European Union: Cybersecurity Awareness Month: Stay Compliant In An Evolving Cybersecurity Legal Landscape

Cybersecurity should be one of the core parts of business strategies. Strong cybersecurity can help businesses to protect their systems, networks and data from cyberattacks, and to prevent financial loss, reputational damage, and disruption to their operations.

On the occasion of the cybersecurity awareness month, we present some key European Union (EU) cybersecurity laws that businesses should be aware of in order to devise and implement strong and legally-compliant cybersecurity strategies.

EU NIS2 Directive

The EU NIS2 Directive is part of the EU's Cybersecurity Strategy, and it establishes measures for a common high level of cybersecurity for critical infrastructures across the EU. It entered into force on January 16, 2023 and it is an update to the EU NIS Directive. EU Member States have until October 17, 2024 to transpose the EU NIS2 Directive into their national laws.

The EU NIS2 Directive applies to "Essential" and "Important" entities within the European Economic Area. These are entities that are considered critical for the EU economy and society. It applies to a broader range of sectors compared to the EU NIS Directive and it provides detailed risk-management measures, obligations for senior management, timeframes for the reporting of cybersecurity incidents and administrative fines in case of non-compliance. In addition, the EU NIS2 Directive mandates the European Union Agency for Cybersecurity (ENISA) with the task to set up and maintain a database which will include information regarding publicly known vulnerabilities of products and services.

EU Cybersecurity Act & European Cybersecurity Certification schemes

The EU Cybersecurity Act was adopted on March 12, 2019, and entered into force on June 27 of the same year.

The EU Cybersecurity Act strengthens the role of ENISA by granting to the agency a permanent mandate, defining its objectives, tasks and organization, reinforcing its financial and human resources and overall enhancing its role in supporting the EU to achieve a common and high-level cybersecurity. In addition, the EU Cybersecurity Act lays down the first EU-wide cybersecurity certification framework to ensure a common cybersecurity certification approach in the European internal market and ultimately to improve cybersecurity in a broad range of ICT products, services and processes.

On April 18, 2023, the European Commission proposed a targeted amendment to the EU Cybersecurity Act with the aim of enabling the adoption of EU Cybersecurity Certification schemes for "managed security services" covering areas such as incident response and security audits.

In addition, on October 3, 2023 the European Commission issued a draft Implementing Regulation with the view to establish the roles, rules, obligations, and the structure of the European Common Criteria-based cybersecurity certification scheme (EUCC). This voluntary scheme will introduce a set of security requirements for ICT security products such as firewalls, encryption devices, electronic signature devices, and ICT products with an inbuilt security functionality such as routers, smartphones and bank cards. The draft Implementing Regulation is open to public consultation, and stakeholders can submit their feedback until October 31, 2023.

The final version of the Implementing Regulation is expected in the fourth quarter of 2023, and it will become applicable 12 months after its entry into force. Once the EUCC is applicable, all national cybersecurity certification schemes and the related procedures for ICT products and processes that are covered by the EUCC shall no longer produce effects to the extent that they apply to the evaluation standards and the specific evaluation criteria and methods enshrined in the EUCC.

EU Cyber Resilience Act

On September 15, 2022, the European Commission proposed the EU Cyber Resilience Act, which aims to set common standards for the cybersecurity of products with digital elements.

The EU Cyber Resilience Act requires that products with digital elements will only be made available on the market if they meet specific essential cybersecurity requirements. It applies both to tangible digital products, such as connected devices, and to non-tangible digital products, such as software products embedded into connected devices, and it requires manufacturers to factor cybersecurity from the design and development phase and through the products' life cycle.

The EU Cyber Resilience Act exempts from its scope connected devices that are already covered from sectoral legislation such as medical devices, certain vehicles and their trailers and aviation. In addition, it does not apply to software-as-a-service unless it is part of integral remote data processing solutions for a product with digital elements and to free open-source software developed or supplied outside the course of a commercial activity.

The EU Cyber Resilience Act divides the products that fall within its scope into different classes based on their cybersecurity risk level, and imposes different compliance obligations for each of them. Among others, it provides for detailed rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products, essential requirements for the design, development and production of such products and obligations for economic operators in relation to the cybersecurity of these products, essential requirements for the vulnerability management with regards to cybersecurity and rules on market surveillance and enforcement of the above-mentioned rules and requirements.

On September 13, 2023 the European Parliament confirmed the Committee's on Industry, Research and Energy (ITRE) decision to enter in interinstitutional negotiations. Earlier, on July 19, 2023 the Council of the European Union obtained its negotiating mandate. The EU Cyber Resilience Act will now enter the trilogue stage of the legislative process, which entails that there will be interinstitutional negotiations between representatives of the European Commission, the European Parliament and the Council of the European Union, during which the final wording of the Regulation will be agreed.

If adopted, the EU Cyber Resilience Act would complement existing cybersecurity legislation, including the EU NIS2 Directive. When the proposed EU Cyber Resilience Act enters into force, software and products connected to the internet would bear the CE marking to indicate they comply with the new standards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.