European Internal Security Strategy (Protect EU) - Encryption
DATE OF UPDATE:
26 May 2025
LINKS
Commission unveils ProtectEU – a new European Internal Security Strategy
CURRENT STATUS
The Centre for Democracy & Technology Europe, alongside 88 civil society organisations, companies, and cybersecurity experts, published a joint letter to the European Commission.
The letter raises urgent concerns about the potential impact of the European Internal Security Strategy (Protect EU) (Strategy) on the future of end-to-end encryption in Europe.
The Strategy, announced in April, is designed to support Member States (MSs) and bolster the EU's security for its citizens.
WHY IS THIS APPLICABLE TO CLIENTS?
The Strategy contains several initiatives to foster a change of culture on internal security, with a whole-of-society approach involving citizens, businesses, researchers, and civil society.
It requires MSs to fully implement the Critical Entities Resilience Directive (Directive (EU) 2022/2557) and the NIS 2 Directive (Directive (EU) 2022/2555), and proposes a new Cybersecurity Act and new measures to secure cloud and telecom services and develop technological sovereignty.
NEXT STEPS
The letter calls on the Commission to recognise strong encryption as a critical pillar of Europe's cybersecurity strategy, reframe its approach to the encryption roadmap, and involve a diverse set of experts and civil society voices in shaping future policy.
NIS 2 Directive - Guidance
DATE OF UPDATE:
15 May 2025
LINKS
Handbook for Cyber Stress Tests | ENISA
The Network and Information Security (NIS2) Directive
CURRENT STATUS
The European Union Agency for Cybersecurity (ENISA) has published a Handbook for Cyber Stress Tests. It has been developed as guidance for national or sectoral authorities overseeing the cybersecurity and resilience of critical sectors at national, regional or EU level under the NIS 2 Directive (and possibly also the Digital Operational Resilience Act or the Critical Entities Resilience Directive).
WHY IS THIS APPLICABLE TO CLIENTS?
According to ENISA, cyber stress tests are becoming a new lightweight and targeted mechanism for assessing critical sector resilience. For clients within scope of NIS 2, the handbook will offer an insight into how cyber stress tests might be conducted by the National Cyber Security Centre.
NIS 2 Directive - European Vulnerability Database
DATE OF UPDATE:
13 May 2025
LINKS
Consult the European Vulnerability Database to enhance your digital security! | ENISA
CURRENT STATUS
The European Union Agency for Cybersecurity (ENISA) has developed the European Vulnerability Database (EUVD), as provided for by the NIS2 Directive.
WHY IS THIS APPLICABLE TO CLIENTS?
The database is accessible to the public at large to obtain information related to vulnerabilities impacting IT products and services. It is also addressed to suppliers of network and information systems and entities using their services.
NIS2 Directive - Transposition
DATE OF UPDATE:
7 May 2025
IMPLEMENTATION/ DEADLINE DATE:
Member States had to transpose the NIS2 Directive into national law by 17 October 2024.
LINKS
Are you Cyber Ready? Key Points of the NIS2 Directive
Commission Letter signed 23/07/2024
CURRENT STATUS
The European Commission decided to send a reasoned opinion to 19 Member States, including Ireland, for failing to notify full transposition of the NIS2 Directive.
The legislation is required to: designate certain sectoral regulators as the competent authorities for the purpose of implementing NIS2; establish offences and fines at national level (which could be up to 1.4% of total annual worldwide turnover or 7 million euro, or 2% of total annual worldwide turnover or 10 million euro); establish a register of entities which are within the scope of the proposed legislation; and establish the basis for issuing penalties (including in respect of the personal liability of management bodies).
WHY IS THIS APPLICABLE TO CLIENTS?
By now, organisations within the critical sectors identified in the NIS 2 Directive will have ascertained whether their activities fall within the scope of the Directive. If they do, those entities will next identify whether they constitute an "important" entity or an "essential" entity and implement appropriate compliance measures.
NEXT STEPS
To date, the Irish government has published the General Scheme for the National Cyber Security Bill 2024 to transpose the NIS 2 Directive but has not, as of May 2025, introduced it to the legislative process in the form of a Cyber Security Bill.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.