Cybersecurity is a crucial aspect of protecting systems and networks from information theft, damage, and disruption. The European Union has prioritized cybersecurity for many years and has allocated significant funding in its long-term budget for the 2021-2027 period to support:
The EU Cybersecurity Strategy aims to build resilience to cyber threats and to ensure that citizens and businesses benefit from trustworthy digital technologies. In December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a Joint Communication on the EU Cybersecurity Strategy, aimed at ensuring a global and open internet with strong safeguards wherever there are risks to security and to the fundamental rights of people in Europe.
Overall, the EU's commitment to cybersecurity is reflected in its long-term budget, strengthened legislation, and comprehensive cybersecurity strategy. The EU aims to enhance its cybersecurity capabilities to ensure a safe and secure digital environment for its citizens and businesses by:
As mentioned before, the Regulation on Cybersecurity (also known as the Cybersecurity Act) is a key piece of legislation in the EU legal framework on cybersecurity. It aims to enhance cybersecurity in the EU by establishing a framework for the certification of ICT products, services, and processes.
Under the Cybersecurity Act, the EU can develop and adopt European cybersecurity certification schemes that apply to specific categories of ICT products, services, and processes. The certification schemes are intended to build trust in the security of ICT products and services and to facilitate cross-border trade within the EU, since a certificate issued under a scheme is recognised in all member states. The Cybersecurity Act also gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate and strengthens its role in providing technical assistance and support to member states. ENISA is responsible for developing guidelines and recommendations on cybersecurity, preparing the candidate certification schemes, providing advice and assistance to member states in the event of cybersecurity incidents, and promoting cooperation and information-sharing among member states and with the private sector. The European Cybersecurity Competence Centre and the Network of National Coordination Centres, which complement the Cybersecurity Act on the research and capacity-building side, were established by a separate instrument, Regulation (EU) 2021/887, rather than by the Cybersecurity Act itself.
The Cyber Resilience Act was adopted by the European Parliament in March 2024 and by the Council of the EU on 10 October 2024. It is a Regulation, proposed by the Commission in September 2022, that introduces mandatory cybersecurity requirements for products with digital elements (hardware and software) placed on the EU market, so that such products are more secure throughout their lifecycle.
Hardware and software products are increasingly the target of successful cyberattacks, which contributed to an estimated global annual cost of cybercrime of €5.5 trillion by 2021. Two main objectives were identified, both aimed at ensuring the proper functioning of the internal market:
The European Commission proposed the EU Cyber Solidarity Act on April 18, 2023, to enhance the EU's ability to detect, prepare for, and respond to cybersecurity threats and attacks. Key elements of the proposal include:
The European Cyber Shield and Cyber Emergency Mechanism will be funded by the Digital Europe Programme (DEP), requiring an amendment to the Digital Europe Programme Regulation. The total budget for the Cyber Solidarity Act, including Member States' contributions, could reach €1.1 billion. In the European Parliament, the proposal has been assigned to the Committee on Industry, Research and Energy (ITRE), with Lina Gálvez Muñoz appointed as rapporteur. The European Economic and Social Committee (EESC) adopted its opinion on the Act on July 13, 2023. The Rapporteur's draft report, published on September 4, 2023, emphasizes:
On 18 April 2023, the Commission proposed a targeted amendment to the EU Cybersecurity Act (Regulation (EU) 2019/881) to allow for the adoption of European cybersecurity certification schemes for managed security services.
Member states’ representatives (Coreper) reached a common position on the proposed targeted amendment of the EU’s Cybersecurity Act (CSA) of 2019. Currently, only ICT products, services, and processes are covered under the Cybersecurity Act. The certification of managed security services is seen as an effective way to build trust in the quality of those services and facilitate the emergence of a trusted European cybersecurity service industry. The EU aims to raise the overall level of cybersecurity and encourage the development of trusted cybersecurity service providers to achieve this goal. The proposed amendment is in line with the Joint Communication 'EU Policy on Cyber Defence,' which announced the Commission's intention to explore the development of EU-level cybersecurity certification schemes for the cybersecurity industry and private companies.
On 14 December 2022, the EU adopted the NIS 2 Directive (Directive (EU) 2022/2555), the revised EU Directive on cybersecurity.
The first EU-wide legislation on cybersecurity was the Directive on Security of Network and Information Systems (NIS Directive, Directive (EU) 2016/1148), which came into effect in 2016. The NIS Directive aimed to establish a common level of cybersecurity across the EU and to improve the cybersecurity preparedness of operators of essential services and digital service providers. It required EU Member States to implement national cybersecurity rules and to designate national authorities responsible for cybersecurity. The NIS Directive was later reviewed and updated, resulting in the new Directive on measures for a high common level of cybersecurity across the Union, also known as the NIS 2 Directive. The NIS 2 Directive builds on the NIS Directive and introduces several changes and new provisions.
On 22 March 2022, the European Commission published a Proposal for a Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. The proposal was subsequently adopted as Regulation (EU) 2023/2841 in December 2023.
The Commission’s proposal modernises the existing legal framework for CERT-EU (the Computer Emergency Response Team for the EU institutions, bodies and agencies) to take into account the increase in digitalisation across the institutions, bodies, and agencies in recent years, as well as the evolving landscape of cybersecurity threats. Both developments have been further amplified since the beginning of the COVID-19 crisis, and the number of incidents continues to grow, with many of them increasingly sophisticated and originating from a wide range of sources.