Cybersec - Special: Four European laws relevant to cybersecurity

These four European laws are relevant to cybersecurity

The number of regulatory initiatives around digitalisation that the EU is planning over the next five years can literally no longer be counted on one hand. Cybersec Netherlands 2024 gave an insight into which EU laws are most relevant to cybersecurity today.

TEXT: WILLIAM VISTERIN IMAGE: SHUTTERSTOCK

The overview was given by Jeremy Rollison, head of EU policy at Microsoft. Rollison is based in Brussels, and he quipped that ‘any excuse is good to get out of Brussels for a while.’

Rollison must be working hard in his job at Microsoft, given the number of areas where EU digitalisation legislation is being considered or has already been enacted. These range from AI (with the implementation of the Artificial Intelligence Act, or AI Act), sustainability (the Circular Economy Act, among others), connectivity (the Digital Networks Act, among others), privacy (GDPR, cookies), cloud (Data Act) and consumer law (Digital Advertising Act) to content moderation (CSAM).

Jeremy Rollison, head of EU Policy at Microsoft.

But in terms of cybersecurity, Rollison singled out these four legislative initiatives. ‘These are currently the most operative for cybersecurity, and therefore the most relevant, although there are many others.’

NIS2

The directive aims to improve the digital and economic resilience of European member states. ‘The legislation affects 18 sectors. The biggest impact of NIS2 for organisations revolves around cybersecurity risk management measures and incident reporting,’ Rollison notes.

Timing: 17 October 2024. Because the deadline for transposition into national legislation passed only recently (and only two countries, Belgium and Croatia, met it), NIS2 is also the best-known directive in this overview.

Cyber Resilience Act

Actually, this EU regulation is not about the cyber resilience of (all) organisations, but about hardware and software products. It sets binding cybersecurity requirements for digital products sold in the EU, such as software and IoT devices. ‘All products that are directly or indirectly connected to a network are covered, with only a few exceptions.’

Timing: Unlike NIS2, the Cyber Resilience Act is not for the near future: although the regulation entered into force on 11 December 2024, its introduction and application are scheduled for 2026 and 2027.

DORA

DORA, which stands for Digital Operational Resilience Act, is focused on the financial sector. ‘A sector that, by definition, is already highly regulated,’ notes Rollison. It is a European regulation aimed at strengthening the operational resilience of financial organisations and their services.

But it is not just about financial firms. ‘DORA also imposes requirements on third-party IT providers, with a focus on cloud computing to support critical functions.’

Timing: early next year, more specifically 17 January 2025.

EU Cloud Certification Scheme

The EUCS is a framework for certifying the cybersecurity of cloud service providers. It is part of the Cybersecurity Act 2019, or CSA. ‘Cybersecurity schemes like the EUCS are not mandatory. Although they may become mandatory in the future,’ he explains. ‘It covers all types of cloud services: from infrastructure to applications.’

Timing: The European Commission’s draft proposal was submitted to the 27 member states for review in recent months. The EUCS is not yet complete.