Understanding EU Cybersecurity: History, Regulations, and Certifications

  • November 28, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Compliance Manager

According to a recent study by Cloudflare focused on cybersecurity in Europe, 40% of organizations experienced a cybersecurity incident in the last 12 months and 84% of that group reported that the frequency of these events has increased over the same period.

Most also expect this trend to continue. 64% of surveyed European business leaders said they expect a cybersecurity incident in the next 12 months, and only 29% feel highly prepared to defend against them.

Since individuals, businesses, and public institutions across the EU are increasingly subject to and impacted by cyber attacks, cybersecurity is a key agenda item for the EU. Below we’ll briefly cover the history of cybersecurity regulation in the EU as well as the latest laws that have been passed.

A brief history of cybersecurity regulation in the EU

The EU began formalizing its approach to cybersecurity in the early 2000s with the recognition of the growing importance of digital infrastructure. Early initiatives focused on awareness and foundational security principles. However, the last decade has witnessed a surge in regulations, reflecting the increasing sophistication and frequency of cyberattacks.

Major milestones in EU cybersecurity include:

  • 2004: Establishment of the European Network and Information Security Agency (ENISA) to provide expertise and support for EU Member States.
  • 2013: Introduction of the EU Cybersecurity Strategy, which set the groundwork for pan-European cooperation on cyber defense.
  • 2016: Adoption of the Network and Information Security (NIS) Directive, the first EU-wide legislation on cybersecurity, and the General Data Protection Regulation (GDPR), a landmark data privacy and security law. 
  • 2017: Establishment of the Trusted Information Security Assessment Exchange (TISAX), a globally recognized information security assessment for the automotive industry. 
  • 2019: Adoption of the EU Cybersecurity Act (CSA), which created an EU-wide cybersecurity certification framework for ICT products, services, and processes and made ENISA a permanent EU agency for cybersecurity.
  • 2020: Commission proposals for the Digital Operational Resilience Act (DORA, September 2020) and the NIS2 Directive (December 2020), intended to further improve the resilience and incident response capacities of EU entities, including financial entities, and of the EU as a whole. 
  • 2022: Adoption of NIS2 (Directive (EU) 2022/2555), a revision of the original NIS Directive that aims to harmonize cybersecurity requirements and their implementation across Member States, and of DORA (Regulation (EU) 2022/2554). Member States had until 17 October 2024 to transpose NIS2; DORA applies from 17 January 2025. 
  • 2024: Adoption of the Cyber Resilience Act (Regulation (EU) 2024/2847), a new law on cybersecurity requirements for products with digital elements, such as IoT products, to ensure they are secure before being placed on the market. Its vulnerability reporting obligations apply from 11 September 2026 and its main obligations from 11 December 2027.

Cybersecurity regulations and initiatives in the EU

The European Commission, working with governments and the private sector, has presented and adopted regulations, strategies, and other measures to strengthen cybersecurity. Let’s take a look at some of the most important regulatory developments and initiatives in the EU. 

EU Cybersecurity Strategy

The EU Cybersecurity Strategy was introduced in 2013 and updated in 2020 to address new challenges. It aims to create a secure and trusted digital environment, foster resilience to cyber threats, and promote collaboration across Member States.

Key highlights include:

  • Strengthens cybersecurity coordination between EU countries and with international partners
  • Focuses on improving cybersecurity and response capabilities for essential services and critical infrastructure
  • Pursues strategic autonomy to strengthen the EU's digital leadership

EU Cybersecurity Act (CSA)

In addition to upgrading ENISA to a permanent EU agency for cybersecurity, the CSA (Regulation (EU) 2019/881) also launched an EU-wide cybersecurity certification framework for ICT products, services, and processes. For most businesses, certification is optional. But businesses that choose to certify their ICT offerings can attain a recognized certificate that is valid across the EU, which helps them expand across borders and build trust with users.

Key highlights include:

  • Introduces a system of EU-wide certification schemes 
  • Certification is voluntary unless otherwise specified in EU law or Member States' law
  • Strengthens ENISA by making it a permanent EU agency for cybersecurity and giving it new tasks

Digital Operational Resilience Act (DORA)

DORA (Regulation (EU) 2022/2554, applicable from 17 January 2025) is designed to ensure the operational resilience of EU financial entities against cyber threats. It mandates requirements for ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.

Key highlights:

  • Applies to financial entities, including banks, investment firms, and insurance companies
  • Aims to improve the digital operational resilience of the EU's financial sector
  • Introduces oversight mechanisms for critical ICT providers

General Data Protection Regulation (GDPR)

GDPR is designed to protect the personal data and privacy of individuals in the EU. Adopted in 2016 and applicable since 25 May 2018, it is widely considered the most significant data privacy law in recent history, with major implications for how companies can handle the personal data of people in the European Union.

Key highlights include:

  • Although GDPR is EU law, it applies to any organization, wherever it is established, that offers goods or services to individuals in the EU or monitors their behaviour, as well as to any organization established in the EU
  • Harsh penalties for GDPR violations: fines of up to €20 million or 4% of global annual turnover, whichever is higher
  • Inspired similar data privacy laws around the world, most notably the California Consumer Privacy Act (CCPA)

NIS2 Directive

The NIS2 Directive, replacing the original NIS Directive, expands the scope of cybersecurity requirements for essential and important entities, imposing stricter obligations and enforcing tougher penalties for noncompliance. It aims to harmonize cybersecurity practices across the EU, improve incident reporting, and enhance supply chain security.

Key highlights include:

  • Broader coverage of sectors, including transport, financial market infrastructures, digital infrastructure, pharma and medtech, chemical manufacturers, digital service providers, public administration, and managed service providers
  • Mandates stricter incident reporting: essential and important entities must send an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month
  • Heavy penalties for non-compliance, similar to GDPR

Cyber Resilience Act

The Cyber Resilience Act addresses the security of products with digital elements, meaning connected hardware and the software that runs on or with it, placed on the EU market, aiming to minimize vulnerabilities. This regulation is especially relevant as IoT devices proliferate across sectors.

Key highlights include:

  • Establishes comprehensive cybersecurity requirements for hardware and software products
  • Helps consumers to take cybersecurity into account when selecting and using products with digital elements
  • Mandates vulnerability handling requirements throughout a product’s support period, including security updates and reporting of actively exploited vulnerabilities to ENISA and the relevant CSIRT
  • Empowers market surveillance authorities to enforce penalties for non-compliance to encourage adherence

Trusted Information Security Assessment Exchange (TISAX)

Established in 2017 by the German Association of the Automotive Industry (VDA) and operated by the ENX Association, TISAX provides a standardized approach to ensuring that organizations within the automotive supply chain meet stringent information security requirements. 

Key highlights include:

  • A globally recognized information security assessment designed specifically for the automotive sector
  • Defines three assessment levels (AL1 to AL3) whose depth of verification depends on the protection needs of the information handled and on the role the organization plays within the automotive supply chain; within an assessment, controls from the VDA ISA catalog are scored against a maturity model
  • Any organization that works with a European automotive company and deals with sensitive information could be asked to comply, even if based outside of EU

EU cybersecurity organizations

Below are the key players in EU cybersecurity regulation and enforcement. 

European Commission

The European Commission has increasingly stepped up its efforts and investment in cybersecurity, starting with the adoption of the EU Cybersecurity Strategy in 2013. Since then, it has adopted a set of legislative proposals around cybersecurity, earmarked hundreds of millions of euros for research and innovation in cybersecurity projects, and fostered cooperation within the EU and with partners on the global stage to strengthen cyber resilience. 

European Union Agency for Cybersecurity (ENISA)

ENISA was established in 2004 and reformed under the EU Cybersecurity Act in 2019. As the EU agency for cybersecurity, it is responsible for contributing to EU cyber policy, enhancing the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperating with Member States and EU bodies, and more.

Here’s a look at some of its key roles:

  • Developing guidelines and best practices for cybersecurity
  • Facilitating cooperation among Member States and industry stakeholders
  • Supporting incident response efforts through expert guidance and tools
  • Managing the EU Cybersecurity Certification Framework for ICT products and services

Computer Emergency Response Team (CERT-EU)

Set up in 2011 and placed on a permanent footing by a 2017 inter-institutional arrangement, CERT-EU covers all of the EU's institutions, bodies, and agencies. Designed to ensure a coordinated EU response to cyber attacks against its institutions, this arrangement marked an important step in strengthening the cooperation of EU institutions in the fight against cyber attacks.

Europol’s European Cybercrime Centre (EC3)

Set up by Europol in 2013, EC3 is designed to strengthen the law enforcement response to cybercrime in the EU in order to help protect European citizens, businesses, and governments, particularly against cyber-dependent crime, child sexual exploitation, and payment fraud.

EU cybersecurity certification

Cybersecurity certification has been developed at the EU level in order to enable product vendors and service providers to demonstrate and consumers to recognize the level of cybersecurity of ICT solutions across the EU.

The EU introduced the EU Cybersecurity Certification Framework under the 2019 EU Cybersecurity Act. This framework establishes a unified approach to certifying the cybersecurity of IT products, services, and processes across Member States. 

Certifications under this framework are categorized into three assurance levels (basic, substantial, high). These are commensurate with the level of risk associated with the intended use of the product, service, or process, in terms of the probability and impact of a security incident.

ENISA prepares candidate certification schemes within the EU Cybersecurity Certification Framework at the request of the European Commission, which then adopts them as implementing acts. Schemes adopted, drafted, or under exploration include:

  • The European Cybersecurity Certification Scheme on Common Criteria (EUCC), targeting ICT products, adopted in January 2024 as the first scheme under the framework
  • The European Cybersecurity Certification Scheme for Cloud Services (EUCS), still in draft
  • The European Cybersecurity Certification Scheme for 5G (EU5G), in preparation
  • Preparatory work on the topics of AI and Managed Security Services 

These certifications aim to build trust in digital products and services, foster market transparency, and promote secure innovation across the EU and beyond.

Cybersecurity in the EU vs US

The approaches to cybersecurity in the EU and the US differ significantly, shaped by each region's legal, cultural, and technological priorities. Understanding these contrasts is essential for businesses operating globally, as compliance strategies must adapt to regional requirements. Let’s take a look at three major differences below. 

Prescriptive vs market-driven

The EU is known for its prescriptive regulatory approach, which aims to safeguard citizens' privacy and security. Regulations like the NIS2 Directive set stringent requirements for cybersecurity, with penalties designed to enforce compliance across all Member States. This approach ensures a common level of cybersecurity across Europe.

In contrast, the US adopts a market-driven approach, allowing industries to self-regulate unless federal or state laws intervene. While voluntary frameworks and attestations like the NIST CSF and SOC 2 exist, they tend to be more flexible, narrower in scope, and driven by customer demand rather than regulatory mandate. This approach results in varying levels of cybersecurity across different sectors and states.

Proactive vs reactive

The EU is also more proactive in regulating sectors and technologies. When it comes to emerging technologies like AI, for example, the EU has introduced the AI Act, aiming to regulate high-risk applications. In contrast, the US is cautious about early regulation, fearing it might stifle innovation.

Standardization vs fragmentation

As mentioned above, the EU has adopted various directives and regulations to bolster cybersecurity across the EU and critical infrastructure sectors in particular. However, each directive and regulation aims to build on and harmonize existing ones where possible in order to strengthen the collective cybersecurity level of Member States. For example, the NIS2 Directive mandates cybersecurity requirements across 18 sectors (11 sectors of high criticality in its Annex I and 7 other critical sectors in Annex II). GDPR establishes data privacy and security law for the European Economic Area, which includes all EU countries plus Iceland, Liechtenstein, and Norway.

In contrast, the US lacks a similar unified regulatory framework, relying primarily on regulations that vary from state to state or sector to sector. Organizations are therefore challenged with regulatory fragmentation, with federal, state, and industry-specific rules creating complexity. A single company might need to comply with CCPA in California, HIPAA for healthcare, and FedRAMP (built on NIST SP 800-53) for cloud services sold to federal agencies, leading to a higher operational burden and costs related to compliance management.

As a result of the region’s differing regulatory approaches, companies expanding into the EU or US face challenges adapting to cybersecurity regulations and customer expectations. Understanding these differences is an important first step organizations can take in tailoring their cybersecurity strategies to meet the requirements of both regions, ensuring compliance, operational efficiency, and customer trust.

Compliance automation can also help reduce the complexity, cost, and time it takes to comply with multiple regulations and frameworks. 

How Secureframe can help simplify EU cybersecurity and compliance

The EU's proactive approach to cybersecurity underscores the importance of safeguarding its digital ecosystem. With evolving regulations like the NIS2 Directive, DORA, and the Cyber Resilience Act, organizations based in the EU or hoping to move into that market must stay ahead to achieve and maintain compliance and improve their cyber resilience. 

Secureframe simplifies this process, offering tailored solutions to navigate the complexities of EU cybersecurity and ensure businesses are both secure and compliant, including:

  • Automated compliance management: Secureframe simplifies adherence to regulations like NIS2 and DORA with automated workflows for evidence collection, risk assessments, policy management, continuous monitoring, and more.
  • Comprehensive framework support: Secureframe supports 40+ regulatory and security standards out of the box, including ISO 27001, NIS2, DORA, Cyber Essentials, TISAX, and GDPR — more than any other solution on the market. 
  • Automated control testing: Secureframe automates the testing of EU cybersecurity framework requirements through integrations with your existing tech stack, ensuring continuous compliance without the manual burden. 
  • Policies developed by experts: Secureframe offers policy and procedure templates, developed and vetted by compliance experts for NIS2, DORA, and other EU-specific frameworks. You can easily publish these documents, assign them to owners, and track policy acceptance and regular review within Secureframe.
  • European Data Center: Secureframe customers in Europe have the flexibility to choose where their data is stored and processed so they can further ensure data privacy of their customers, and easily achieve and maintain compliance with privacy standards like GDPR.
  • Expert and EU-based support: Our team of compliance managers and former auditors provide essential support to help you navigate EU cybersecurity requirements effectively and implement best practices to enhance your cybersecurity posture. We also have a dedicated support team in the EU to ensure that you receive timely and localized assistance.

For more information on how Secureframe can help you navigate the complexities of EU cybersecurity regulations, request a demo.

FAQs

Can non-EU companies be affected by EU cybersecurity laws?

Yes. Non-EU companies that provide in-scope services within the EU fall under NIS2, manufacturers anywhere in the world that place products with digital elements on the EU market fall under the Cyber Resilience Act, and any organization that offers goods or services to, or monitors the behaviour of, individuals in the EU must comply with GDPR.

What are the penalties for non-compliance with EU cybersecurity laws?

Penalties vary by regulation but can be substantial. For example, fines under NIS2 can reach up to €10 million or 2% of global turnover, whichever is higher, for essential entities and up to €7 million or 1.4% of the company’s total global annual turnover, whichever is higher, for important entities. The most serious GDPR violations can result in fines of up to 20 million euros, or 4% of the company’s global annual revenue from the previous financial year, whichever is higher.

What is the brief history of GDPR?

The EU passed the Data Protection Directive (Directive 95/46/EC) in 1995 to establish baseline data privacy and information security standards as the internet became more prominent. Because it was a directive, each EU Member State implemented its own law based on it. As the internet matured over the following two decades, the EU recognized the need for a more comprehensive regulation that would harmonize data protection law across the EU, and it adopted the GDPR in 2016 to replace the Directive, with the GDPR applying from 25 May 2018. 

What sectors are covered under the NIS2 Directive?

NIS2 applies to both essential and important sectors, including healthcare, energy, finance, water supply, transport, space, digital infrastructure, public administration, postal services, waste management, chemicals, research, foods, manufacturing, and digital providers.

How does DORA differ from other EU cybersecurity regulations?

DORA specifically targets financial entities, focusing on operational resilience and third-party risk management, while other regulations have broader applicability across sectors.

What are the TISAX assessment levels?

Below is a brief overview of TISAX’s three assessment levels and requirements:

  • Assessment Level 1 (AL1) is for organizations that handle information with normal protection needs or only need to demonstrate a basic level of information security; it is a self-assessment with no verification by an audit provider.
  • Assessment Level 2 (AL2) is for organizations that handle information with high protection needs, such as non-critical project details or limited personal data, and whose business partners require external verification; an audit provider performs a plausibility check of the self-assessment, typically through remote interviews.
  • Assessment Level 3 (AL3) is for organizations that handle information with very high protection needs, such as vehicle prototypes, critical systems data, or large amounts of personal data, and that need to provide the highest assurance to business partners; it involves an on-site audit with interviews and inspection. It is often mandated by major automotive manufacturers. 

Is ENISA involved in cyber incident response?

Yes, ENISA is involved in cyber incident response at EU level. Most notably, it provides the secretariat for the EU CSIRTs Network, the network of national Computer Security Incident Response Teams (CSIRTs) established under the NIS Directive, which supports the prevention, detection, and resolution of incidents. This network is designed to increase cross-border collaboration and improve incident response capabilities and readiness across the EU. ENISA is also responsible for providing guidance, recommendations, and tools for collaborating on and responding to large-scale incidents and crises.