These Four European Laws Are Relevant for Cybersecurity

William Visterin
13 December 2024

Event | Cybersec Netherlands 2024
The number of regulatory initiatives around digitization that the EU plans to implement over the next five years is literally too numerous to count. Cybersec Netherlands 2024 provided insight into which EU legislation is most relevant for cybersecurity today.

It was Jeremy Rollison, Head of EU Policy at Microsoft, who offered the overview. Rollison, based in Brussels, humorously noted that “any excuse is a good one to step outside of Brussels for a bit.”

Rollison appears to have a busy job at Microsoft, given the breadth of areas in which the EU is drafting or has already established legislation regarding digitization. These include AI (with the implementation of regulations like the Artificial Intelligence Act), sustainability (e.g., the Circular Economy Act), connectivity (e.g., the Digital Networks Act), privacy (GDPR, cookies), cloud (Data Act), consumer rights (Digital Advertising Act), and content moderation (CSAM).

However, for cybersecurity, Rollison highlighted four legislative initiatives that stand out. “These are the most active and relevant for cybersecurity at the moment, though there are many others,” he remarked.

NIS2
This directive focuses on improving the digital and economic resilience of European member states. “The legislation impacts 18 sectors. The most significant impact of NIS2 for organizations involves measures related to cybersecurity risk management and incident reporting,” Rollison noted.

Timing: October 17, 2024. Due to the recent implementation deadlines for national legislation (and the fact that only two countries, including Belgium, met the timeline), this directive is currently the most well-known in this overview.

Cyber Resilience Act
This EU regulation does not concern the cybersecurity resilience of (all) organizations but rather that of hardware and software products. It sets binding requirements for the cybersecurity of digital products sold in the EU, such as software and IoT devices. “All products, with few exceptions, directly or indirectly connected to a network are covered.”

Timing: Unlike NIS2, the Cyber Resilience Act is not imminent; implementation is planned for 2026 and 2027.

DORA
DORA, the Digital Operational Resilience Act, focuses on the financial sector, “a sector that is, by definition, already highly regulated,” Rollison observed. This European regulation aims to strengthen the operational resilience of financial organizations and their services.

However, it does not solely target financial companies. “DORA also imposes requirements on third-party ICT providers, with a focus on cloud computing supporting critical functionalities.”

Timing: Early next year, specifically January 17, 2025.

EU Cloud Certification Scheme (EUCS)
EUCS is a framework for certifying the cybersecurity of cloud service providers. It is part of the 2019 Cybersecurity Act (CSA). “Cybersecurity schemes like EUCS are not mandatory, but they may become mandatory in the future,” he noted. “It covers all types of cloud services, from infrastructure to applications.”

Timing: The European Commission’s draft concept has been submitted to the 27 member states for review in recent months. EUCS is not yet finalized.

Source: Computable.nl

Gerelateerde artikelen