Study
Navigating the EU Cybersecurity Policy Ecosystem
A Comprehensive Overview of Legislation, Policies and Actors
Published by Interface, June 27, 2024
The Evolution of EU Cybersecurity Policy
When faced with a large-scale cyber incident, European Union (EU) Member States bear the “primary responsibility for [...] response,” 1 along with their prerogative for national security matters (Art. 4(2) Treaty on the European Union, TEU). At the same time, a “significantly increasing level, complexity and scale of cybersecurity threats” 2 and the “public impact, cross-border nature and spill-over risk of cybersecurity threats” 3 make international cooperation and common approaches vital to address resulting challenges and contribute to a resilient cybersecurity posture across the EU.
Against this backdrop, it is not surprising that a lot has changed since the EU first adopted a Resolution on a common approach and specific actions in the area of network and information security in 2002, which called upon Member States, the European Commission, and industry stakeholders to enhance their efforts directed at increasing information security. For instance, in 2004, the EU established the European Network and Information Security Agency (ENISA), now called the European Union Agency for Cybersecurity; in 2013, the Commission and the EU’s High Representative for Foreign Affairs and Security Policy (HR/VP) published the first EU Cybersecurity Strategy, “An Open, Safe and Secure Cyberspace”; and in 2016, EU Member States and the European Parliament adopted the EU’s first horizontal cybersecurity legislation, the first Network and Information Security (NIS) Directive.
A keyword search in the EU document database EUR-Lex illustrates the evolution of EU action on cyber and IT security policy since 1990 (see Figure 1). For 2023 alone, the database returns 1144 documents mentioning “cybersecurity”, “cyber security”, or “information (IT) security”. 4
This observable increase in mentions is not only valid for the search within EU documents overall. It is also reflected in an elevated number of EU legal acts touching upon cyber and/or IT security underpinning the EU’s heightened regulatory activity on the matter (see Figure 2). Especially during the 2019-2024 Commission, there has been a notable increase in the number of EU legal acts explicitly mentioning cyber or IT security.
These numbers indicate that the EU has progressively addressed cyber and IT security and has thus become an important player in this policy realm, resulting in an ever-expanding EU cybersecurity regulatory and policy ecosystem.
Not only these abstract numbers but also concrete regulatory and policy developments in various policy areas and sectors showcase the EU’s elevated attention to cyber and IT security. The revised NIS Directive (2023); new legal acts on the resilience of critical entities (CER Directive, 2023), digital operational resilience of financial entities (DORA, 2023), and the cybersecurity of EU Institutions, Bodies, and Agencies (EUIBAs, Regulation 2023/2841); the establishment of a European cybersecurity certification scheme (Cybersecurity Act, 2019); the possibility of controlling the exports of cyber-surveillance tools in specific circumstances (Regulation 2021/821); the initiative for a Cybersecurity Skills Academy (2023); or the revised implementing guidelines of the EU’s Cyber Diplomacy Toolbox (2023) are just a few very prominent cybersecurity-related developments at the EU level during the last few years.
What to Find Where in the Compendium
As a side effect of the evolution of EU cybersecurity policy as outlined in Chapter 1, taking stock, monitoring and navigating within the EU cybersecurity policy 5 ecosystem has become an increasingly complex endeavor – for policy and decision-makers in the public and private sector as well as other stakeholders such as civil society and academia alike. The more a policy field evolves, the more important it becomes to maintain a comprehensive overview of efforts in place and underway. A policy field’s cultivation also makes extensive coordination procedures among involved political levels and entities more necessary. Consequently, an overview of the policy and actor landscape is a fundamental prerequisite for effectively implementing and applying cybersecurity-related legislation and policies and informing a smart, structured, and sustainable cybersecurity policy, both at the EU and Member State level. An overview can further contribute to minimizing fragmentation by facilitating common understandings across Member States.
Given the absence of a publicly available comprehensive overview of EU cybersecurity policy, this compendium sets out to take stock and shed light on the current state of EU cybersecurity policy by providing:
- an explainer of the different types of EU legal acts and policies describing their characteristics (Chapter 3);
- a tabular overview of cybersecurity-related EU legislation and policies (Chapter 4);
- a comprehensive substantive review of identified cybersecurity-related EU legislation and policies, the compendium’s centerpiece (Chapters 5-12);
- 26 profiles of actors within the Union’s institutional cybersecurity architecture, specifically EUIBAs and coordination bodies, describing their tasks, activities, and relationships among one another that are of relevance to cyber or IT security (Chapter 13);
- an overview of relevant EU cybersecurity-related legislative and non-legislative initiatives underway, which have not yet entered into force, also indicating relevant sources for tracking the progress of individual files (Chapter 14).
Within the scope of this compendium are all (i) EU legal acts published in the EU’s Official Journal and (ii) EU policies that were published up until or were in force by May 31, 2024, and contain cybersecurity and/or information security-related components (explicitly or implicitly). 6 Hence, the imperative for inclusion in this compendium is that the legal act or policy touches upon security considerations in relation to network and information systems.
A total of 154 documents 7 were identified that match this scoping. Because EU cybersecurity policy is a dynamic and rapidly evolving field (as discussed in Chapter 1), this compendium highly likely does not yet account for all EU legal acts and policy documents that fall within the delineated scope. Therefore, we greatly appreciate any pointers or suggestions for additional documents to which the scope applies.
Every identified document was assigned to one of eight policy areas, each of which is dedicated a chapter within this compendium:
- Overarching Policies
- Internal Market
- Economic, Monetary and Commercial Policy
- Internal Security, Justice and Law Enforcement
- Energy, Transport and Health Policy
- Education, Research and Space Policy
- Foreign and Security Policy
- Cybersecurity of EU Institutions, Bodies and Agencies
These policy areas reflect the cross-cutting nature of cyber and IT security policy. The assignment of legal acts and policies to these policy areas further builds on the principle of conferral, meaning that the EU needs competence – exclusively or shared with the Member States – to take action in a particular policy field (Art. 5 TEU). Accordingly, any competences not specified in EU primary law “remain with the Member States” (Art. 5(2) TEU). 8 Thus, any EU legal act or EU policy addressing cybersecurity must also be traceable to a specific area in which the EU holds competence. Against this backdrop, each section (except for policy area 1 (overarching policies) and 8 (cybersecurity of EUIBAs)) explains the EU’s mandate and competence in the respective policy area at the outset.
Within each policy area chapter, the review of a legal act or policy is either covered in the form of a dedicated deep dive or in chronological order within issue area-specific sections. The summaries of each legal act or policy’s cybersecurity-related components provide a comprehensive, but not necessarily fully exhaustive overview. Accordingly, the summaries are deliberately not meant to represent a legally authoritative synopsis or guideline but rather seek to highlight areas and aspects of policy relevance and importance. As much as deemed useful, the policy reviews refer to the legal act’s or policy’s original wording. Inherently actor-specific provisions of acts and policies are discussed within the respective actor profiles in Chapter 13.
In addition to these chapters, the compendium’s annex includes
- a list of relevant EU websites offering information on EU cybersecurity policy and updates on related policy developments (Annex I);
- an overview of cybersecurity-related definitions used within the identified EU documents (Annex II);
- and a list of abbreviations used throughout this compendium (Annex III).
Through all of these elements, this compendium can contribute to Member States’ recent call for the need for comprehensible overviews on “the relevant horizontal and sectoral legislative frameworks and their interplay” as well as “the roles and responsibilities of all relevant EU entities, stakeholders and networks [...] active in the cybersecurity domain.” 9 In addition, the compendium is not only of interest to European decision-makers, entities and stakeholders seeking to navigate within the complex legislative and policy environment. It can also assist actors in other parts of the world, such as legislators, regulatory bodies, private sector entities seeking to sell their products in the EU internal market or non-governmental organizations, in better understanding the EU's approach to cybersecurity and its institutional landscape across various policy areas.
EU Legislation and Policies: A Basic Explainer
Before examining what specific legislation and policies say on cyber and IT security (policy), it is important to understand the types of documents covered within this compendium. To this end, this Chapter explains their characteristics, involved actors, and, if applicable, the extent to which the various document types are legally binding.
EU legislation can come in five different types that differ in their application, binding nature and addressee (Art. 288 Treaty on the Functioning of the European Union, TFEU). While Member States hold the primary responsibility for the correct and timely implementation of EU legal acts, the Commission (in its role as the “guardian of the treaties” 10 ) takes on the task of ensuring adherence. 11
Regulations are EU legal acts that “have general application, are binding in their entirety and are directly applicable” 12 in all EU Member States. They do not require national transposition and can be invoked directly before Member States’ national courts.
Directives are EU legal acts that have general application and may be addressed to either one, several, or all EU Member States. Unlike regulations, directives are binding only “as to the result to be achieved,” 13 granting Member States the power and flexibility to “choose the form and methods” 14 for achieving the specified result. Transposition into national law is required before directives become applicable in the Member States to which they are addressed.
Decisions are EU legal acts that may be of general or specific application and “may have one or more addressees (one or several EU Member States, one or several companies or individuals).” 15 Like regulations, they are binding in their entirety and directly applicable.
These three types of legislation are adopted through one of the EU’s two legislative procedures, the ordinary legislative procedure or the special legislative procedure (Art. 289 and 294 TFEU). The ordinary legislative procedure is the most common legislative procedure of the EU. As co-legislators, the European Parliament and the Council of the EU jointly adopt legislative acts proposed by the European Commission, which is the only EU institution with the power to initiate such acts. 16 The special legislative procedure is only used in certain cases as stipulated in particular treaty provisions. In contrast to the ordinary legislative procedure, the Council acts as the sole legislator. Yet, the Council must either receive consent on the legislative proposal from the European Parliament or consult it. 17
In addition to legal acts adopted through the ordinary or special legislative procedures, which can be categorized as legislative acts, the European Commission, or exceptionally the Council, can adopt non-legislative acts. Delegated and implementing acts, for instance, a delegated regulation or an implementing directive, are the most common of such acts (Art. 290 and 291 TFEU). 18 Delegated acts by the European Commission supplement or amend non-essential parts of legislative acts. They are adopted, for instance, when they are provided for within a particular legal act or when adjustments to legislative acts are necessary to incorporate advancements in technical and scientific fields. Experts from EU Member States are consulted by the Commission before the adoption of such acts. Implementing acts, adopted by the Commission or, in exceptional cases, the Council, establish “uniform conditions for the implementation” 19 of legislative acts. These acts commonly address administrative or technical aspects and are adopted following consultations with committees consisting of technical experts from EU Member States.
In addition to regulations, directives, and decisions, EU legal acts also comprise recommendations and opinions as non-legally binding types of outputs. 20 Recommendations, on the one hand, allow EU institutions to express their views and propose a course of action “without imposing any legal obligation” 21 on the addressee. Opinions, on the other hand, allow EU institutions to articulate statements “without imposing any legal obligation on the subject of the opinion.” 22
Apart from legal acts, the Council of the EU may also articulate its political stance on matters within the EU’s sphere of activity and adopt non-legally binding documents, reflecting “political commitments or positions.” 23 Council conclusions, for instance, may be adopted following a debate in a Council meeting and “contain a political position on a specific topic.” 24 Council resolutions typically outline forthcoming initiatives foreseen in a specific policy domain. While both examples of documents have no legal effect, they may call upon the Commission or other EUIBAs to propose specific measures or pursue further actions.
Moreover, the Commission can publish other types of non-legally binding documents, such as Communications on a specific topic. Sometimes the Commission does so together with the High Representative of the Union for Foreign Affairs and Security Policy / Vice President of the Commission (HR/VP) in the form of Joint Communications.
Table 1: Overview of Types of EU Legal Acts and Policies

| Type | Adopted by | Binding Nature | Addressee | Cybersecurity-Related Example |
|---|---|---|---|---|
| Regulation | European Parliament and Council of the EU (ordinary legislative procedure) or Council of the EU (special legislative procedure) | Binding in their entirety | All EU Member States | |
| Directive | European Parliament and Council of the EU (ordinary legislative procedure) or Council of the EU (special legislative procedure) | Binding as to the result to be achieved | One, several, or all EU Member States | |
| Decision | European Parliament and Council of the EU (ordinary legislative procedure) or Council of the EU (special legislative procedure) | Binding in their entirety | One or several EU Member States, one or several companies or individuals | |
| Delegated Act (e.g. Delegated Regulation) | European Commission | Binding in their entirety | Depends on the legislative act it amends or supplements | |
| Implementing Act (e.g. Implementing Decision) | European Commission, in exceptional cases the Council of the EU | Binding in their entirety | Depends on the legislative act it aims to implement | |
| Recommendation | European Commission, other EU institutions e.g. European Parliament, Council of the EU, European Central Bank | Not binding | | Commission Recommendation on coordinated response to large-scale cybersecurity incidents and crises |
| Opinion | | Not binding | | NA |
| Council conclusions | Council of the EU | Not binding | | Council Conclusions on a Framework for a Joint EU Diplomatic Response |
| Council resolution | Council of the EU | Not binding | | |
| Communication | European Commission (sometimes as a Joint Communication with HR/VP) | Not binding | | Joint Communication on the EU Policy on Cyber Defence (JOIN(2022) 49 final) |
Tabular Overview of EU Cybersecurity Policy
The following tabular overview lists all the EU legal acts and policies covered within this compendium. The month/year column specifies the date of their respective entry into force (for legal acts) or the date of their publication (for policies). The tables also specify the document’s type as explained in Chapter 3 and the policy area assigned to it, and lay out in which chapter and section the corresponding policy review can be found. If applicable, the tables also indicate any (repealed) previous legislation of cybersecurity relevance and/or subsequent corresponding legal acts (such as implementing/delegated acts), guidelines or other documents of relevance. In the latter cases, the date displayed in the month/year column specifies the date of the entry into force/publication of the initial document. 25 Drawing on EUR-Lex information, the tables also include the “responsible body” in whose purview a particular legal act falls at the bottom of a row, if such an indication was available (e.g. [DG CONNECT]).
Overarching Policies
Internal Market

| Month/Year | Legal Act/Policy | Type | Section |
|---|---|---|---|
| September 2023 | [DG CONNECT] | Regulation | 6.6 General Rules |
| July 2023 | Regulation on machinery (2023/1230) [DG GROW] | Regulation | 6.3 Product Safety and Market Surveillance |
| June 2023 | | Communication | 6.2 Electronic Communications Networks |
| May 2023 | Regulation on general product safety (2023/988) [DG JUST] | Regulation | 6.3 Product Safety and Market Surveillance |
| January 2023 | Previous legislation: Directive concerning measures for a high common level of security of network and information systems across the Union (2016/1148, NIS Directive) [DG CONNECT] | Directive | 6.1 Deep Dives |
| October 2022 | | Council Conclusions | 6.7 Council Conclusions and Resolutions |
| September 2022 | Regulation on contestable and fair markets in the digital sector (2022/1925, Digital Markets Act) [DG COMP] | Regulation | 6.6 General Rules |
| June 2022 | Regulation on European data governance (2022/868, Data Governance Act) [DG CONNECT] | Regulation | 6.5 Data Protection and Data Economy |
| December 2020 | Council Conclusions on the cybersecurity of connected devices (2020/C 427/04) | Council Conclusions | 6.7 Council Conclusions and Resolutions |
| December 2020 | | Council Resolution | 6.7 Council Conclusions and Resolutions |
| January 2020 | Cybersecurity of 5G networks - EU Toolbox of risk mitigating measures | Publication | 6.2 Electronic Communications Networks |
| December 2019 | | Council Conclusions | 6.2 Electronic Communications Networks |
| December 2019 | [DG GROW] | Regulation | 6.3 Product Safety and Market Surveillance |
| May 2019 | [DG CONNECT] | Regulation | 6.1 Deep Dives |
| March 2019 | Commission Recommendation Cybersecurity of 5G networks (2019/534) | Recommendation | 6.2 Electronic Communications Networks |
| December 2018 | [DG CONNECT] | Directive | 6.2 Electronic Communications Networks |
| April 2017 | Regulation on in vitro diagnostic medical devices (2017/746) [DG SANTE] | Regulation | 6.3 Product Safety and Market Surveillance |
| April 2017 | Regulation on medical devices (2017/745) [DG GROW] | Regulation | 6.3 Product Safety and Market Surveillance |
| May 2016 | [DG JUST] | Regulation | 6.5 Data Protection and Data Economy |
| August 2014 | [DG CONNECT] | Regulation | 6.4 Electronic Identification |
| May 2014 | [DG GROW] | Directive | 6.2 Electronic Communications Networks |
Economic, Monetary and Commercial Policy
Internal Security, Justice and Law Enforcement

| Month/Year | Legal Act/Policy | Type | Section |
|---|---|---|---|
| May 2023 | [DG JUST] | Regulation | 8.3 IT Systems of the Area of Freedom, Security and Justice |
| January 2023 | [DG HOME] | Directive | 8.1 Deep Dive |
| June 2022 | [DG JUST] | Regulation | 8.3 IT Systems of the Area of Freedom, Security and Justice |
| July 2021 | Regulation establishing the Internal Security Fund (2021/1149) | Regulation | 8.4 Judicial and Police Cooperation |
| February 2021 | | Council Conclusions | 8.5 Council Conclusions |
| December 2018 | Regulation on the European Union Agency for Criminal Justice Cooperation (Eurojust) (2018/1727) [DG JUST] | Regulation | Covered in Chapter 13 |
| December 2018 | Previous legislation: Regulation establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (1077/2011) | Regulation | 8.3 IT Systems of the Area of Freedom, Security and Justice |
| October 2018 | Regulation establishing a European Travel Information and Authorisation System (ETIAS) (2018/1240) [DG HOME] | Regulation | 8.3 IT Systems of the Area of Freedom, Security and Justice |
| June 2016 | Council conclusions on improving criminal justice in cyberspace (10007/16) | Council Conclusions | 8.5 Council Conclusions |
| June 2016 | Regulation on the European Union Agency for Law Enforcement Cooperation (Europol) (2016/794) [DG HOME] | Regulation | Covered in Chapter 13 |
| September 2013 | [DG HOME] | Directive | 8.2 Cybercrime |
Energy, Transport and Health Policy

| Month/Year | Legal Act/Policy | Type | Section |
|---|---|---|---|
| October 2023 | | Directive | 9.1 Energy |
| December 2020 | [DG MOVE] | Regulation | 9.2 Civil Aviation |
| December 2020 | [DG MOVE] | Regulation | 9.2 Civil Aviation |
| July 2019 | [DG ENER] | Directive | 9.1 Energy |
| July 2019 | Regulation on risk-preparedness in the electricity sector (2019/941) | Regulation | 9.1 Energy |
| July 2019 | Regulation on the internal market for electricity (2019/943) [DG ENER] | Regulation | 9.1 Energy |
| April 2019 | Commission Recommendation on cybersecurity in the energy sector (2019/553) | Recommendation | 9.1 Energy |
| February 2019 | Commission Recommendation on a European Electronic Health Record exchange format (2019/243) | Recommendation | 9.3 Health |
| September 2018 | [DG MOVE] | Regulation | 9.2 Civil Aviation |
| April 2018 | | Communication | 9.3 Health |
| December 2017 | | Council Conclusions | 9.3 Health |
| April 2011 | Directive on the application of patients’ rights in cross-border healthcare (2011/24) [DG SANTE] | Directive | 9.3 Health |
Education, Research and Space Policy

| Month/Year | Legal Act/Policy | Type | Section |
|---|---|---|---|
| November 2023 | | Recommendation | 10.1 Education |
| November 2023 | | Recommendation | 10.1 Education |
| April 2023 | | Communication | 10.1 Education |
| March 2023 | Regulation establishing the Union Secure Connectivity Programme for the period 2023-2027 (2023/588) [DG DEFIS] | Regulation | 10.3 Space |
| June 2021 | [DG CONNECT] | Regulation | 10.2 Research |
| May 2021 | Previous legislation: Council Decision establishing the specific programme implementing Horizon 2020 - the Framework Programme for Research and Innovation (2014-2020) (2013/743) [DG RTD] | Decision | 10.2 Research |
| May 2021 | [DG DEFIS] | Regulation | 10.3 Space |
Foreign and Security Policy

| Month/Year | Legal Act/Policy | Type | Section |
|---|---|---|---|
| February 2024 | [HR/VP, EEAS] | Council Decision | 11.7 Support to Other International Organizations |
| May 2023 | | Council Conclusions | 11.4 Cyber Defence |
| May 2023 | [HR/VP, EEAS] | Council Decision | 11.4 Cyber Defence |
| May 2023 | [HR/VP, EEAS] | Council Decision | 11.4 Cyber Defence |
| April 2023 | Council Decision on a European Union Partnership Mission in Moldova (2023/855) [HR/VP, EEAS] | Council Decision | 11.4 Cyber Defence |
| November 2022 | Joint Communication on the EU Policy on Cyber Defence (JOIN(2022) 49 final) | Joint Communication | 11.4 Cyber Defence |
| June 2022 | Council conclusions on a Framework for a coordinated EU response to hybrid campaigns (10016/22) | Council Conclusions | 11.5 Hybrid Threats and Campaigns |
| June 2022 | [HR/VP, EEAS] | Council Decision | 11.4 Cyber Defence |
| May 2022 | Council conclusions on the development of the European Union’s cyber posture (9364/22) | Council Conclusions | 11.1 Strategic Documents |
| March 2022 | | Other | 11.1 Strategic Documents |
| December 2021 | [HR/VP, EEAS] | Council Decision | 11.4 Cyber Defence |
| December 2021 | Joint Communication: The Global Gateway (JOIN(2021) 30 final) | Communication | 11.6 Development Cooperation and Cyber Capacity-Building |
| September 2021 | | Other | 11.4 Cyber Defence |
| June 2021 | [HR/VP, EEAS] | Council Decision | 11.7 Support to Other International Organizations |
| June 2021 | [DG INTPA] | Regulation | 11.6 Development Cooperation and Cyber Capacity-Building |
| April 2021 | Regulation establishing the European Defence Fund (2021/697); Previous legislation: Regulation establishing the European Defence Industrial Development Programme aiming at supporting the competitiveness and innovation capacity of the Union's defence industry (2018/1092) | Regulation | 11.4 Cyber Defence |
| May 2019 | [HR/VP, EEAS] | Council Decision | 11.3 Sanctions Regime |
| May 2019 | | Council Regulation | 11.3 Sanctions Regime |
| November 2018 | EU Cyber Defence Policy Framework (14413/18) | Other | 11.4 Cyber Defence |
| June 2018 | Council conclusions on EU External Cyber Capacity Building Guidelines (10496/18) | Council Conclusions | 11.6 Development Cooperation and Cyber Capacity-Building |
| June 2018 | | Joint Communication | 11.5 Hybrid Threats and Campaigns |
| April 2018 | | Council Conclusions | 11.2 Cyber Diplomacy |
| December 2017 | [HR/VP, EEAS] | Council Decision | 11.4 Cyber Defence |
| June 2017 | | Council Conclusions | 11.2 Cyber Diplomacy |
| April 2016 | Joint Framework on countering hybrid threats (JOIN(2016) 18 final) | Joint Communication | 11.5 Hybrid Threats and Campaigns |
| February 2015 | | Council Conclusions | 11.2 Cyber Diplomacy |
Cybersecurity of EU Institutions, Bodies and Agencies

| Month/Year | Legal Act/Policy | Type | Section |
|---|---|---|---|
| January 2024 | | Regulation | 12.1 Deep Dive |
| June 2023 | | Decision | 12.2 Rules for Particular EUIBAs |
| January 2017 | | Decision | 12.2 Rules for Particular EUIBAs |
| March 2015 | Commission Decision on Security in the Commission (2015/443) | Decision | 12.2 Rules for Particular EUIBAs |
Policy Area 1: Overarching Policies
General
— Council Conclusions on the Future of Cybersecurity: Implement and Protect Together
In May 2024, the Council adopted Council Conclusions on the Future of Cybersecurity: Implement and Protect Together. In its conclusions, the Council opens by noting the “key role and shared responsibility of Member States, and the EU to set and implement a clear and agile regulatory and policy framework laying down our collective ability to protect, detect, deter and defend against, cyberattacks and recover from them” (p. 5). The conclusions are centered around four elements and highlight the following exemplary issues:
Table 2: Overview of Provisions Contained in Council Conclusions on the Future of Cybersecurity

| Elements | Exemplary Provisions |
|---|---|
| Focus Areas for Policy-Making | |
| Strengthening the Institutional Framework | |
| Internal/External Nexus for Cybersecurity Policy | |
| Cybersecurity Dimension of Emerging and Disruptive Technologies | |
The Council concludes by calling for a review of the EU’s Cybersecurity Strategy, particularly inviting both the Commission and the HR/VP “to assess the results and gaps of the current Strategy and its impact, and to present on this basis a revised strategy without undue delay” (p. 24).
— EU Cybersecurity Strategy for the Digital Decade
In December 2020, the Commission and the HR/VP shared the EU Cybersecurity Strategy for the Digital Decade with the Council and the European Parliament. The document builds on previous EU cybersecurity strategies from 2017 26 and 2013. The Strategy sets out to “ensure a global and open Internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe” (p. 5), paired with the ambition to “supporting this strategy through an unprecedented level of investment in the EU's digital transition over the next seven years” (p. 5f.). Specifically, it lays out the following areas of EU action, priorities, and measures:
Table 3: Overview of Measures Outlined in the EU Cybersecurity Strategy for the Digital Decade

| Area of EU action | Priorities | Measures |
|---|---|---|
| “Thinking Global, Acting European” | | |
| 1: Resilience, technological sovereignty and leadership | Resilient infrastructure and critical services | |
| | Building a European Cyber Shield | |
| | An ultra-secure communication infrastructure | |
| | Securing the next generation of broadband mobile networks | |
| | An Internet of secure things | |
| | Greater global Internet security | Commission seeks to |
| | A reinforced presence on the technology supply chain | |
| | A cyber-skilled EU workforce | |
| 2: Building operational capacity to prevent, deter and respond | A Joint Cyber Unit (JCU) | |
| | Tackling cybercrime | |
| | EU cyber diplomacy toolbox | |
| | Boosting cyber defence capabilities | |
| 3: Advancing a global and open cyberspace | EU leadership on standards, norms and frameworks in cyberspace | Stepping up on international standardization |
| | | Advance responsible state behaviour in cyberspace |
| | | Budapest Convention on Cybercrime |
| | Cooperation with partners and the multi-stakeholder community | |
| | Strengthening global capacities to increase global resilience | |
| Cybersecurity in the EU Institutions, Bodies and Agencies | | |
The first report on the implementation of the 2020 EU Cybersecurity Strategy was published in June 2021.
The Council reacted to the Strategy by adopting Conclusions on the EU’s Cybersecurity Strategy for the Digital Decade three months later. The Conclusions welcome the Cybersecurity Strategy and, inter alia, stress “the need to raise more awareness on cyber issues at the political and strategic decision-making levels by providing decision-makers with relevant knowledge and information” (p. 6) and reflect on the strategy’s components. Looking ahead, the Council “encourages the Commission and the High Representative for Foreign Affairs and Security Policy to establish a detailed implementation plan setting the priorities and the schedule of planned actions” (p. 17). The Council itself commits to “monitor[ing] the progress in the implementation of these Conclusions by means of an Action Plan which will be regularly reviewed and updated by the Council in close cooperation with the European Commission and the High Representative” (p. 17). 27
— Security Union Strategy
The EU’s 📄 Security Union Strategy “focuses on building capabilities and capacities to secure a future-proof security environment” (p. 2) for the period 2020-2025. It was published in July 2020. In relation to cybersecurity, the strategy begins by noting that “the ever-increasing ways in which digital technologies benefit our lives ha[ve] also made the cybersecurity of technologies an issue of strategic importance” (p. 3). Specifically, in its chapter on a “rapidly changing European security threat landscape” (pp. 2-5), it names “a wave of cybercrime”, “continued cyber-enabled theft of intellectual property” and “cyber theft of trade secrets” (all p. 3) as cybersecurity-related threats. The Strategy further stresses the need for “economic operators [... to] take greater responsibility for the cybersecurity of products and services they place on the market” and for “individuals [...] to have at least a basic understanding of cybersecurity to be able to protect themselves” (both p. 5). The following strategic priorities and corresponding actions of the strategy are of cybersecurity relevance:
Table 4: Exemplary Actions Within EU Security Union Strategy
Strategic Priority | Sub-Priority | Exemplary Actions
---|---|---
“A future-proof security environment” | Critical infrastructure protection and resilience |
 | Cybersecurity |
“Tackling evolving threats” | Cybercrime |
“A strong European security ecosystem” | Cooperation and information exchange |
 | Strengthening security research and innovation |
 | Skills and awareness raising |
The Commission regularly publishes progress reports on the Security Union Strategy, as listed in the tabular overview contained in Chapter 4.
— Council Conclusions on Cybersecurity Capacity and Capabilities Building in the EU
In March 2019, the Council adopted 📄 Conclusions on cybersecurity capacity and capabilities building in the EU. Within the Conclusions, the Council, inter alia, stresses the following elements (p. 5-6):
Table 5: Overview of Council Conclusions on Cybersecurity Capacity and Capabilities Building in the EU
Vis-à-vis | Provisions
---|---
Member States |
EUIBAs |
Member States & EUIBAs |
Incident and Crisis Response
— Joint Cyber Unit
In June 2021, the Commission issued a 📄 Recommendation on building a Joint Cyber Unit (JCU), which “identif[ies] the actions necessary to coordinate EU efforts to prevent, detect, discourage, deter, mitigate and respond to large-scale cyber incidents and crises through a Joint Cyber Unit” (p. 7).
The Recommendation envisions the participation of the following actors in the JCU:
-
the Commission, EEAS (including EU INTCEN), ENISA, Europol, CERT-EU, CSIRTs Network, EU-CyCLONe as operational participants and
-
the Chairs of the NIS Cooperation Group and HWPCI, EDA and a “representative of the relevant PESCO projects” as supporting participants (p. 8).
The Recommendation assigns a particular role to ENISA within the JCU. The Commission advises entrusting ENISA with “ensur[ing] the coordination and support of Member States and relevant” EUIBAs, inter alia, by assuming the following tasks: “acting as secretariat, organising meetings and contributing to the implementation of actions both at Member State and EU level” (p. 9).
The realization of the JCU shall serve two objectives: (1) “ensur[ing] a coordinated EU response to and recovery from large-scale cyber incidents and crises”, including the coordination of “mutual assistance mechanisms [...] subject to the request from one or more Member States” (p. 8) and (2) “shar[ing] best practices, harness[ing] continuous shared situational awareness, and ensur[ing] necessary preparedness” (p. 8) through a variety of measures, to be ensured/enabled by Member States and EUIBAs:
Table 6: Objectives and Measures of the Joint Cyber Unit
Objective | Measures
---|---
(1) “Coordinated response to and recovery from large-scale incidents and crises” (p. 8) |
(2) Provision of “continuous shared situational awareness and preparedness against cyber-enabled crises across cybersecurity communities [1], as well as within those communities” (p. 8f.) | Supporting operations

[1] Cybersecurity communities are defined as “collaborative civilian, law enforcement, diplomacy and defence groups representing both Member States and relevant EU institutions, bodies and agencies which exchange information in pursuit of shared goals, interests and missions in relation to cybersecurity” (p. 7).
The Recommendation concludes by specifying “milestones and [a] timeline” (p. 7) for the JCU’s establishment (further detailed in the Recommendation’s annex, pp. 11-15). Accordingly, the JCU was envisioned to be fully operational by 30 June 2023.
Five months after the Commission published its Recommendation on the JCU, the Council adopted 📄 Conclusions on exploring the potential of the Joint Cyber Unit initiative - complementing the EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises. In its Conclusions, the Council “acknowledges the Commission Recommendation on building a Joint Cyber Unit, as an initiative to be considered in further developing the EU cybersecurity crisis management framework” (p. 8). The Council emphasizes that “an incremental, transparent and inclusive process is essential for enhancing trust and, therefore, critical to the further development of an EU cybersecurity crisis management framework” (p. 8), while it concurrently underlines that “any possible participation in or contributions by Member States to a potential Joint Cyber Unit [would be] of a voluntary nature” (p. 8). Underpinning the Council’s stance in this respect, EU Member States further highlighted “the need to consolidate, as a matter of priority, existing networks and interactions within each community, as well as to establish a thorough mapping of possible information sharing gaps and needs within and across cyber communities and also within and across European [IBAs], and subsequently agree on possible primary objectives and priorities of a potential [JCU]” (p. 10). Hence, with respect to the JCU, the Council “calls for further consideration on a legal basis for the potential Joint Cyber Unit throughout the entire process [... and] further reflection on individual elements of the Recommendation on the Joint Cyber Unit, including with regard to the idea of the EU Cybersecurity Rapid Reaction Teams, and to the EU Cybersecurity Incident and Crisis Response Plan” (p. 11). Looking ahead, the Council “calls upon the EU and its Member States to consider the potential of a Joint Cyber Unit initiative” (p. 11) and commits itself to “provid[ing] further guidance for complementing the EU cybersecurity crisis management framework” (p. 11).
— Council Conclusions on EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises
In June 2018, the Council adopted 📄 Conclusions on EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises. In them, the Council, inter alia, stresses the following elements:
Table 7: Overview of Council Conclusions on EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises
Objectives | Exemplary Provisions
---|---
Fostering the preparedness and crisis prevention (p. 4) |
Increasing the situational awareness (p. 4) |
Ensuring the effective response (p. 5) |
Streamlining the public communication (p. 5f.) |
Building on the lessons learned and post incident analysis (p. 6) |
Developing a European Cybersecurity Crisis Cooperation Framework (p. 6) |
— Commission Recommendation on Coordinated Response to Large-Scale Cybersecurity Incidents and Crises
In September 2017, the Commission issued a 📄 Recommendation on coordinated response to large-scale cybersecurity incidents and crises. It recommends the establishment of “an EU Cybersecurity Crisis Response Framework” (p. 4) on the basis of a Blueprint included in the Recommendation’s Annex. The Blueprint “applies to cybersecurity incidents which cause disruption too extensive for a concerned Member State to handle on its own or which affect two or more Member States or EU institutions with such a wide-ranging and significant impact of technical or political significance that they require timely policy coordination and response at Union political level,” also referred to as a “cybersecurity crisis” (p. 6). The response to cybersecurity crises at the EU level may involve existing crisis management procedures such as the Integrated Political Crisis Response (IPCR) arrangements 28 , the ARGUS rapid alert system, and the EEAS Crisis Response Mechanism (the Blueprint explains these instruments further on pp. 19-22). The processes and activities outlined in the Blueprint are based on the principles of proportionality, subsidiarity, complementarity, and confidentiality of information (p. 6f.). The Blueprint is subdivided on the basis of three “objectives of cooperation”: “effective response,” “shared situational awareness,” and “public communication messages” (p. 7f.). For each of these objectives, the Blueprint lists measures to be taken at three different levels, namely the technical, the operational, and the “strategic/political level.” 29
Each level shall undertake the following activities:
-
Technical level: “incident handling during a cybersecurity crisis” and “monitoring and surveillance of incident including continuous analysis of threats and risk” (p. 8);
-
Operational level: “preparing decision-making at the political level” and “coordinat[ing] the management of the cybersecurity crisis (as appropriate)” (p. 10);
-
Strategic/political level: “strategic and political management of both cyber and non-cyber aspects of the crisis including measures under the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities” (p. 12).
For every level, the Blueprint suggests potential entities to be involved and lists activities to be undertaken under each of the three priority objectives. A few examples of such activities are listed below:
Table 8: Overview of Blueprint Measures
Objective | Level | Exemplary Measures
---|---|---
Shared situational awareness | 1: Technical level (p. 9) |
 | 2: Operational level (p. 11) |
 | 3: Strategic/political level (p. 12) |
Response | 1: Technical level (p. 9f.) |
 | 2: Operational level (p. 11) | “Upon request from the political level”
 | 3: Strategic/political level (p. 12) |
Public communications | 1: Technical level (p. 10) |
 | 2: Operational level (p. 12) |
 | 3: Strategic/political level (p. 12) |
The Blueprint outlines further how these activities may specifically be integrated in the IPCR based on the IPCR’s Standard Operating Procedures (see further pp. 13-17).
Digital Transformation
— Digital Decade Policy Programme 2030
The 📄 Digital Decade Policy Programme 2030 was established in 2022 to “creat[e] an environment favourable to innovation and investment by setting a clear direction for the digital transformation of the Union and for the delivery of digital targets 30 at Union level by 2030, on the basis of measurable indicators” (Art. 1(1), point (a)). As part of one of its eleven general objectives, the Programme includes cooperation by the European Parliament, the Commission, Council, and Member States on “improving resilience to cyberattacks, contributing to increasing risk-awareness and the knowledge of cybersecurity processes, and increasing the efforts of public and private organisations to achieve at least basic levels of cybersecurity” (Art. 3(1), point (k)), to be facilitated by multi-country projects. On an annual basis, the Commission shall draw up a “report on the state of the Digital Decade,” to be shared with the Council and European Parliament (Art. 6). 31 Member States, on the other hand, shall share with the Commission “national digital decade strategic roadmaps” (by October 2023), which shall comprise, among other things, the “main planned, adopted and implemented policies, measures and actions that contribute to achieving the general objectives and the digital targets” (Art. 7). 32
— Digital Europe Programme
📄 Regulation 2021/694 establishes the Digital Europe Programme for the EU’s budget period until 2027 in an effort to accelerate “the digital transformation of the European economy, industry and society” (Art. 3(1)). The Programme provides planned funding of over €7.5 billion to support projects in five key areas, with over €1.6 billion allocated to cybersecurity. Funding in the area of cybersecurity shall:
-
“support the building-up and procurement of advanced cybersecurity equipment, tools and data infrastructures” in cooperation with Member States;
-
“support the building-up and best use of European knowledge, capacity and skills related to cybersecurity and the sharing and mainstreaming of best practices”;
-
“ensure a wide deployment of effective state-of-the-art cybersecurity solutions across the European economy” with a particular focus on “public authorities and SMEs”;
-
“reinforce capabilities within Member States and private sector” for compliance with the NIS Directive;
-
“improve resilience against cyberattacks, contribute towards increasing risk-awareness and knowledge of cybersecurity processes, support public and private organisations in achieving basic levels of cybersecurity [...]”;
-
and “enhance cooperation between the civil and defence spheres with regard to dual-use projects, services, competences and applications in cybersecurity [...]” (Art. 6(1)).
The implementation of the respective initiatives rests primarily with the ECCC and the Network of NCCs (Art. 6(2)). The Commission adopted the Digital Europe Cybersecurity Work Programme 2023-2024 to specify the cybersecurity-related initiatives under the Digital Europe Programme. 33 The following table provides a non-exhaustive overview of the deployment actions, objectives, and sought deliverables of the work programme:
Table 9: Overview of Objectives and Deliverables of the Digital Europe Cybersecurity Work Programme 2023-2024
Deployment Action | Objectives | Examples of Sought Deliverables
---|---|---
“Security Operation Centres” (pp. 14-27, Work Programme) | “support joint actions to create an advanced (state-of-the-art) threat detection and cyber early warning ecosystem” | The ECCC will work with Member States to
“Support for the Implementation of the proposed Cyber Resilience Act” (pp. 29-33, Work Programme) | |
“Cybersecurity Emergency Mechanism” (pp. 39-41, Work Programme) | “increase the level of protection and resilience to cyber threats, in particular for large industrial installations and infrastructures, by assisting Member States in their efforts to improve the preparedness for cyber threats and incidents by providing them with knowledge and expertise” |
“Standardisation in the Area of Cybersecurity” (pp. 42-43, Work Programme) | “support further standardisation in the area of cybersecurity, notably in view of the implementation of the proposed” CRA |
“Support for Implementation of EU Legislation on Cybersecurity and National Cybersecurity Strategies” (pp. 43-48, Work Programme) | |

[The Work Programme defines national SOCs as “public entities [which are] given the role at national level to act as clearinghouses for detecting, gathering and storing data on cybersecurity threats, analysing this data, and sharing and reporting Cyber Threat Intelligence (CTI), reviews and analyses” (p. 15).]

Other deployment actions include: deploying the Network of National Coordination Centres with Member States (1.9), the development and deployment of advanced key technologies (1.2), post-quantum cryptography (1.4), and the coordination between the cybersecurity civilian and defence spheres (1.6).
— 2030 Digital Compass: The European Way for the Digital Decade
In March 2021, the Commission published the 📄 2030 Digital Compass: the European way for the Digital Decade. The Digital Compass sets out a vision for 2030 based on four target areas, of which three particularly address cybersecurity-related objectives:
Table 10: Overview of Cybersecurity-Related Objectives of the 2030 Digital Compass
Target Area | Objective
---|---
A digitally skilled population and highly skilled digital professionals |
Secure and performant sustainable digital infrastructures |
Digitalisation of public services |
Emerging Technologies
— Commission Recommendation on a Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography
In April 2024, the Commission published a 📄 Recommendation on a Coordinated Implementation Roadmap for the transition to Post-Quantum Cryptography. The Recommendation, inter alia, advises Member States to “define a ‘Post-Quantum Cryptography [PQC] Coordinated Implementation Roadmap’ aimed at synchronising the efforts of Member States to design and implement national transition plans while ensuring cross-border interoperability” and to “support the evaluation and selection of relevant Post-Quantum Cryptography EU algorithms [...] and further adoption of such algorithms as Union standards” (p. 4). As part of the suggested Roadmap, the Commission recommends that Member States set up a dedicated subgroup within the NIS Cooperation Group to draft it. As part of its deliberations, this subgroup shall discuss post-quantum cryptography with other stakeholders such as Europol or NATO. Once set up, the PQC subgroup within the NIS Cooperation Group shall strive to adopt the Roadmap within two years, to be “followed by the development and further adaptation of Post-Quantum Cryptography transition plans of individual Member States” (p. 5). In turn, the Commission foresees a monitoring and periodic assessment role for itself. On this basis, the Commission, among other activities, may “determine whether additional actions, including proposing binding acts of Union law, are required” (p. 5). The Recommendation shall be reviewed at the latest in April 2027.
Democratic Processes
— Commission Recommendation on Inclusive and Resilient Electoral Processes in the Union and Enhancing the European Nature and Efficient Conduct of the Elections to the European Parliament
In December 2023, the Commission adopted a 📄 Recommendation on inclusive and resilient electoral processes in the Union and enhancing the European nature and efficient conduct of the elections to the European Parliament. With respect to cybersecurity, the Recommendation notes, for instance, that “in addition to the obligations under [the NIS 2 and CER Directives], where applicable, Member States should strive to ensure a similar level of resilience of entities operating election-related infrastructure, by performing and updating risk assessments, conducting tests, and enhancing support for and the resilience of entities that play a significant role in the conduct of elections” (recital (33)) and should carry out “specific measures [...] to further enhance the cybersecurity of voter registration databases, e-voting systems and other information systems used to manage electoral operations” (recital (34)). The Recommendation sets out 11 principles, of which two address cybersecurity specifically:
Table 11: Overview of Cybersecurity-Related Provisions Contained in Commission Recommendation 2023/2829
Principles | Specification
---|---
IV. Encouraging election integrity and fair campaigning | “Political parties and campaign organisations are encouraged to adopt campaign pledges and codes of conduct on election integrity and fair campaigning”, which shall, inter alia, include “active steps to maintain good cyber hygiene, such as regular cybersecurity checks, in order to recognize, deter and prevent attacks” (p. 13 f.)
VII. Protecting election-related infrastructure and ensuring resilience against cyber and other hybrid threats | Member States should
— European Democracy Action Plan
In December 2020, the Commission put forward a 📄 Communication on the European Democracy Action Plan. In its introduction, as part of a section on the “digital transformation of our democracies”, the Action Plan notes, inter alia, that “digitalisation enabled new ways to finance political actors from uncontrolled sources [and] cyber-attacks can target critical electoral infrastructure” (p. 2). Against this backdrop, the Action Plan lays out the following cybersecurity-related provisions to meet its specified objectives:
Table 12: Overview of Cybersecurity-Related Provisions of the European Democracy Action Plan
Objective | Specific Objective | Action
---|---|---
Protecting election integrity and promoting democratic participation | Strengthened cooperation in the EU to ensure free and fair elections |
Strengthening media freedom and media pluralism | Safety of journalists |
Countering disinformation | Improving EU and Member State capacity to counter disinformation |
Policy Area 2: Internal Market
Deep Dives: NIS 2 Directive and Cybersecurity Act
— Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS 2)
📄 Directive on measures for a high common level of cybersecurity across the Union (2022/2555)
Entry into force: 16 January 2023
Deadline for national transposition: 17 October 2024; measures apply from 18 October 2024
Previous legislation: Repeals Directive 2016/1148 (NIS 1) from 18 October 2024 onwards
Subsequent documents of relevance:
Objective (Art. 1): “achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market”
Subject matter (Art. 1): “This Directive lays down:
Actors established/regulated by NIS 2 Directive:
Deep Dive Structure -> Scope -> Competent Authorities, Single Points of Contact and CSIRTs -> National Cybersecurity Strategy -> Cyber Crisis Management -> Vulnerability Disclosure -> Cybersecurity Risk Management -> Reporting -> Information-Sharing -> Union-Level Cooperation and State of the Union Report -> Supervision and Enforcement -> Implementing and Delegated Acts -> Review
Scope
In its application, the NIS 2 Directive distinguishes between essential and important entities. Both types of entities can be public or private. In general, essential entities are subject to more extensive obligations and a higher extent of supervision than important entities.
As a general rule, public or private entities fall within the scope of the NIS 2 Directive when they qualify at least as a medium-sized enterprise, 34 “provide their services or carry out their activities within the Union,” and are of a type listed in Annex I or II of the Directive (see further Table 13). Irrespective of size, the Directive also applies to entities of such a type on the basis of circumstantial factors. Accordingly, an entity is within the scope of NIS 2 if
-
it “is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;”
-
“disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;”
-
“disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;”
-
or “the entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State” (Art. 2(2)).
Moreover, irrespective of size, the Directive applies where “services are provided by” “providers of public electronic communications networks or of publicly available electronic communications services,” “trust service providers” and “top-level domain name registries and domain name system service providers” (Art. 2(2), point (a)), as well as to “entities providing domain name registration services” (Art. 2(4)). All entities designated as critical entities under the CER Directive are also within the scope of NIS 2 (Art. 2(3)).
An entity is deemed essential when it fulfills any of the following criteria:
-
it is of a type listed in Annex I and exceeds the size ceilings for a medium-sized enterprise, i.e., it is a large enterprise (Art. 3(1), point (a)); Annex I entities that only qualify as medium-sized are important entities unless another criterion below applies;
-
it is a “qualified trust service provider[...,] top-level domain name registr[y … or] DNS service provider[...]”, regardless of its size (Art. 3(1), point (b));
-
it is a “provider[...] of public electronic communications networks or of publicly available electronic communications services” that qualifies as a medium-sized enterprise (Art. 3(1), point (c));
-
it is a “public administration entity [...] of central government as defined by a Member State in accordance with national law” (Art. 3(1), point (d))[1];
-
or it is an entity designated as a ‘critical entity’ under the CER Directive (Art. 3(1), point (f)).
[1] The NIS 2 Directive excludes “public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences” (Art. 2(7)) from its scope of application. Member States may, at their discretion, exempt specific entities that operate in these areas, or that provide services exclusively to such excluded public administration entities, from particular obligations (see further Art. 2(8)).
EU Member States may choose to classify entities previously identified as “operators of essential services” under the NIS 1 Directive as essential entities (Art. 3(1), point (g)). Member States may also designate essential entities on the basis of the circumstantial factors listed above (Art. 3(1), point (e)).
Any other entities of a type listed in Annex I or II that do not qualify as essential under any of the points enumerated above are considered as important entities. In terms of jurisdiction, an essential or important entity falls under the jurisdiction of the particular Member State in which it is established (Art. 26). 35
The following table provides an overview of the (sub)sectors listed in Annex I and II and gives examples of types of entities 36 subsumed under the respective sectors:
Table 13: Sectors in the Scope of the NIS 2 Directive
“Sectors of high criticality” (Annex I) | Examples of types of entities
---|---
Energy |
Transport |
Banking |
Financial market infrastructures |
Health |
Drinking water |
Waste water |
Digital infrastructure |
ICT service management (business-to-business) |
Public administration |
Space |

“Critical sectors” (Annex II) | Examples of types of entities
---|---
Postal and courier services |
Waste management |
Manufacture, production and distribution of chemicals |
Production, processing and distribution of food |
Manufacturing |
Digital providers |
Research |
In the context of their national transposition of the NIS 2 Directive, EU Member States may choose to include “public administration entities at local level” and “education institutions” in their scope of application (Art. 2(5)).
EU Member States have until 17 April 2025 to draw up a list of entities that fall within the scope of NIS 2, which they must subsequently update at least every two years (Art. 3(3)). By the same date, EU Member States must, via their competent authorities, share “the number of essential and important entities listed [...] for each sector and subsector” with the Commission and the NIS Cooperation Group (Art. 3(5)).
As a horizontal framework, the NIS 2 Directive also allows sector-specific Union legal acts to act as lex specialis (Art. 4). 37 Where “sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provisions on supervision and enforcement laid down in Chapter VII, shall not apply to such entities” (Art. 4(1)). When a sector-specific EU legal act “do[es] not cover all entities in a specific sector falling within the scope of this Directive, the relevant provisions of this Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts” (Art. 4(1)). For a sector-specific act to meet this equivalence requirement, the NIS 2 Directive requires that the
-
“cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2)”;
-
the respective provisions “provide[...] for immediate access, where appropriate automatic and direct, to the incident notifications by the CSIRTs, the competent authorities or the single points of contact under this Directive;”
-
and “requirements to notify significant incidents are at least equivalent in effect to those laid down in Article 23(1) to (6) of this Directive” (Art. 4(2)).
In September 2023, the Commission published “guidelines clarifying the application of paragraphs 1 and 2,” as required by Art. 4(3). 38
Who | What | When | Post-Deadline | Legal Basis
---|---|---|---|---
Member States | Development of a list of essential and important entities as well as entities providing domain name registration services | 17 April 2025 | Update at least every two years thereafter | Art. 3(3)
Member States | Notification of the number of essential and important entities listed for each sector and subsector -> Commission and NIS Cooperation Group | 17 April 2025 | Every two years thereafter | Art. 3(5)
Member States | Notification of specified relevant information in relation to essential and important entities -> Commission | 17 April 2025 | Every two years thereafter | Art. 3(5)
Competent Authorities, Single Points of Contacts and CSIRTs
From an institutional perspective, EU Member States must designate or establish one or more competent authorities responsible for cybersecurity and for the Directive’s supervisory and enforcement tasks, as well as a single point of contact (SPOC) (Art. 8). Each SPOC exercises a “liaison function” to ensure cooperation within its Member State and with the authorities of other Member States, the Commission, and ENISA. The Commission is tasked with publishing a list of all national SPOCs.
Additionally, EU Member States must ensure that they have a computer security incident response team (CSIRT) (Art. 10), inter alia, tasked with
-
“monitoring and analyzing cyber threats, vulnerabilities and incidents at national level;”
-
“providing early warnings, alerts, announcements and dissemination of information to essential and important entities concerned;”
-
and “responding to incidents and providing assistance to the essential and important entities concerned” (Art. 11(3)).
EU Member States can request ENISA’s assistance in developing their CSIRTs and must ensure their national CSIRTs’ active participation in the CSIRTs Network (Art. 10(6) and (10)). National CSIRTs shall establish cooperative relationships with “relevant stakeholders in the private sector” (Art. 11(4)). To facilitate such cooperation, they shall also “promote the adoption and use of common or standardised practices, classification schemes and taxonomies in relation to:
-
incident-handling procedures;
-
crisis management;
-
and coordinated vulnerability disclosure” (Art. 11(5)).
EU Member States shall, in particular, ensure inter-agency cooperation and information-sharing between their competent authorities and CSIRTs under the NIS 2 Directive and their national competent authorities designated pursuant to other EU legal acts, inter alia, in the context of the DORA Regulation and the CER Directive (Art. 13).
National Cybersecurity Strategy
In implementing the NIS 2 Directive, EU Member States are required to “adopt a national cybersecurity strategy that provides for the strategic objectives, the resources required to achieve these objectives, and appropriate policy and regulatory measures” (Art. 7(1)). EU Member States shall include, inter alia, specific policies on the following:
- “addressing cybersecurity in the supply chain for ICT products and services;”
- the “inclusion and specification of cybersecurity-related requirements for ICT products and ICT services in public procurement;”
- and vulnerability management, “encompassing the promotion and facilitation of coordinated vulnerability disclosure” (Art. 7(2)).
The strategy should also
- specify governance arrangements at the national level, for instance, between competent authorities and single points of contact;
- include “a mechanism to identify relevant assets and an assessment of the risks in that Member State;”
- and identify “measures ensuring the preparedness for, responsiveness to and recovery from incidents” (Art. 7(1)).
The strategy should also include “a policy framework for enhanced coordination” (Art. 7(1), point (g)) among EU Member States’ competent authorities under the NIS 2 and the CER Directive.
For a complete list of elements to be included in the national cybersecurity strategy, see further Art. 7. Member States must share their strategies with the Commission at the latest three months after their approval (Art. 7(3)). If necessary, Member States can ask ENISA to provide support “in the development or the update of a national cybersecurity strategy” as well as the identification of “key performance indicators for the assessment of that strategy” (Art. 7(4)).
| Who | What | When | Post-Deadline | Legal Basis |
|---|---|---|---|---|
| Member States | Adoption of a national cybersecurity strategy | Regular assessment | Assessment at least every five years based on KPIs, update where necessary | Art. 7(4) |
Cyber Crisis Management
To ensure effective cyber crisis management, EU Member States must additionally have a national competent authority “responsible for the management of large-scale cybersecurity incidents and crises” (Art. 9(1)). Building upon the definition of an incident as “an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems” (Art. 6, point (6)), the NIS 2 Directive defines a large-scale cybersecurity incident as “an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States” (Art. 6, point (7)). To comply with the Directive’s provisions in the area of cyber crisis management, EU Member States must put in place a “national large-scale cybersecurity incident and crisis response plan” and “identify capabilities, assets and procedures that can be deployed in the case of a crisis” (Art. 9(3) and (4)).
NIS 2 requires the national plan to stipulate, in particular:
- “the objectives of national preparedness measures and activities;
- the tasks and responsibilities of the cyber crisis management authorities;
- the cyber crisis management procedures [...];
- national preparedness measures, including exercises and training activities;
- the relevant public and private stakeholders and infrastructure involved;
- [and] national procedures and arrangements between relevant national authorities and bodies to ensure the Member State’s effective participation in and support of the coordinated management of large-scale cybersecurity incidents and crises at Union level” (Art. 9(4) points (a)-(f)).
Once adopted, EU Member States have three months to share their plans with both the Commission and EU-CyCLONe (Art. 9(5)).
| Who | What | When | Post-Deadline | Legal Basis |
|---|---|---|---|---|
| Member States | Notification of cyber crisis management authority | At maximum three months after designation or establishment | At maximum three months after any subsequent changes to the crisis management authority’s identity | Art. 9(5) |
| Member States | Submission of “relevant information relating to [...] their national large-scale cybersecurity incident and crisis response plans” -> Commission and EU-CyCLONe | At maximum three months after adoption | - | Art. 9(5) |
Vulnerability Disclosure
Member States shall designate a national CSIRT as national “coordinator for the purposes of coordinated vulnerability disclosure [CVD]” (Art. 12(1)). In implementing a national CVD policy, EU Member States must “ensure that natural or legal persons are able to report, anonymously where they so request, a vulnerability” to the entity assuming the functions of national CVD coordinator (Art. 12(1)). If, upon reporting of a vulnerability, it is determined that it “could have a significant impact on entities in more than one Member State”, national CVD coordinators shall interact with their counterparts in other EU Member States through the framework of the CSIRTs Network (Art. 12(1)).
At the European level, the NIS 2 Directive entrusts ENISA – upon consultation with the NIS Cooperation Group – with the development and maintenance of a “European vulnerability database” (Art. 12(2)). In terms of information provided, the European vulnerability database shall ensure that it includes
- a description of the vulnerability;
- “the affected ICT products or ICT services;”
- “the severity of the vulnerability in terms of circumstances under which it may be exploited;”
- and “the availability of patches” or relevant mitigatory guidance by national competent authorities or CSIRTs in their absence (Art. 12(2), points (a)-(c)).
Cybersecurity Risk Management
EU Member States must supervise and “ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use [...] and to prevent or minimise the impact of incidents” (Art. 21(1)). These measures shall be endorsed and overseen by an essential or important entity’s management body, which may also be held liable in case of non-compliance (Art. 20(1)). In addition, the NIS 2 Directive stipulates that “Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training” (Art. 20(2)).
To comply with this provision, essential and important entities shall have in place at least the following measures/policies:
- “policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- [and] the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate” (Art. 21(2)).
When EU Member States supervise the implementation of such measures by essential and important entities, they shall take into account “the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact” (Art. 21(1)) to ensure a proportionate application. Pursuant to the Cybersecurity Act (Regulation 2019/881), essential and important entities may be required to “demonstrate compliance” with this provision by exclusively “us[ing] particular ICT products, ICT services or ICT processes [...] that are certified under European cybersecurity certification schemes” (Art. 24(1)).
Reporting
The NIS 2 Directive obliges essential and important entities to report when they become subject to a “significant incident” (Art. 23). To determine an incident’s significance, the directive lists two criteria, either of which makes an incident significant:
- a) the incident “has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;” or
- b) the incident “has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage” (Art. 23(3)).
In reporting a significant incident to the national CSIRT or competent authority, the following specific timelines apply for essential and important entities:
Table 14: Reporting Deadlines and Actions Pursuant to the NIS 2 Directive

I. Action to be taken by essential or important entity

| (a) Without undue delay, within 24 hours of “becoming aware” of a significant incident | (b) Without undue delay, within 72 hours of “becoming aware” of a significant incident | (c) Upon request by national CSIRT or competent authority | (d) Within one month after (b) has been submitted |
|---|---|---|---|
| Submission of an early warning. The warning shall “where applicable, [...] indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.” (Art. 23(4), point (a)) | Submission of an incident notification. Where applicable, the notification shall update the information provided in the warning of step (a) and “indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise.” (Art. 23(4), point (b)) | Submission of an intermediate report outlining “relevant status updates.” (Art. 23(4), point (c)) | Submission of a final report. If the incident is still ongoing at the time, essential and important entities must submit a progress report instead. In the latter case, a final report must also be provided “within one month of their handling of the incident” (Art. 23(4), points (d) and (e)). [The final report is supposed to include (i) “a detailed description of the incident, including its severity and impact”, (ii) “the type of threat or root cause that is likely to have triggered the incident”, (iii) “applied and ongoing mitigation measures”, and (iv) “where applicable, the cross-border impact of the incident” (Art. 23(4), point (d))] |

II. Action to be taken by national CSIRT or competent authority

| (a) Without undue delay and, where possible, within 24 hours of receiving the early warning | (b) No specified timeline |
|---|---|
| Response to notifying entity that “includ[es] initial feedback on the significant incident and, upon request of the entity, guidance or operational advice on the implementation of possible mitigation measures.” (Art. 23(5)) | |
When essential or important entities report an incident, EU Member States shall guarantee that the information submitted allows “determin[ing] any cross-border impact of the incident” (Art. 23(1)).
Upon assessing an incident’s significance, EU Member States – acting via their national CSIRT, competent authority, or SPOC – shall, “where appropriate,” inform other EU Member States and ENISA of the incident, especially when the “significant incident concerns two or more Member States” (Art. 23(6)). In any case, national SPOCs must share a “summary report” with ENISA every three months (Art. 23(9)). This report shall include “anonymised and aggregated data on significant incidents, incidents, cyber threats and near misses notified” (Art. 23(9)). In turn, ENISA is tasked with briefing the NIS Cooperation Group and the CSIRTs Network “about its findings on notifications” twice a year (Art. 23(9)). To increase the comparability of the national summary reports, ENISA “may adopt technical guidance on the parameters of the information to be included in the summary report” (Art. 23(9)). On a national level, either the CSIRT or competent authority shall also ensure that “information about significant incidents, incidents, cyber threats and near misses notified [...] by entities [that the CER Directive] identified as critical entities” are shared with the national competent authorities designated under that Directive (Art. 23(10)).
The responsibility of essential and important entities to report incidents not only extends to the respective national authorities, but also to the “recipients of their services that are potentially affected by a significant cyber threat” (Art. 23(2)). “Where applicable,” essential and important entities shall provide them with “any measures or remedies [they] are able to take in response to that threat” (Art. 23(2)).
In addition to the mandatory reporting obligations laid out in Article 23, Member States must ensure that entities can also voluntarily report relevant information. For essential and important entities, this relates to “incidents, cyber threats and near misses” (Art. 30). EU Member States shall also provide the basis for any other entity, specifically also those not “fall[ing] within the scope of this Directive”, to be able to notify national CSIRTs or competent authorities of “significant incidents, cyber threats and near misses” (Art. 30(1), point (b)). The subsequent actions to be taken by the national CSIRT or competent authority are the same as outlined in Table 14 above. Member States may, however, decide to process mandatory notifications first.
| Who | What | When | Legal Basis |
|---|---|---|---|
| Member State SPOC | Submission of summary report of notifications received in accordance with Art. 23(1) and Art. 30 -> ENISA | Every three months | Art. 23(9) |
| ENISA | Briefing about “findings on notification” -> NIS Cooperation Group and CSIRTs Network | Every six months | Art. 23(9) |
Information-Sharing
EU Member States shall encourage the voluntary exchange of information 39 among essential and important entities “through cybersecurity information-sharing arrangements in respect of the potentially sensitive nature of the information shared” (Art. 29(2)). The information-sharing is particularly envisioned for scenarios in which the information transmitted, for instance, helps to “prevent, detect, respond to or recover from incidents or to mitigate their impact” or “limit[s...] or imped[es] the ability of [...] threats to spread” (Art. 29(1), point (b)). Essential and important entities shall inform their competent authorities of their participation in or withdrawal from such arrangements (Art. 29(4)). To promote the uptake of such arrangements, ENISA is tasked with assisting their formation through “exchanging best practices and providing guidance” (Art. 29(5)).
Union-Level Cooperation and State of the Union Report
NIS 2 also foresees the voluntary participation in peer reviews where representatives from at least two other EU Member States review, for instance, “the level of implementation of the cybersecurity risk-management measures and reporting obligations laid down in Articles 21 and 23,” “the level of capabilities, including the available financial, technical and human resources, and the effectiveness of the exercise of the tasks of the competent authorities,” or “the operational capabilities of the CSIRTs” of one EU Member State (Art. 19(1)). The Commission and ENISA are involved as observers in individual peer reviews (Art. 19(2)). 40 The NIS Cooperation Group is entrusted with developing a “methodology and [the] organisational aspects of peer reviews” together with the Commission, ENISA, and the CSIRTs Network where helpful (Art. 19(1)).
Every two years, ENISA shall draft a “report on the state of cybersecurity in the Union” for submission and presentation to the European Parliament (Art. 18). This report “shall include particular policy recommendations, with a view to addressing shortcomings and increasing the level of cybersecurity across the Union” and must provide assessments on the
- “Union-level cybersecurity risk;”
- the “development of cybersecurity capabilities in the public and private sectors;”
- the “general level of cybersecurity awareness and cyber hygiene among citizens and entities;”
- and a “summary of the findings [...] from the EU Cybersecurity Technical Situation Reports on incidents and cyber threats” (Art. 18(1), points (a)-(c) and Art. 18(2)).
On an aggregated basis, the report shall also assess “the outcome of the peer reviews” as well as “the level of maturity of cybersecurity capabilities and resources across the Union [... and] the extent to which the Member States’ national cybersecurity strategies are aligned” (Art. 18(1) points (d) and (e)).
| Who | What | When | Legal Basis |
|---|---|---|---|
| NIS Cooperation Group | Development of a methodology for peer reviews | 17 January 2025 | Art. 19(1) |
| ENISA | Adoption of a biennial report on the state of cybersecurity in the Union -> European Parliament | Every two years | Art. 18(1) |
Supervision and Enforcement
To some extent, the supervisory and enforcement powers of EU Member States vary depending on whether an entity is designated as an essential or important entity. In principle, the pursuit of enforcement measures shall be based on “detailed reasoning” (Art. 32(8)). Before pursuing them, a competent authority shall share its “preliminary findings” with the entity concerned and give it an opportunity to submit its view (the latter except in “duly substantiated cases [requiring] immediate action”) (Art. 32(8)). Member States shall ensure that their supervisory and enforcement measures, as well as the imposition of administrative fines, are “effective, proportionate and dissuasive, taking into account the circumstances of each individual case” (Art. 32(1), Art. 33(1) and Art. 34(1)).
The NIS 2 Directive foresees at least the following supervisory and enforcement powers for national competent authorities:
Table 15: Supervision and Enforcement Powers

Supervision

| Essential or important entity | Essential entity | Important entity |
|---|---|---|
| Art. 32(2) & Art. 33(2) | Art. 32(2) | Art. 33(2) |

Enforcement

| Essential or important entity | Essential entity | Important entity |
|---|---|---|
| Art. 32(4) & Art. 33(4) | Art. 32(4), Art. 32(5) & Art. 34(4); ultima ratio enforcement powers [1] | Art. 33(4) & Art. 34(5) |

[1] A Member State shall provide for these powers in cases where particular previous enforcement measures did not produce the desired outcome and an entity has also not complied with requested actions in a subsequently specified timeframe (Art. 32(5)).
When an essential entity is also designated as a critical entity under the CER Directive, the competent authorities under the NIS 2 Directive shall cooperate with and inform those designated under the CER Directive of their intent to pursue supervisory or enforcement measures (Art. 32(9)). In addition, with respect to both essential and important entities, the national competent authorities under the NIS 2 Directive and the DORA Regulation shall cooperate and exchange information (Art. 32(10) and Art. 33(6)). For instance, when an essential or important entity classified under NIS 2 also represents a critical ICT third-party service provider under the DORA Regulation, Member States must ensure that they inform the Oversight Forum established in the latter regulation “when exercising their supervisory and enforcement powers” (Art. 33(6)). In cases where an entity is the provider of services in at least one Member State or uses “network and information systems” that are located in more than one Member State, the NIS 2 Directive mandates the respective national competent authorities to cooperate with each other (Art. 37). This cooperation ranges from the sharing of information when undertaking supervisory or enforcement activities, to the provision of mutual assistance 41 , to “joint supervisory actions” (Art. 37(2)) at the far end of the spectrum.
| Who | What | When | Post-Deadline | Legal Basis |
|---|---|---|---|---|
| Member State | Notification of rules on penalties applicable to infringements -> Commission | 17 January 2025 | Any subsequent amendment to these rules must be notified without delay | Art. 36 |
Implementing and Delegated Acts
The NIS 2 Directive outlines various areas where the Commission either shall or may adopt implementing or delegated acts to specify particular provisions further. Areas for such subsequent non-legislative acts relate to:
Table 16: Implementing and Delegated Acts Foreseen Under the NIS 2 Directive

| Implementing Acts | Delegated Acts [1] |
|---|---|

[1] The NIS 2 Directive initially foresees that the Commission can exercise this power until 16 January 2028. Either the Council or the European Parliament may withdraw the delegation of power “at any time” (Art. 38(3)). In such a scenario, any delegated acts adopted before the withdrawal remain valid. When drafting a delegated act, the Commission shall consult with Member State representatives. The European Parliament or the Council may object to the entry into force of a particular delegated act (see further Art. 38).
[2] These entities are DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.
[3] When drafting either implementing act B or C, the Commission shall “to the extent possible, follow European and international standards, as well as relevant technical specifications” (Art. 21(5)) and collaborate with both the NIS Cooperation Group and ENISA.
[4] These entities are DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.
[5] When drafting either implementing act E or F, the Commission shall collaborate with the NIS Cooperation Group (Art. 24(11)).
Review
| Who | What | When | Post-Deadline | Legal Basis |
|---|---|---|---|---|
| Commission | Review of NIS 2 functioning and report to “be accompanied, where necessary, by a legislative proposal” -> European Parliament and Council | 17 October 2027 | Every 36 months thereafter | Art. 40 |
— Regulation on ENISA and on Information and Communications Technology Cybersecurity Certification (Cybersecurity Act)
| 📄 Regulation on ENISA and on information and communications technology cybersecurity certification (2019/881) |
|---|
| Entry into force: 27 June 2019. Date of application: 28 June 2021 |
| Previous legislation: Repealed Regulation (EU) No 526/2013 since 27 June 2019 |
| Subsequent documents of relevance: |
| Objective (Art. 1): “ensuring the proper functioning of the internal market while aiming to achieve a high level of cybersecurity, cyber resilience and trust within the Union” |
| Subject matter (Art. 1): “This Regulation lays down: |
| Actors established/regulated by the Cybersecurity Act: |
Provisions setting out the mandate and objectives as well as the organization of ENISA (Art. 3-45) are discussed in the actor profile of ENISA.
The Cybersecurity Act sets up a European cybersecurity certification framework. The framework’s objective is to provide for a “harmonised approach at Union level [...] with a view to creating a digital single market for ICT products 42 , ICT services 43 and ICT processes 44 ” (Art. 46(1)) by putting in place a procedure for European cybersecurity certification schemes. 45 In general, these schemes are voluntary for manufacturers and providers of ICT products, services, and processes unless a particular EU legal act stipulates them as binding in order to “demonstrate the presumption of conformity with [the legislation’s] requirements” (Art. 54(3)). Once issued in any Member State, certificates and statements of conformity are valid in all Member States for their respectively foreseen duration.
The Commission adopts a “rolling work programme” identifying “strategic priorities for future European cybersecurity certification schemes,” to be updated at least every three years (Art. 47). In drafting the work programme, the Commission shall consider the views of the European Cybersecurity Certification Group (ECCG) and the Stakeholder Certification Group (SCCG) (Art. 47(4)). The current work programme can be found here.
Work programmes shall propose the inclusion of particular ICT products, ICT services, or ICT processes, for instance, based on at least one of the following considerations:
- (a) whether a national cybersecurity certification scheme on the specific category already exists or is being developed;
- (b) “relevant Union or Member State law or policy;”
- (c) “market demand;”
- and (d) “developments in the cyber threat landscape” (Art. 47(3)).
The standard procedure then foresees that the Commission can either request the preparation of a candidate scheme or the review of an existing European scheme when it falls inside the scope laid out in the work programme. When the particular schemes do not form part of the work programme, the Commission or ECCG may request preparation or review only in exceptional cases. ENISA may refuse to prepare a scheme upon request by the ECCG but must provide reasons for doing so.
The establishment of a European cybersecurity certification scheme ensues from the following steps:
Table 17: Adoption Steps of a European Cybersecurity Certification Scheme

| Step 1 | Step 2 | Step 3 | Step 4 | Step 5 |
|---|---|---|---|---|
| Request of preparation or review of a (candidate) certification scheme by the Commission or ECCG (Art. 48) | Preparation of a candidate scheme by ENISA, including (Art. 49(1)-(5)) | Submission of a candidate scheme by ENISA -> Commission (Art. 49(6)) | Adoption of implementing act by Commission stipulating the provision of a particular European cybersecurity certification scheme [2] (Art. 49(7)) | Review of adopted European cybersecurity certification schemes every five years by ENISA (Art. 49(8)) |

[1] The composition of ad hoc working groups includes “experts from Member States’ competent authorities” (Art. 20(4)).
[2] The first scheme adopted concerns Common Criteria (Commission Implementing Regulation laying down rules for the application of Regulation 2019/881 as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (2024/482)). Other schemes currently under review relate to Cloud Services and 5G (ENISA: Developing Certification Schemes).
Upon the Commission’s adoption of an implementing act specifying a particular European certification scheme, any existing national certification schemes on the same matter shall cease to exist (Art. 57(1)). 46 If a Member State aims to establish any new national cybersecurity certification scheme, it shall inform the Commission and the ECCG of its intention (Art. 57(4)).
In order to make it to stage four and be adopted as a European cybersecurity certification scheme, any scheme must specify particular elements. These elements include
- “evaluation criteria and methods [...] to demonstrate [achievement of…] security objectives;”
- information on whether the scheme assigns any assurance level and whether a scheme permits conformity self-assessments;
- a specification on how long issued certificates under the scheme are valid;
- and “rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with” (see further Art. 54(1)).
Among a scheme’s minimum security objectives feature:
- the protection of “stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure [and “accidental or unauthorised destruction, loss or alteration or lack of availability”] during the entire life cycle of the ICT product, ICT service or ICT process;”
- the “identif[ication] and document[ation] of known dependencies and vulnerabilities;”
- the “verif[ication] that ICT products, ICT services and ICT processes do not contain known vulnerabilities;”
- and that ICT products, services, or processes are “secure by default and by design” (see Art. 51 for a complete list).
In addition, a scheme can include the provision of assurance levels, which the Cybersecurity Act defines as “a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme” (Art. 2, point (21)). An assurance level specifies the degree of evaluation at a given time. Yet, it does not and does not aim to “measure the security of the ICT product, ICT service or ICT process concerned” (Art. 2, point (21)).
The Cybersecurity Act stipulates the following three assurance levels, which shall be assigned in proportion “with the level of the risk associated with the intended use of the ICT product, ICT service or ICT process, in terms of the probability and impact of an incident” (Art. 52(1)):
Table 18: Overview of Assurance Levels

| | ‘basic’ Art. 52(5) | ‘substantial’ Art. 52(6) | ‘high’ Art. 52(7) |
|---|---|---|---|
| Minimum evaluation | review of technical documentation | “review [...] the absence of publicly known vulnerabilities and testing to demonstrate [...] correct[...] implement[ation of] the necessary security functionalities” | “testing to demonstrate that the ICT products, ICT services or ICT processes correctly implement the necessary security functionalities at the state of the art; and an assessment of their resistance to skilled attackers, using penetration testing” |
| Requirements: “meet the corresponding security requirements, including security functionalities” | + “evaluat[ion] at a level intended to minimise the known basic risks of incidents and cyberattacks” | + “evaluat[ion] at a level intended to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources” | + “evaluat[ion] at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources” |
For ICT products, services or processes that fall in the category of the ‘basic’ assurance level, the Cybersecurity Act also foresees an exception by providing the (voluntary unless legally provided for) opportunity for conformity self-assessments by the manufacturer (Art. 53). It is the responsibility of the manufacturer to share the EU statement of conformity and relevant documentation with its national cybersecurity certification authority. A copy of the statement must also be submitted to ENISA.
As part of seeking certification under a European cybersecurity certification scheme, an ICT product, service, or process manufacturer/provider must also provide additional information publicly, including, for instance, “the period during which security support will be offered to end users, in particular as regards the availability of cybersecurity related updates” (Art. 55(1), point (b)). An ICT product, service, or process manufacturer/provider must also, either toward the respective national cybersecurity certification authority or the conformity assessment body, forward information on “any subsequently detected vulnerabilities or irregularities concerning the security of the certified ICT product, ICT service or ICT process that may have an impact on its compliance with the requirements related to the certification” (Art. 56(8)).
To implement the Cybersecurity Act, each EU Member State must designate at least one national cybersecurity certification authority for the purposes of issuing certificates and supervising a scheme’s compliance (Art. 58). To ensure compliance, a national cybersecurity certification authority may, for instance, “carry out investigations, in the form of audits, of conformity assessment bodies, 47 European cybersecurity certificates’ holders and issuers of EU statements of conformity” (Art. 58(8), point (b)). National cybersecurity certification authorities shall actively participate in the ECCG (Art. 58(6)). National cybersecurity certification authorities must share a report outlining actions on specific activities with ENISA and the ECCG on an annual basis (Art. 58(7), point (g)). On the Union level, national cybersecurity certification authorities shall collaborate with their counterparts in other Member States as well as the Commission, especially in relation to “exchanging information, experience and good practices” (Art. 58(9)). To contribute to a harmonious application of European cybersecurity certification schemes, the activities and processes of a national cybersecurity certification authority may be reviewed by their peers (at least two national cybersecurity certification authorities of other Member States, Art. 59). A year after the adoption of a European cybersecurity certification scheme, the Commission is tasked with publishing a list of all EU-wide conformity assessment bodies (Art. 61(2)).
On a regular basis and at least every two years, the Commission shall “assess the efficiency and use of the adopted European cybersecurity certification schemes” (Art. 56(3)). This should also include evaluating “whether a specific European cybersecurity certification scheme is to be made mandatory through relevant Union law to ensure an adequate level of cybersecurity of ICT products, ICT services and ICT processes in the Union and improve the functioning of the internal market” (Art. 56(3)). 48
Review

| Who | What | When | Post-Deadline | Legal Basis |
|---|---|---|---|---|
| Commission | Evaluation of | 28 June 2024 | Every five years thereafter | Art. 67(1) |
| Commission | Submission of a report on the evaluation, with the findings to be publicized -> European Parliament, Council and ENISA’s Management Board | 28 June 2024 | Every five years thereafter | Art. 67(4) |
Electronic Communications Networks
— 5G-Related Policies
In March 2019, the Commission published its 📄 Recommendation on the cybersecurity of 5G networks 49 , inter alia, recommending the establishment of a dedicated NIS Cooperation Group work stream and laying the basis for the adoption of subsequent EU policies in the area of 5G. In October 2019, the NIS Cooperation Group published an EU coordinated risk assessment of the cybersecurity of 5G networks, which builds upon prior national risk assessments shared by EU Member States. The 5G risk assessment identifies five main risk categories and nine related particular risk scenarios:
Table 19: Risks and Risk Scenarios Relating to 5G [this table reproduces Table 1 contained within the EU Toolbox of risk mitigating measures (p. 5)]

| Category of Risk | Risk Scenario |
|---|---|
| Insufficient security measures | 1: Misconfiguration of networks |
| | 2: Lack of access controls |
| 5G supply chain | 3: Low product quality |
| | 4: Dependency on any single supplier within individual networks or lack of diversity on nation-wide basis |
| Modus operandi of main threat actors | 5: State interference through 5G supply chain |
| | 6: Exploitation of 5G networks by organised crime or organised crime group targeting end-users |
| Interdependencies between 5G networks and other critical systems | 7: Significant disruption of critical infrastructures or services |
| | 8: Massive failure of networks due to interruption of electricity supply or other support systems |
| End user devices | 9: Exploitation of IoT, handsets or smart devices |
In December 2019, the Council adopted 📄 Conclusions on the significance of 5G to the European Economy and the need to mitigate security risks linked to 5G, which call upon “Member States and the Commission with the support of ENISA to take all necessary measures within their competences to ensure the security and integrity of electronic communication networks, in particular 5G networks” (p. 9). Subsequently, in January 2020, the NIS Cooperation Group adopted a 📄 “EU Toolbox of risk mitigating measures” in relation to the cybersecurity of 5G networks. 50 The Toolbox was subsequently endorsed by both the Commission and the European Council. Building upon the risks identified in the coordinated risk assessment, the Cybersecurity 5G Toolbox outlines a catalog of 19 either strategic or technical mitigation measures, which are complemented by ten supporting actions. 51 Strategic measures, inter alia, include the expansion of national regulatory powers and the strengthening of domestic resilience. 52 On a technical level, the Toolbox stipulates concrete measures that involve, for example, the “application of baseline security requirements”, an “evaluati[on of] the implementation of security measures in existing 5G standards” and the enhancement of “software integrity, update and patch management” (p. 12). 53 The measures are particularly aimed at mobile network operators and telecom equipment manufacturers and are envisioned for implementation by both Member State entities and EUIBAs. It is at a Member State’s discretion “to assess whether it has the resources to enforce the measure or if there is a need to cooperate with other Member States or at EU level” (p. 16). The Toolbox comprises two aspects: First, it describes the various measures, specifies which of the nine identified risk scenarios each serves to mitigate and designates which actors 54 may be involved in their implementation (see further Table 1 in Annex 1).
In the second step, the Toolbox draws up risk mitigation plans for each of the nine risk scenarios. Each risk mitigation plan stipulates which of the 19 measures are “most relevant/high-impact,” evaluates their “expected effectiveness” ranging from very high to low, includes potential positive and negative “implementation factors,” and concludes with an “indicative timeframe” for the implementation of each measure (see further Table 3 on page 15 and Table 2 in Annex 1).
In June 2023, the Commission followed up with a 📄 Communication on the implementation of the 5G cybersecurity toolbox. In its Communication, the Commission, inter alia, highlights that it “considers [...] decisions adopted by Member States to restrict or exclude Huawei and ZTE [as] justified and compliant with the 5G Toolbox” (p. 3), since these suppliers would “in fact [represent] materially higher risks than other 5G suppliers” (p. 3). In taking stock of the status quo of the Toolbox’s implementation, the Commission “urges Member States that have not yet implemented the Toolbox to adopt urgently relevant measures as recommended in the EU Toolbox” (p. 4). Looking inward, the Commission also announced that it would itself initiate measures to “avoid exposure of its corporate communications to mobile networks using Huawei and ZTE as suppliers”, for instance, by “mak[ing] sure that those suppliers are progressively phased out from existing connectivity services of the Commission sites” (p. 4). Further, the Commission recommends other EUIBAs to do the same.
— Radio Equipment Directive
📄 Commission Delegated Regulation 2022/30 supplements the 📄 Radio Equipment Directive (RED, 2014). The Directive “establishes a regulatory framework for the making available on the market and putting into service in the Union of radio equipment” 55 (Art. 1(1) RED), and the Delegated Regulation further specifies particular essential requirements for radio equipment. Their specification is of cybersecurity relevance, as the “protection of the network or its functioning from harm [Art. 3(3), point (d) RED], protection of personal data and privacy of the user [Art. 3(3), point (e) RED] and of the subscriber and protection from fraud [Art. 3(3), point (f) RED] are [considered as] elements that support protection against cybersecurity risks” (recital (1), Commission Delegated Regulation 2022/30). Against this backdrop, the Delegated Regulation extends the scope of these requirements to “any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment” (Art. 1(1)). The essential requirements contained in the RED create obligations for economic operators. For instance, manufacturers must guarantee that both their design and radio equipment manufacturing comply with these requirements (Art. 10(1) RED). Member States, in turn, are tasked with “tak[ing] appropriate measures to ensure that radio equipment is made available on the market only if it complies with this Directive” (Art. 6 RED) when implementing and applying the RED.
— Electronic Communications Code
The 📄 Directive on the European Electronic Communications Code (2018) outlines rules for electronic communication networks and services. Among other things, it establishes that Member States must “ensure that providers of public electronic communications networks or of publicly available electronic communications services take appropriate and proportionate technical and organisational measures to appropriately manage the risks posed to the security of networks and services” (Art. 40(1)). 56 Such measures should mainly aim at “prevent[ing] and minimi[zing] the impact of security incidents 57 on users and on other networks and services” (Art. 40(1)). To contribute to the similarity of specific requirements throughout the EU, ENISA is tasked with supporting coordination among Member States. In addition to taking risk management measures, the providers in the scope of the Electronic Communications Code must also, “without undue delay,” notify a Member State’s respective competent authority of a “security incident that has had a significant impact on the operation of networks or services” (Art. 40(2)). To decide whether a security incident is significant, the Directive lists five parameters for consideration:
- the “number of users affected;”
- “duration;”
- “geographical spread of the area affected;”
- “extent to which the functioning of the network or service is affected;”
- and “extent of impact on economic and societal activities” (Art. 40(2)).
Member States, via their competent authorities, shall inform each other and ENISA of such incidents if necessary. On an annual basis, the competent authorities must share with the Commission and ENISA a “summary report [...] on the notifications received and the action taken” (Art. 40(2)). To ensure supervision and compliance with this Directive, Member States shall, inter alia, equip their competent authorities with the powers to “issue binding instructions” to providers, for instance, on “measures required to remedy a security incident” (Art. 41(1)), requiring the provision of information by providers (Art. 41(2)) and receiving support from the national CSIRT (Art. 4(4)). Competent authorities designated under both the Electronic Communications Code and the NIS 2 Directive shall “consult and cooperate” with each other “where appropriate” (Art. 41(5)).
Product Safety and Market Surveillance
— Regulation on General Product Safety
The 📄 Regulation on general product safety (2023) “lays down essential rules on the safety of consumer products placed or made available on the market” (Art. 1(2)). Its objective is to ensure a “high level of consumer protection” (Art. 1(1)). As a general rule, “only safe products 58 ” may be placed or made available in the internal market (Art. 5). In order to be considered safe, a product must “under normal or reasonably foreseeable conditions of use, including the actual duration of use, [...] not present any risk or only the minimum risks compatible with the product’s use, [be] considered acceptable and consistent with a high level of protection of the health and safety of consumers” (Art. 3, point (2)). With respect to cybersecurity, the determination of a product’s safety may include assessing whether, “when required by the nature of the product, the appropriate cybersecurity features necessary to protect the product against external influences, [...] where such an influence might have an impact on the safety of the product” (Art. 6(1), point (g)) were accommodated. The Regulation further notes in its recital that “specific cybersecurity risks affecting the safety of consumers [...] can be dealt with by sectoral legislation” (recital (26)).
— Regulation on Machinery
The 📄 Regulation on machinery (2023) defines “health and safety requirements for the design and construction of machinery [...] to allow them to be made available on the market or put into service while ensuring a high level of protection of the health and safety of persons” (Art. 1). In relation to cybersecurity, the Regulation establishes links with EU cybersecurity certification schemes, as these may be used to demonstrate conformity with the requirements specified in the Regulation (Art. 20(9)). At the same time, the Regulation stresses in its recital that it “does not preclude the application to products within the scope of this Regulation of other Union legal acts specifically addressing cybersecurity aspects” (recital (25)).
— Regulation on Medical Devices & Regulation on in Vitro Diagnostic Medical Devices
The 📄 Regulation on medical devices (2017) and the 📄 Regulation on in vitro diagnostic medical devices (2017) “lay[...] down rules concerning [their] placing on the market, making available on the market or putting into service [...] in the Union” (Art. 1(1), Regulation 2017/746 and Art. 1(1) Regulation 2017/745). Both, inter alia, specify safety requirements for “electronic programmable systems”, defined as “devices that incorporate electronic programmable systems and software that are devices in themselves” (Annex I). In this respect, the regulations stipulate that “the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation” (Annex I, 16 Regulation 2017/746 and Annex I, 17 Regulation 2017/745). In addition, manufacturers must comply with “set[ting] out minimum requirements concerning [...] IT security measures” (Annex I, 16.4 Regulation 2017/746 and Annex I, 17.4 Regulation 2017/745). The Regulation on medical devices mandated the development of a European database on medical devices (Eudamed), on whose rules the Commission adopted 📄 Implementing Regulation 2021/2078. The Implementing Regulation stipulates that in relation to IT security and as a general rule, Eudamed must adhere to Commission Decision 2017/46. 59 Inter alia, the Commission must provide a document that specifies “information security requirements for data exchange” (Art. 10(1)). Moreover, the Implementing Regulation lays out that when faced with a potentially harmful IT security incident, risk, or threat, the Commission may decide to suspend access to or functionalities of Eudamed (Art. 10(3) and (4)).
— Regulation on Vehicle Type-Approval
The 📄 Regulation on vehicle type-approval (2020) determines that particular categories of vehicles must meet outlined requirements, for instance, when it comes to “on-board instruments, electrical system, vehicle lighting and [their] protection against unauthorised use including cyberattacks” (Art. 4(5) (d)). In the area of cybersecurity, vehicle manufacturers must meet the requirements specified in UN Regulation No 155, setting out “uniform provisions concerning the approval of vehicles with regards to cybersecurity and cybersecurity management system”.
Electronic Identification
— eIDAS Regulation
The 📄 Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation, 2014) together with a 📄 2024 Regulation establishing the European Digital Identity Framework and a complementing 📄 Commission Implementing Regulation 2015/1502 provide rules for attaining “an adequate level of security of electronic identification 60 means 61 and trust services 62 used across the Union” (Art. 1). To this end, the Regulation, inter alia, lays down rules for European Digital Identity Wallets 63 and electronic identification schemes. Such schemes are “system[s] for electronic identification under which electronic identification means are issued to natural or legal persons or natural persons representing other natural persons or legal persons” (Art. 3, point (4)) 64 which shall specify assurance levels, such as low, substantial or high (Art. 8). As part of an electronic identification scheme, the Regulation foresees the creation of European Digital Identity Wallets. The Regulation tasks Member States to “provide at least one European Digital Identity Wallet” within a specified timeframe (following the adoption of implementing acts by the Commission) in order to “ensur[e] that all natural and legal persons in the Union have secure, trusted and seamless cross-border access to public and private services, while having full control over their data” (Art. 5a(1)). In addition to use cases for users and technical specifications, the Regulation stipulates that “European Digital Identity Wallets shall ensure security-by-design” (Art. 5a(12)) and “Member State shall inform users, without delay, of any security breach that could have entirely or partially compromised their European Digital Identity Wallet or its contents” (Art. 5a(6)).
When they concern cybersecurity, European Digital Identity Wallets shall be certified in the framework of European cybersecurity certification schemes as provided for by the Cybersecurity Act (Art. 5c(2)). Where such scheme(s) “do not, or only partially, cover those cybersecurity requirements [...] Member States shall establish national certification schemes” (Art. 5c(3)). The Commission is tasked with “establish[ing] a list of reference standards and, where necessary, establish specifications and procedures for the certification of European Digital Identity Wallets” (Art. 5c(6)) by 21 November 2024. In terms of review, the Regulation mandates the Commission to assess, “within 24 months after deployment of the European Digital Identity Wallets,” the “demand for, and the availability and usability of, European Digital Identity Wallets” (Art. 5f(5)). The Regulation determines that not only the European Digital Identity Wallets but also the “conformity of electronic identification schemes to be notified with the cybersecurity requirements laid down in this Regulation [...] shall be certified by conformity assessment bodies designated by Member States” (Art. 12a(1)). In principle, such certification “shall be carried out under a relevant cybersecurity certification scheme pursuant to [the Cybersecurity Act] or parts thereof, insofar as the cybersecurity certificate or parts thereof cover those cybersecurity requirements” (Art. 12a(3)). Once provided, respective certifications shall have a temporal validity of five years, on the condition that “a vulnerability assessment is carried out every two years” (Art. 12a(3)). 65
The Regulation further designates how Member States have to act in instances of security breaches for electronic identification schemes 66 in general and European Digital Identity Wallets in particular 67 .
Table 20: Actions to Be Taken by Member States Following Security Breaches

| | Electronic Identification Schemes (Art. 10) | European Digital Identity Wallet (Art. 5e) |
|---|---|---|
| When | “breached or partly compromised in a manner that affects the reliability of the cross-border authentication of that scheme” (Art. 10(1)) | “breached or partly compromised in a manner that affects their reliability or the reliability of other European Digital Identity Wallets” (Art. 5e(1)) |
| General | | Art. 5e(1): |
| No remediation within three months of suspension/revocation | | Art. 5e(2): |
| Remediated breach or incident | | Art. 5e(3): |
The Regulation also defines security requirements for trust service providers. In accordance, both “qualified and non-qualified trust service providers shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide” (Art. 19(1)) referencing the cybersecurity risk management measures contained in the NIS 2 Directive (Art. 19a(1), point (a) and Art. 20(1), see further Art. 21 Directive).
The Regulation further specifies reporting requirements on these trust service providers when “any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein” (Art. 19(2)) occurs. The Regulation foresees the following actions to be taken by trust service providers and supervisory authorities:
Table 21: Reporting Requirements by Trust Service Providers and Notified Supervisory Authorities

| Tasks to Be Undertaken by Trust Service Providers | Tasks to Be Undertaken by Notified Supervisory Authorities |
|---|---|
| Art. 19(2): | |
Member States are required to publicize, inter alia, statistics on “significant security incidents, data breaches and affected users of European Digital Identity Wallets or of qualified trust services” in “an open and commonly used, machine-readable format” (Art. 48a(2), point (e)).
With regard to governance, the Regulation directs Member States to designate supervisory authorities for the supervision of the European Digital Identity Framework and trust services (Art. 46a and 46b). Among their tasks is informing the competent authorities designated pursuant to the NIS 2 Directive “of the Member States concerned of any significant security breaches or loss of integrity of which they become aware in the performance of their tasks” and, “in the case of a significant security breach or loss of integrity which concerns other Member States,” informing the respective SPOCs designated pursuant to the NIS 2 Directive and this Regulation in the Member States affected (Art. 46a(4), point (c) and Art. 46b(4), point (a)). Member States shall further determine a “single point of contact [SPOC] for trust services, European Digital Identity Wallets and notified electronic identification schemes” (Art. 46c). This SPOC is tasked with “exercis[ing] a liaison function to facilitate cross-border cooperation between the supervisory bodies for trust service providers and between the supervisory bodies for the providers of European Digital Identity Wallets and, where appropriate, with the Commission and European Union Agency for Cybersecurity (ENISA) and with other competent authorities within its Member State” (Art. 46c(2)). The Regulation also provides a legal basis for the provision of mutual assistance among Member States (Art. 46d) and establishes the European Digital Identity Cooperation Group 68 (Art. 46e).
Data Protection and Data Economy
— General Data Protection Regulation
The 📄 General Data Protection Regulation (GDPR, 2016) outlines conditions and limits for the lawfulness of processing data. It creates obligations for controllers and processors of data located within the EU “regardless of whether the processing [itself] takes place in the Union or not” (Art. 3(1)). As one of its six overarching general principles, the Regulation stipulates that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)” (Art. 5(1), point (f)). In further detail, the GDPR also includes a provision outlining security requirements for the processing of data (Art. 32). Accordingly, controllers and processors of personal data must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (Art. 32(1)). As examples of such measures, the GDPR lists:
- “the pseudonymisation and encryption of personal data;”
- “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;”
- “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;”
- and “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing” (Art. 32(1)).
When a controller experiences a breach in relation to the personal data it processes, it “shall without undue delay and, where feasible, not later than 72 hours after having become aware of it” report it to its respective supervisory authority, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” (Art. 33). EU Member States are, inter alia, responsible for monitoring the application and compliance of controllers and processors with the GDPR and are tasked with “promot[ing] public awareness and understanding of the risks, rules, safeguards and rights in relation to processing” (Art. 57).
— Data Governance Act
The 📄 Regulation on European data governance (Data Governance Act, 2022), inter alia, establishes the European Data Innovation Board. Tasks of the Board comprise “advis[ing] and assist[ing] the Commission with regard to developing consistent guidelines for cybersecurity requirements for the exchange and storage of data” (Art. 30, point (e)) and “propos[ing] guidelines for common European data spaces, namely purpose- or sector-specific or cross-sectoral interoperable frameworks of common standards and practices to share or jointly process data [...] addressing [...] adherence to cybersecurity requirements in accordance with Union law” (Art. 30, point (h)). ENISA is among the Board’s members. Further, in relation to non-personal data, the Regulation specifies that “data intermediation services provider[s] shall take necessary measures to ensure an appropriate level of security for the[ir] storage, processing and transmission” and, concerning “competitively sensitive information,” highlights that “data intermediation services provider[s] shall [...] ensure the highest level of security for the[ir] storage and transmission” (Art. 12).
General Rules
— Chips Act
The 📄 Chips Act (2023) provides “a framework for strengthening the semiconductor ecosystem at Union level” (Art. 1(1)). It addresses cybersecurity considerations insofar as the established Chips for Europe Initiative also includes the construction of chips based upon security-by-design principles among its operational objective 1 (“building up advanced design capacities for integrated semiconductor technologies,” Art. 5(a), point (ii)), as this can “provide protection against cybersecurity threats” (Art. 4(1)).
— Digital Markets Act
The 📄 Digital Markets Act (2022) specifies “harmonised rules ensuring for all businesses, contestable and fair markets in the digital sector across the Union where gatekeepers are present, to the benefit of business users and end users” (Art. 1(1)). To this end, it lays down obligations for so-called gatekeepers, which are defined as “an undertaking providing core platform services” (Art. 2, point (a)) and further meet specific characteristics such as having “a significant impact on the internal market” (Art. 3(1), point (a) and further specified in Art. 3(2)). Gatekeepers shall, inter alia, ensure that when meeting their obligations under the Digital Markets Act Articles 5-7, the “implementation of those measures complies with [...] legislation on cyber security” (Art. 8(1)). The power to “monitor the effective implementation and compliance with [these] obligations” (Art. 26(1)) rests with the Commission.
Council Conclusions and Resolutions
— Council Conclusions on ICT Supply Chain Security
The 📄 Council conclusions on ICT supply chain security (October 2022) highlight various cross-sectoral and cyber-specific instruments as well as supporting mechanisms to increase the security of ICT supply chains, inter alia, in an effort to seek “strategic autonomy while preserving an open economy” (p. 5). The Conclusions note the need for an “all-hazard approach [...] in securing ICT assets” (p. 4). They define ICT supply chain security as including the “protection of ICT products and services produced, delivered, procured and used in ICT supply chains, including by means of protecting individual components and transmitted data” (p. 4). Among the cross-sectoral instruments and approaches, Member States delineate the “avoidance of vendor lock-in and the diversification of ICT suppliers as one of the important components for ensuring stability and security of the internal market” (p. 7) and take further note that the “EU’s Foreign Direct Investment Screening mechanism 69 [...] could also be applied as a useful tool for safeguarding security and resilience of the ICT supply chain” (p. 8). The Conclusions also refer to public procurement as a possible tool and therefore invite the Commission, inter alia, to “develop methodological guidelines [...] to encourage the contracting authorities to put appropriate focus on the cybersecurity practices of tenderers and their subcontractors” (p. 7). As part of the cyber-specific instruments, Member States refer to the EU 5G Toolbox, 70 existing horizontal and sector-specific legislation, respective legislative initiatives such as the Cyber Resilience Act and efforts underway to develop cybersecurity certification schemes.
EU Member States further encourage ENISA to perform three specific tasks: conducting a best practices stocktaking exercise on supply chain risk management (supported by the NIS Cooperation Group), developing “methodological guidelines” on that basis, as well as “monitor[ing of] investments in the ICT supply chain security of the entities regulated under the forthcoming NIS 2 Directive” (p. 11). EU Member States further invite the NIS Cooperation Group (supported by the Commission and ENISA) “to develop a toolbox of measures for reducing critical ICT supply chain risks” on the basis of “strategic threat scenarios identified for ICT supply chains” (p. 13) – the ICT Supply Chain Toolbox. With respect to the mandate of other actors at EU level, the Conclusions “invite[...] the ECCC to take into account the ICT supply chain security aspects, including, for instance, secure software development, into their Strategic Agenda” (p. 14). Finally, as so-called supporting mechanisms, the Conclusions, for example, list “boosting financial support incentives related to measures aimed at strengthening ICT supply chain security” (p. 15), for instance, in the framework of Digital Europe 71 or Horizon Europe 72 and leveraging, at the global level, “digital partnerships, cyber dialogues and other relevant EU initiatives, [...] for the promotion of risk-based evaluations of ICT product suppliers and ICT services providers” (p. 16).
— Council Conclusions on the Cybersecurity of Connected Devices
The 📄 Council conclusions on the cybersecurity of connected devices (December 2020), inter alia, stress the necessity of “a high level of complementarity and comparability of security functionalities of ICT systems and ICT components, which are used in many different sectors of the Digital Single Market” (p. 4) and take positive note of “current developments at Union level to raise the level of cybersecurity of connected devices” (p. 4), for instance, via the Radio Equipment Directive or the development of cybersecurity certification schemes. In order to elevate the level of cybersecurity across connected devices, the Conclusions “call [...] for coordination and close cooperation with all relevant public and private stakeholders, also in view of a possible future horizontal legislation” (p. 5). Specifically with respect to cybersecurity certification, EU Member States underline “the need to establish cybersecurity norms, standards or technical specifications for connected devices” (p. 5) and encourage further respective activities by European Standards Organisations, such as the European Telecommunications Standards Institute (ETSI). The Conclusions further invite “the Commission to consider a request for a candidate cybersecurity certification schemes for connected devices and related services” (p. 6) and note their appreciation for “a discussion on how the goal of cybersecurity could be anchored in a future horizontal legislation that covers cybersecurity risks related to connected devices” (p. 6).
— Council Resolution on Encryption
The 📄 Council Resolution on Encryption (November 2020) calls for adherence to “the principle of security through encryption and security despite encryption [...] in its entirety” (p. 4). The Resolution highlights the need for striking a balance on the basis of “necessity, proportionality and subsidiarity” between “protecting the privacy and security of communications through encryption” on the one hand and “upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes in fighting serious and/or organized crimes and terrorism, including in the digital world, and upholding the rule of law” on the other hand (p. 4). The Resolution further notes the possibility of exploring the development of a dedicated EU-wide regulatory framework in this regard (p. 5). EU Member States also stress their support for further promoting and developing encryption as “an anchor of confidence in digitalisation and in protection of fundamental rights” (p. 4), for instance, by engaging in “active discussion” (p. 4) and cooperation with the tech industry.
Policy Area 3: Economic, Monetary and Commercial Policy
Deep Dive: Digital Operational Resilience Act (DORA)
| 📄 Regulation on digital operational resilience for the financial sector (2022/2554) |
|---|
| Entry into force: 16 January 2023; Date of application: 17 January 2025 |
| Previous legislation: NA |
| Subsequent documents of relevance [for other non-legislative acts under preparation pursuant to DORA, see further Chapter 14]: |
| Objective (Art. 1(1)): “achieve a high common level of digital operational resilience” |
| Subject matter (Art. 1): “This Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities as follows: |
| Actors established/regulated by the DORA Regulation: |
| Deep Dive Structure: Scope -> Competent Authorities -> ICT Risk Management by Financial Entities -> ICT-related Incident Management, Classification and Reporting -> Digital Operational Resilience Testing -> ICT Third-Party Risk Management -> Supervision and Enforcement -> Regulatory and Implementing Technical Standards -> Review |
Scope
DORA places information and cybersecurity-related obligations on financial entities, for instance, credit institutions, payment institutions, or investment firms, to attain a “high common level of digital operational resilience” (Art. 1(1)). 73 The Regulation defines digital operational resilience as “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions” (Art. 3, point (1)). It applies the NIS 2 Directive’s definition of security of network and information systems. For financial entities that are also designated as essential or important entities under the NIS 2 Directive, DORA functions as “a sector-specific Union legal act” (Art. 1(2)). The DORA Regulation lays down a ‘proportionality principle,’ according to which the implementation of rules on ICT risk management (Chapter II) and the application of provisions on (a) ICT-related incident management, classification and reporting (Chapter III); (b) digital operational resilience testing (Chapter IV); and (c) ICT third-party risk management (Chapter V, Section I) shall either “take into account” or “be proportionate” to the financial entities’ “size and overall risk profile, and the nature, scale and complexity of their services, activities and operations” (Art. 4(1) and (2)).
Competent Authorities
The competent authorities for supervising compliance with the DORA Regulation depend on the type of financial entity and further applicable legal bases. They shall closely cooperate with each other (Art. 48(1)). For instance, for credit institutions, this is the competent authority designated under Directive 2013/36 (for a complete list of entities and their competent authorities see Art. 46). To ensure cooperation, both the European Supervisory Authorities (ESAs) 74 and the competent authorities “may participate in the activities of the [NIS] Cooperation Group for matters that concern their supervisory activities in relation to financial entities” and “may request to be invited to participate in the activities of the [NIS] Cooperation Group for matters in relation to essential or important entities [...] that have also been designated as critical ICT third-party service providers” within the DORA Regulation (Art. 47(1)). Article 47 also provides a basis for consultations and information-sharing among the DORA’s competent authorities with the SPOCs and CSIRTs designated under the NIS 2 Directive (Art. 47(2)). Competent authorities under the DORA Regulation “may request any relevant technical advice and assistance” on the part of NIS 2’s competent authority and both may formalize their cooperation through “cooperation agreements” (Art. 47(3)). Furthermore, the competent authorities shall engage in close cooperation and “exchange information to carry out their duties pursuant to Articles 47 to 54” with the ESAs and the European Central Bank (ECB) (Art. 48(2)). 
To ensure cooperation across the financial sector, the DORA Regulation foresees that the ESA Joint Committee (JC) together with the Member States’ competent authorities and other actors may “establish mechanisms to enable the sharing of effective practices across financial sectors to enhance situational awareness and identify common cyber vulnerabilities and risks across sectors” as well as “develop crisis management and contingency exercises involving cyber-attack scenarios with a view to developing communication channels and gradually enabling an effective coordinated response at Union level” (Art. 49(1)).
ICT Risk Management by Financial Entities
The DORA Regulation defines ICT risk as “any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment” (Art. 3, point (5)). To counter respective circumstances, financial entities are required to have an “internal governance and control framework that ensures an effective and prudent management of ICT risk” (Art. 5(1)), for whose development and implementation a financial entity's management body holds responsibility (Art. 5(2)). In addition to ensuring compliance with these governance-related ICT risk management requirements, DORA further requires that financial entities have a “sound, comprehensive and well-documented ICT risk management framework [in place] as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience” (Art. 6(1)). This comprises, inter alia, at least “strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets” (Art. 6(2)), which must be documented. In relation to strategies, financial entities must adopt a digital operational resilience strategy “setting out how the framework shall be implemented” (Art. 6(8)). As part of the strategy, financial entities shall, for instance, specify “clear information security objectives, including key performance indicators and key risk metrics” and elaborate on “different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it” (Art. 6(8), points (c) and (e)). 
Financial entities shall review the framework annually or upon major incidents, supervisory instructions, or other relevant information (Art. 6(5)).
The ICT risk management framework further encompasses the following elements:
Table 22: Overview of ICT Risk Management Framework Elements

| Elements | Examples |
|---|---|
| ICT systems, protocols, and tools (Art. 7) | |
| Identification (Art. 8) | |
| Protection and prevention (Art. 9) | |
| Detection (Art. 10) | |
| Response and recovery (Art. 11) | |
| Backup policies and procedures, restoration and recovery procedures and methods (Art. 12) | |
| Learning and evolving (Art. 13) | |
| Communication (Art. 14) | |
For specific types of entities, the requirement of a “simplified ICT risk management framework” applies (see further Art. 16). As a contribution to the harmonization of ICT risk management tools, methods, processes and policies as part of the ICT risk management framework, DORA tasks the ESAs together with ENISA to “develop common draft regulatory technical standards” in various areas and elements of the simplified framework by 17 January 2024 (Art. 15 and 16). 75 DORA further provides a foundation for financial entities to “exchange amongst themselves cyber threat information and intelligence” when such exchange meets specific objectives and is conducted based on “information-sharing arrangements” (Art. 45(1)). Financial entities shall inform their competent authority of their participation or withdrawal from these arrangements (Art. 45(3)).
ICT-Related Incident Management, Classification and Reporting
In order to “detect, manage and notify ICT-related incidents”, financial entities must put in place an “ICT-related incident management process” and ensure a recording of “all ICT-related incidents and significant cyber threats” (Art. 17). The Regulation defines an ICT-related incident as “a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity” (Art. 3, point (8)). A significant cyber threat is defined as a “cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident 76 or a major operational or security payment-related incident” (Art. 3, point (13)). 77 Requirements of Articles 17-22 are also applicable to “operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions” 78 (Art. 23).
A financial entity’s ICT-related incident management process shall include the following elements:
- existence of “early warning indicators;”
- establishment of “procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted;”
- designation of “roles and responsibilities that need to be activated for different ICT-related incident types and scenarios;”
- development of communication plans as specified in Article 14 and plans for client notification, “internal escalation procedures” and information-sharing with counterparts;
- guarantee that “relevant senior management” are reported to and the management body is being informed of “at least major ICT-related incidents [...] explaining [to them] the impact, response and additional controls to be established as a result of such ICT-related incidents;”
- and establishment of “ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner” (Art. 17(3)).
Moreover, financial entities are required to classify ICT-related incidents and evaluate their impact, inter alia, based on these considerations:
- “number and/or relevance of clients or financial counterparts affected;”
- “duration of the ICT-related incident;”
- “geographical spread;”
- involved “data losses [...] in relation to availability, authenticity, integrity or confidentiality of data;”
- “criticality of the services affected;”
- and “economic impact” (Art. 18(1)).
The ESAs, upon consultation with the ECB and ENISA, are tasked with further specifying these criteria, among other aspects, by “develop[ing] common draft regulatory technical standards” (Art. 18(3)).
When a major ICT-related incident occurs, financial entities shall notify it to their respective competent authority (Art. 19(1)). 79
Table 23: Overview of DORA’s Incident Reporting Obligations