projections and growing trends, the IoT will reach over 22.3 billion devices that are network-linked across the globe by 2024, at the very least.
The Internet of Things (IoT) is a term that encompasses devices, machines, networks, and electronic products that can be connected to a network (not necessarily the internet).
The European Council has stayed mindful of the importance of the rising number of connected devices with a number of regulations pertaining to this kind of digital infrastructure.
IoT and Securing Connected Devices
In December 2020, the European Council adopted conclusions by written procedure, acknowledging that the ever-increasing number of IoT consumer products face new cybersecurity, information security, and privacy risks.
The conclusions helped set priorities and underlined the importance of:
- Reviewing long-term horizontal legislation to address the issue of IoT devices
- Brainstorming ways to boost cybersecurity of IoT devices
- Improving cybersecurity resilience to boost the EU’s IoT industry standards
Securing 5G Network Deployment in the EU
The coming of 5G networks, with estimated worldwide 5G revenues at €225 billion in 2025, opens a whole new dimension in cybersecurity threats.
Apart from being vital to improving digital communication, 5G networks are valuable for critical sectors in the EU such as energy, healthcare, transport, and finance.
At the same time, this new network technology gives attackers more potential entry points, due to the less centralized 5G architecture, its dependency on newer software, and the larger number of antennas.
So, in January 2020, the EU published the EU Toolbox, a legislative package that identifies possible security measures for 5G networks. Its aim is to:
- implement a robust framework of security requirements for 5G networks;
- provide guidance for telecommunication vendors;
- apply relevant restrictions for high-risk suppliers;
- mitigate the main cybersecurity risks of 5G networks;
- and ensure the diversification of vendors.
Funding and Research Regulations (Support for Research and Innovation)
With increased cyber attacks reported during the COVID-19 lockdown, cybersecurity has been one of the European Commission’s biggest priorities.
Since 2014, there have been many investment plans and funding programs for supporting research and innovation in cybersecurity.
Recovery Plan for Europe
The Recovery Plan for Europe agreement, also known as NextGenerationEU, is the European Commission’s recovery instrument that boasts the largest stimulus package for rebuilding a post-COVID-19 Europe.
Besides climate change, agriculture, and biodiversity, this includes a multitude of investments in cybersecurity, including:
- cybersecurity research and innovation via Horizon Europe;
- the Just Transition Fund, which promotes green and digital transitions and climate and biodiversity measures;
- and the Digital Europe Program.
Digital Europe Program
The Digital Europe Program (DIGITAL) is one of the EU’s newest investment programs.
Between 2021 and 2027, the EU is planning to invest €7.5 billion into cybersecurity capacity, deployment of cybersecurity infrastructures, and digital technologies, which will help businesses, citizens, and public administrations.
The Digital Europe program will fund projects in five important sectors:
- AI (artificial intelligence);
- Cybersecurity and trust;
- Advanced digital skills;
- Upgrading computing technologies;
- Enhanced digital capacities and interoperability.
Support for Cyber Capacities and Deployment (CEF and InvestEU)
Another one of the European Commission’s important funding plans is the Connecting Europe Facility (CEF), an infrastructure investment funding program that was planned for the period of 2014-2020.
This digital infrastructure investment aimed to enhance cybersecurity capabilities and cross-border collaboration within the EU and support the implementation of the EU Cybersecurity strategy.
The funding program also supports the following cyber security incident response teams:
- OES (operators of essential services)
- DSPs (digital service providers)
- SPOC (single points of contact)
- And NCAs (national competent authorities)
While not directly linked to the reforms in EU cybersecurity, InvestEU is another similar funding program. InvestEU uses public funding in order to secure investment for the EU’s private sector, which supports important chains in cybersecurity.
Horizon 2020, the Contractual Public-Private Partnership (cPPP), and Horizon Europe
One of the EU’s most important research funding projects for innovative cyber defense solutions is the Horizon Europe funding framework program and its predecessor Horizon 2020, brought by the European Commission and the European Cyber Security Organization (ECSO).
Horizon 2020 has been in the works since 2016, as a contractual public-private partnership (cPPP) for cybersecurity, with members recruited from the cyber industry, academia, and public administrations.
In May 2020, the EU and the Commission co-funded nearly €50 million for this project in order to boost research for cybersecurity preparedness and innovation.
This program is planned to take effect from 2021 to 2027, and has the following objectives:
- Supporting cybersecurity for small and medium businesses
- Cybersecurity simulations and preparedness
- Data protection in critical sectors
The Horizon 2020 program facilitates collaboration between countries and aims to achieve the UN’s Sustainable Development Goals, tackle climate change, and strengthen the EU’s competitiveness and economic growth.
European Cybersecurity Industrial, Technology, and Research Competence Center and Atlas
In December 2020, the European Council and the European Parliament agreed to a proposal for setting up the European Cybersecurity Industrial, Technology and Research Competence Center.
This center aims to amass experts, organizations, and teams required for the development and deployment of cybersecurity technology across countries.
Involving more than 170 partners, its aim is to collaborate with the industry and with academic communities so that they may agree on a mutual agenda for investment priorities in the field of cybersecurity through Horizon Europe and the Digital Europe programs.
Backed by multiple national coordination centers, this new Competence Center is expected to:
- improve cyber resilience,
- contribute to the development and deployment of the latest cybersecurity technology,
- enhance cybersecurity research and innovation,
- work with academic communities in the EU to schedule an investment agenda for cybersecurity,
- support cybersecurity start-ups and SMEs,
- and attempt to close the ‘cybersecurity skills gap’.
Additionally, the European Commission has developed a comprehensive platform called the Cybersecurity Atlas. This is a mappable knowledge management platform designed to provide a better overview of cybersecurity incidents and categorization of malware and boost collaboration between cybersecurity experts as part of the Digital Strategy programs.
Cyber Diplomacy, Sanctions, and Other Policies for Cybersecurity
To protect itself against cyber criminals from outside its borders, the EU is making efforts to improve cyber diplomacy, update restrictive measures, and impose sanctions against cyberattacks.
Improving Cyber Diplomacy
Since December 2020, the Commission, in collaboration with the European External Action Service (EEAS) and EU member states, has worked on implementing a joint diplomatic response to malicious cyber activities, also called the ‘cyber diplomacy toolbox’.
This response was created as a way of protecting the EU against cyber threats from third countries’ malicious cyber activity and aims to:
- Strengthen diplomatic cooperation and dialogue
- Construct and implement preventative measures against cyberattacks
- And impose sanctions against those involved in cyberattacks that threaten the stability of the EU.
The Commission is responsible for assisting the EU in making decisions on how to respond to cyber threats, and it funds the EU Cyber Diplomacy Support Initiative.
Restrictive Measures and Sanctions Against Cyberattacks
In May 2019, the European Council set up a framework to allow the sanctioning of cyber attackers and threats against the EU or its member states. The council prolonged the sanctions regime, so it will be in effect until 18 May 2025.
Within the scope of this new regime, the sanctions target cyberattacks with a significant impact, or more specifically, threats that:
- originate or are carried out from outside the EU;
- use any form of infrastructure outside the EU to carry out attacks;
- are carried out with the support of persons or entities operating outside the EU.
This sanctions regime also targets attempted cyber attacks that have caused potentially moderate damages, that is, attacks that have a potentially significant effect.
For the first time, with this framework, the EU has the ability to impose sanctions on targets who are indirectly involved and who finance or support these types of attacks. Additionally, these sanctions may incriminate other targets who are associated with them.
Besides sanctions, the restrictive measures may ban a person from entering the EU or freeze the assets of potential targets and entities.
On 30 July 2020, the Council imposed the first-ever sanctions for cyberattacks on six individuals and three entities.
They were responsible for (or involved in) cyberattacks and malicious cyber activities against member states: the attempted cyber operation against the Organisation for the Prohibition of Chemical Weapons, Operation Cloud Hopper, and the infamous WannaCry and NotPetya attacks.