Brussels,

DIGITAL EUROPE

Cybersecurity

• EU Agency in charge: ENISA

The European Union (EU) works across multiple fronts to bolster cyber resilience, ensuring secure communication and data protection for individuals, businesses, and public services.

1. Cybersecurity Strategy

Cybersecurity is essential for protecting information systems and networks against theft, damage, and disruption. The European Union (EU) has long recognized the importance of cybersecurity and, in its 2021–2027 long-term budget, has committed significant funding for:

• Research
• Innovation
• Infrastructure
• Cyber Defense
• The Cybersecurity Industry

This reflects the EU’s determination to create a safe and secure digital environment for its citizens and businesses.

A Joint EU Cybersecurity Strategy

In December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a Joint Communication on an EU Cybersecurity Strategy.

The Strategy aims to:

1. Build resilience against cyber threats, ensuring that people and businesses can trust digital technologies.
2. Safeguard a global and open internet with strong protections where there are risks to security and fundamental rights.
3. Promote the EU’s technological sovereignty, harnessing the EU’s resources to respond to cyberattacks collectively and effectively.

Open the eMindMap

Key Goals of the Strategy

1. Protect Essential Services
   • The Strategy covers essential infrastructures such as hospitals, energy grids, and railways, as well as the ever-increasing number of connected objects in homes, offices, and factories.
2. Strengthen Collective Cybersecurity
   • The EU seeks to be technologically sovereign, driving world-class solutions, rules, and standards.
   • National governments, businesses, and citizens all share responsibility for a cyber-secure digital transformation.
3. Foster a Global and Open Cyberspace
   • Collaborate with international partners and organizations to bolster global cybersecurity norms.
   • Support a rules-based international order that promotes security, stability, human rights, and fundamental freedoms online.

Strategic Actions

1. Improving Resilience, Technological Sovereignty, and Leadership
   • Modernizing cyber legislation: The revised NIS Directive (NIS2) aims to increase the cyber resilience of critical public and private infrastructure.
   • Ensuring new rules on network and information system security keep pace with evolving threats.
2. Building Operational Capacity to Prevent, Deter, and Respond
   • A Joint Cyber Unit will enhance cooperation between EU bodies and Member States to detect, deter, and respond to cyber incidents.
   • The EU Cyber Diplomacy Toolbox will be upgraded to prevent, discourage, deter, and respond effectively to malicious cyber activities threatening critical infrastructure, supply chains, and democratic institutions.
3. Advancing a Global and Open Cyberspace through Increased Cooperation
   • International partnerships: Strengthening existing relationships and forging new ones with partners who share EU values of democracy and rule of law.
   • Capacity-building in non-EU countries, as well as cyber dialogues with international organizations and the multi-stakeholder community.

Investing in CybersecurityTo support these goals, the EU’s long-term budget (2021–2027) includes unprecedented investment that quadruples previous levels of cybersecurity funding. This backing aligns with the EU’s broader Digital Decade objectives and the Recovery Plan for Europe, ensuring that cybersecurity underpins:

• Technological and industrial policy development
• The EU’s post-pandemic economic recovery
• The Security Union Strategy (2020–2025)

The EU Cybersecurity Strategy underlines the Union’s commitment to safe digital transformation, protecting essential infrastructures, and promoting a global, open, and secure internet. By reforming cybersecurity legislation, building robust operational capacities, and expanding international cooperation, the EU ensures that citizens and businesses can reap the benefits of the digital age with confidence and trust.

Legal Framework

The European Union has established a legal framework to address cybersecurity threats and promote cybersecurity measures.

Some of the key pieces of legislation in this framework include:

• General Data Protection Regulation (GDPR): This 2016 Regulation sets out basic rules for the protection of personal data of individuals within the EU. It also requires organizations to take appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, or destruction.

​

• NIS2 Directive - The 2022 NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. It also calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement.
  • Updates and strengthens the first NIS Directive on network and information systems.
  • Requires EU countries to have strong national cybersecurity bodies and to share information on critical threats.
  • Must be fully transposed by October 2024.
  • NIS2 Text

​

• Cyber Resilience Act (CRA) - The 2019 Cyber Resilience Act enhances cybersecurity standards of products that contain a digital component, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products.
  • Sets common standards for products with digital elements.
  • Imposes a duty of care for manufacturers, ensuring secure-by-design hardware and software.
  • Requires automatic security updates and incident reporting.
  • Entered into force on 10 December 2024; main obligations apply from December 2027.

​

• Cybersecurity Act - ​The 2019 Cybersecurity Act strengthens the EU Agency for cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services. Amended until 2025.
  • Introduces a framework for EU-wide cybersecurity certification.
  • Strengthens ENISA’s role and provides it with a permanent mandate.

​

• ENISA — EU Cybersecurity Agency - The 2019 Cybersecurity Act strengthens the EU Agency for cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.
  • The European Union Agency for Cybersecurity supports Member States, EU institutions, and businesses in cybersecurity implementation.
  • The EU cybersecurity certification framework

 

• Cyber Solidarity Act - Date of effect: 04/02/2025. The EU Cyber Solidarity Act aims to strengthen capacities in the EU to detect, prepare for and respond to significant and large-scale cybersecurity threats and attacks.
  • Proposed on 18 April 2023 to improve EU-wide response to cyber threats.
  • Envisions a European Cybersecurity Shield and a Cyber Emergency Mechanism.

​

• eIDAS Regulation: The 2014 eIDAS Regulation sets out rules for the recognition of electronic identification and trust services across the EU. It provides a legal framework for electronic signatures, seals, timestamps, and electronic delivery services.

These pieces of legislation, along with other EU and national laws, form a comprehensive legal framework for cybersecurity in the EU. The framework seeks to promote cooperation and information-sharing between member states, and to establish minimum security and reporting requirements for organizations operating in the EU.

CyberSecurity Act

In force from 2019 and amended until 2025, as mentioned before, the Regulation on Cybersecurity (also known as the Cybersecurity Act) is a key piece of legislation in the EU legal framework on cybersecurity. It aims to enhance cybersecurity in the EU by establishing a framework for the certification of ICT products, services, and processes. 

Under the Cybersecurity Act, the EU can develop and adopt European cybersecurity certification schemes that apply to specific categories of ICT products, services, and processes. The certification schemes are intended to help build trust in the security of ICT products and services and facilitate cross-border trade within the EU.

The Cybersecurity Act also strengthens the role of the European Union Agency for Cybersecurity (ENISA) in providing technical assistance and support to member states. ENISA is responsible for developing guidelines and recommendations on cybersecurity, providing advice and assistance to member states in the event of cybersecurity incidents, and promoting cooperation and information-sharing among member states and with the private sector.

In addition to the certification schemes and the role of ENISA, the Cybersecurity Act also establishes a framework for a European cybersecurity research and competence center and a network of national cybersecurity coordination centers.

Click to read

Overall, the Cybersecurity Act is an important component of the EU's legal framework on cybersecurity. It seeks to promote a common approach to cybersecurity across the EU, enhance trust and confidence in the security of ICT products and services, and facilitate cross-border trade in the digital single market.

Cyber Resilience Act

In 2024, the European Parliament and the EU Council adopted the Cyber Resilience Act. It is a Regulation proposed by the Commission to strengthen cybersecurity regulations in order to ensure that hardware and software products are more secure.
​
Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.

Two main objectives were identified aiming to ensure the proper functioning of the internal market: 
​

1. create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and
2. create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Click to read

Key aspects of the proposal include:
​

1. Security and Update Obligations: Manufacturers are required to provide security support and software updates to address vulnerabilities, ensuring consumer protection and product cybersecurity.
2. Uniform EU Cybersecurity Rules: The act aims to establish a single set of EU-wide rules, reducing cybersecurity incidents and enhancing consumer trust and data privacy.
3. Conformity Assessment and CE Marking: Products with digital elements must undergo a conformity assessment process (self-assessment or third-party assessment, depending on the product category) to demonstrate compliance with cybersecurity requirements, resulting in a CE marking.
4. Lifecycle Obligations and Market Surveillance: The proposal outlines obligations for the design, development, production, and surveillance of these products, including reporting obligations for manufacturers.

Read the Summary of the Opinion of the European Data Protection Supervisor.

Council notably removed the notion of "critical" from products with digital elements  and deleted a substantial number of the products listed in the Annex III. Council introduced three categories of products, critical for essential entities as defined by the NIS2, that would fall under mandatory European cybersecurity certification by means of a delegated act. The Council moved the reporting of cybersecurity incidents and actively exploitable vulnerabilities from ENISA to the national Computer Security Incident Response Teams (CSIRTs) in a two-step process of an initial notification after 24 hours and a second one after 72 hours. Council proposes to postpone the application of the regulation to 36 months.

Cyber Solidarity Act

The European Commission proposed the EU Cyber Solidarity Act on April 18, 2023, to enhance the EU's ability to detect, prepare for, and respond to cybersecurity threats and attacks. Key elements of the proposal include:

​On November 2024, the European Parliament and the EU Conucil reached a compromise on a final text and the Regulation was adopted.

Key objectives of the Regulation:
​

1. European Cyber Shield: A platform connecting national and cross-border Security Operations Centres (SOCs) for improved detection, analysis, and response to cyber threats.
2. Cyber Emergency Mechanism: Aims to bolster preparedness and response to cybersecurity incidents by:
   • Testing readiness in critical sectors for vulnerabilities.
   • Establishing an EU Cybersecurity Reserve of trusted incident response providers, deployable by Member States during significant cybersecurity incidents.
   • Providing financial support for mutual support between Member States.
3. Cybersecurity Incident Review Mechanism: Managed by the EU Cybersecurity Agency (ENISA), this mechanism will assess and review significant incidents and report on lessons learned and recommendations.

The European Cyber Shield and Cyber Emergency Mechanism will be funded by the Digital Europe Programme (DEP), requiring an amendment to the Digital Europe Programme Regulation. The total budget for the Cyber Solidarity Act, including Member States' contributions, could reach €1.1 billion.
​

Click to read

Click to read

Draft Regulation on EU Cybersecurity Certification Schemes

In the past, only ICT products, services, and processes were covered under the Cybersecurity Act. The EU cybersecurity certification framework streamlines the process of certifying ICT products across the EU, fostering trust, reducing market barriers, and ensuring a high level of security for digital products and services.

Now, the certification of managed security services is seen as an effective way to build trust in the quality of those services and facilitate the emergence of a trusted European cybersecurity service industry.

The EU aims to raise the overall level of cybersecurity and encourage the development of trusted cybersecurity service providers to achieve this goal.

This Regulation is in line with the Joint Communication 'EU Policy on Cyber Defence,' which announced the Commission's intention to explore the development of EU-level cybersecurity certification schemes for the cybersecurity industry and private companies.

Click to read

Summary of the EU Cybersecurity Certification Framework
​

1. Unified EU-Wide Certification
   The framework sets out a common approach for certifying the cybersecurity of ICT products, services, and processes throughout the EU. Its goal is to reduce market fragmentation by ensuring that once an ICT product or service is certified, that certification is valid across all Member States.
2. Key Elements of Each Certification Scheme
   • Scope: The categories of products and services covered.
   • Requirements: Relevant security standards or technical specifications.
   • Evaluation Method: Ranging from self-assessment to third-party assessment.
   • Assurance Levels: Basic, substantial, or high—aligned with the product’s risk level.
3. First EU Cybersecurity Certification Scheme on Common Criteria (EUCC)
   • Launch Date: Available from 27 February 2025.
   • Builds on the well-known international Common Criteria standard.
   • Voluntary for vendors, covering a wide range of ICT products (e.g., biometric systems, firewalls, routers, operating systems, smart cards).
4. Union Rolling Work Programme (URWP)
   • Outlines a strategic vision for future EU cybersecurity certification schemes.
   • Takes into account new legislation such as the Cyber Resilience Act and the European Digital Identity Regulation.
   • Identifies potential areas for future schemes (e.g., ID Wallets, managed security services, industrial automation).
5. Governance and Advisory Bodies
   • European Cybersecurity Certification Group (ECCG): Composed of national authorities, ensuring consistent application of the Cybersecurity Act and assisting in the preparation of certification schemes.
   • Stakeholder Cybersecurity Certification Group (SCCG): Advises the Commission and ENISA on strategic issues and helps develop the Union Rolling Work Programme.

The Economic Impact

The economic impact of European certifications, particularly for companies in the cybersecurity sector, can be substantial and multifaceted. Here are some key aspects of this impact:

1. Market Access and Expansion: European certifications can serve as a passport for companies to access and expand within the EU market. These certifications are often recognized across member states, eliminating the need for multiple national approvals.
2. Competitive Advantage: Companies with EU certifications can distinguish themselves from competitors, especially in markets where such certifications are not mandatory but highly valued. This can lead to increased market share and higher profitability.
3. Consumer Trust and Brand Value: Certifications can significantly enhance consumer trust. In industries like cybersecurity, where trust is paramount, this can translate into increased customer loyalty and brand value.
4. Standardization of Quality: European certifications help in standardizing the quality of products and services across the market. This standardization can lead to efficiencies in production and service delivery, potentially reducing costs.
5. Innovation Incentives: The process of obtaining certification often encourages companies to innovate and improve their products and services to meet high standards, fostering a culture of continuous improvement.
6. Reduced Liability and Risk: Compliance with European standards can reduce the risk of cybersecurity breaches and the associated costs, including legal liabilities.
7. Increased Investment: Certifications can make companies more attractive to investors who see certified companies as lower-risk and more likely to yield returns due to their compliance with established standards.
8. Harmonization with International Standards: European certifications often align with international standards, making it easier for companies to compete globally.
9. Economic Growth and Job Creation: As companies grow and expand, they contribute to economic growth and job creation, benefiting the broader economy.
10. Enhanced Cross-Border Collaboration: Certifications can facilitate partnerships and collaborations across borders, as companies with similar standards and practices can work together more seamlessly.

​European certifications can provide significant economic benefits, not only to the companies that obtain them but also to the broader economy through market expansion, innovation, and standardization.

​The Cyber Solidarity Act (see above), proposed in parallel to this Regulation, supports the gradual set-up of the EU-level cybersecurity reserve and the relevant cybersecurity services provided by "trusted providers," which correspond to managed security services in this proposal.
​

Safer Future for Cybersecurity in Europe - eEuropa Blog

The NIS 2 Directive

On 14 December 2022, EU adopted the EU Directive on Cybersecurity NIS 2.

The first EU-wide legislation on cybersecurity was the Directive on Security of Network and Information Systems (NIS Directive), which came into effect in 2016.

The NIS Directive aimed to establish a common level of cybersecurity across the EU and improve the cybersecurity preparedness of operators of essential services and digital service providers. The NIS Directive required EU Member States to implement national cybersecurity rules and to designate national authorities responsible for cybersecurity.

The NIS Directive was later reviewed and updated, resulting in the new Directive on measures for high common level of cybersecurity across the Union, also known as the 

The NIS 2 Directive builds on the NIS Directive and introduces several changes and new provisions.

Click to read

Here are some of the key differences between the NIS Directive and NIS 2:

1. Scope: The NIS 2 Directive extends the scope of the NIS Directive to cover a broader range of entities, including more digital service providers and certain online platforms. It also introduces new provisions for the cybersecurity of certain critical sectors, such as healthcare and transport.

2. Cooperation and information-sharing: The NIS 2 Directive strengthens the cooperation and information-sharing requirements between EU Member States and with the European Union Agency for Cybersecurity (ENISA).

3. Incident reporting: The NIS 2 Directive introduces new incident reporting requirements for digital service providers and certain online platforms. These entities will need to report major cybersecurity incidents to national authorities within specific timeframes.

4. Cybersecurity requirements: The NIS 2 Directive sets out new and more specific cybersecurity requirements for operators of essential services and digital service providers. It also introduces new provisions for the security of the supply chain, including requirements for third-party risk management.

Overall, the NIS 2 Directive aims to further improve the EU's cybersecurity resilience and ensure a high level of cybersecurity across the EU.​
​

Key points of the Directive NIS 2

​The directive applies principally to medium-sized and large entities operating in the following sectors of high criticality as defined in Annex I:

• Energy:
  • electricity, including production, distribution and transmission systems and charging points;
  • district heating and cooling;
  • oil, including production, storage and transmission pipelines;
  • gas, including supply, distribution and transmission systems and storage; and
  • hydrogen.

• Transport by air, rail, water and road.
• Banking and financial market infrastructures such as credit institutions, operators of trading venues and central counterparties.
• Health, including healthcare providers, manufacturers of basic pharmaceutical products and critical medical devices, and EU reference laboratories.
• Drinking water.
• Waste water.
• Digital infrastructure, including providers of data centre services, cloud computing services, public electronic communications networks and publicly available electronic communications services.
• ICT managed services (business-to-business).
• Space.
• Public administration at the central and regional level, excluding judiciary, parliaments, and central banks. However, it does not apply to public administration entities that carry out activities in the areas of national security, public security, defence or law enforcement.

​It also applies to other critical sectors, as defined in Annex II:

• postal and courier services;
• waste management;
• chemical manufacturing, production and distribution;
• food production, processing and distribution;
• manufacturing, specifically medical devices, computer, electronic and optical products, certain electrical equipment and machinery, motor vehicles and other transport equipment;
• digital providers of online marketplaces, search engines and social networks; and
• research organisations.

​Roles and obligation of Member States

Every Member State must adopt a national strategy to achieve and maintain a high level of cybersecurity in the critical sectors, including:
​

• a governance framework clarifying the roles and responsibilities for relevant stakeholders at the national level;
• policy addressing the security of supply chains;
• policy on managing vulnerabilities;
• policy on promoting and developing education and training on cybersecurity; and
• measures to improve cybersecurity awareness among citizens.

Role of the Teams charged on Computer security incident response (CSIRTs)

The Directive sets up a network of national "Computer security incident response teams" ( CSIRTs to promote swift and effective operational cooperation. CSIRTs provide technical assistance to entities, including by:
​

• monitoring and analysing cyber threats, vulnerabilities, and incidents at the national level;
• providing early warnings, alerts, announcements and information to the entities concerned and to other stakeholders on cyber threats, vulnerabilities and incidents, if possible in near-real time;
• responding to incidents and providing assistance where applicable;
• collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness on cybersecurity; and
• providing, on request, proactive network and information system scanning to detect vulnerabilities with a potential significant impact

The European Union Agency for Cybersecurity (ENISA) publishes a map of national Coordinated Vulnerability Disclosure (CVD) policies in the EU Member States and makes recommendations.

Member States are charged to:

• designate one of their CSIRTs to coordinate the disclosure of vulnerabilities discovered in ICT products or services; and
• ensure that people in the Member States are able to report vulnerabilities, anonymously if requested.

Cooperation group

The Directive sets up a cooperation group to support and facilitate strategic cooperation and information exchange. It is composed of representatives of Member States, the European Commission and ENISA. Where appropriate, the cooperation group may invite the European Parliament and representatives of relevant stakeholders to participate in its work.

The European cyber crisis liaison organisation network 

The European cyber crisis liaison organisation network (EU-CyCLONe) is a network comprising representatives of Member State cyber crisis management authorities, as well as the Commission, in cases where a potential or ongoing large-scale cybersecurity incident has or is likely to have a significant impact on the sectors covered by the directive. In other cases, the Commission shall participate in the activities of the network as an observer. The network supports the coordinated management of large-scale cybersecurity incidents and crises at the operational level and ensures the regular exchange of information among Member States and EU institutions, bodies and agencies.
​
The network is tasked, among other things, with:

• coordinating the management of large-scale cybersecurity incidents and crises and supporting decision-making at the political level;
• increasing preparedness;
• developing a shared situational awareness; and
• assessing the consequences and impact of large-scale cybersecurity incidents and crises and proposing possible mitigation measures.

Reporting

Entities must notify their CSIRT or relevant authority of any incident that:

• can cause or is capable of causing severe operational disruption or financial loss for the entity;
• it has affected or could affect others by causing considerable material or non-material damage.

Furthermore, ENISA will produce, in cooperation with the Commission and the cooperation group, a biennial report on the state of cybersecurity in the EU which will also be submitted to the Parliament.

Supervision and enforcement
The directive provides for remedies and sanctions to ensure enforcement.

​Peer reviews
Peer reviews are set up with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, and enhancing Member States’ cybersecurity capabilities and policies necessary to implement this directive. These reviews entail physical or virtual on-site visits and off-site exchanges of information. Participation in these peer reviews is voluntary.

The European Cybersecurity Center

On 22 March 2022, the EU Commission published a Proposal for a Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

The Commission’s proposal is dealing with the modernisation of the existing legal framework related to CERT-EU (Cybersecurity Emergency Response Team – European Union), to take into account the developments and increase in digitalization in the institutions, bodies, and agencies in recent years, as well as the evolving landscape of cybersecurity threats.

Both phenomena have been further amplified since the beginning of the COVID-19 crisis, while there is a continuous increase in the number of incidents, many of which, increasingly sophisticated, come from a wide range of sources. 

Click to read

The proposal for a Regulation renames CERT-EU from a “computer emergency response team” to a “cybersecurity center” for the Institutions, bodies, and Agencies of the European Union, in line with developments in Member States and globally that see many CERT-EUs rebranded as ‘cybersecurity centers,’ while maintaining the abbreviation CERT-EU for the sake of name recognition.
This new Regulation isn’t just any set of rules. It’s a visionary plan designed to fortify the digital landscape of the EU, aligning perfectly with the EU’s priorities to prepare Europe for the digital era and build an economy ready for the future’s challenges.

EU Parliament voted its position on 22 November 2023. The next step involves a ‘common position’ from the EU ministers, followed by negotiations with the Parliament for a final and definitive drafting before the new Regulation comes into force.

EU Launches Pioneering Cybersecurity Center: A New Era in Digital Defense - eEuropa Blog

Sanctions against cyberattacks

​The Council established a framework which allows the EU to impose targeted sanctions to deter and respond to cyber attacks which constitute an external threat to the EU or its member states.

More specifically, this framework allows the EU for the first time to impose sanctions on persons or entities that are responsible for cyberattacks or attempted cyberattacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on other persons or entities associated with them.
Restrictive measures include:

• a ban on persons travelling to the EU
• an asset freeze on persons and entities

The first ever sanctions for cyberattacks were imposed on 30 July 2020.

• Cyberattacks: Council is now able to impose sanctions (press release, 17 May 2019)
• Sanctions: how and when the EU adopts restrictive measures (background information)