Cybersecurity Regulations in Europe: What’s Happening – & What’s Coming?
Things are changing quickly in cybersecurity regulation in Europe. Here’s a list of the existing regulations, plus some information about what’s to come!
Cybersecurity Regulations in Europe
Digital Operational Resilience Act (DORA) (EU)
Industry: Financial Sector
In recent years the EU has developed a framework to bolster the resilience of financial systems operating within the EU. The culmination of this was the adoption of the Digital Operational Resilience Act (DORA) in late 2022 (published in the Official Journal on 27 December 2022), which seeks to harmonise the approach to digital operational resilience and IT security across the financial sector as a whole.
It seeks to:
- expand on the current ICT risk management rules
- create more governance around incident classification and reporting
- require organisations to carry out operational resilience testing so that gaps can be identified and closed; and
- bring third-party providers into the regulatory perimeter
DORA applies to the financial services ecosystem. It contains an exhaustive list of covered entities, including payment institutions, investment firms, account information service providers, credit rating agencies, insurers and electronic money institutions.
DORA introduces five core sets of obligations on financial entities to mitigate their exposure to cyber disruptions and threats:
- the implementation of a risk management framework and governance to detect, prevent and manage IT risks;
- the management, classification and reporting of ICT incidents;
- the performance of resilience testing;
- the sharing of information and intelligence within the sector; and
- the sound management of ICT third-party risk.
DORA – What’s coming?
DORA has a two-year implementation period and will apply from 17 January 2025. In the interim, we are awaiting further guidance from regulators (the first batch of technical standards from the European Supervisory Authorities is expected by mid-January 2024) on:
- the contents for inclusion in ICT security policies, procedures, protocols and tools;
- the elements to be included in ICT risk management frameworks;
- the criteria for determining which types of ICT incidents are reportable, and the content of those reports / when reports must be provided;
- the contents of the policy regarding contractual arrangements on the use of ICT services; and
- designation of the critical ICT third-party providers who will be directly regulated.
We expect financial entities and their IT suppliers to engage more closely with the regulation in Q1 2024, and organisations that are proactive in taking steps to uplift their compliance will be placed at a significant competitive advantage.
For more information, read this blog series:
- Part 1: overview
- Part 2: ICT incident management, classification and reporting
- Part 3: managing ICT third party risk
- Part 4: DORA for IT suppliers
Cyber Resilience Act (CRA) (EU)
Industry: ‘Internet of Things’ devices and other products with digital elements
In September 2022, the European Commission released a proposed regulation on horizontal cybersecurity requirements for products with digital elements (“Products”), from baby monitors to smart watches. It applies to all products connected directly or indirectly to another device or network, subject to specified exclusions: open-source software (as proposed, where it is developed or supplied outside a commercial activity) and products already covered by existing sector-specific rules, which is the case for medical devices, aviation and cars.
The Cyber Resilience Act aims to safeguard consumers and businesses buying or using Products. It also aims to avoid overlapping requirements stemming from different pieces of legislation in EU member states and will affect a range of economic actors who are developing, manufacturing, marketing, importing and distributing connectable Products.
The proposal entails significant obligations for manufacturers, importers and distributors of Products.
The Cyber Resilience Act will introduce:
- harmonised rules when bringing to market products or software with a digital component;
- a framework of cybersecurity requirements governing the planning, design, development and maintenance of such products, with obligations to be met at every stage of the value chain;
- an obligation to provide duty of care for the entire lifecycle of such products.
Cyber Resilience Act – What’s coming?
On 30 November 2023, the EU Commission, Parliament and Council reached political agreement on the final text of the Cyber Resilience Act. Key areas of negotiation included:
- the body (or bodies) to which security incidents and actively exploited vulnerabilities must be reported;
- the period during which manufacturers must guarantee security updates; and
- the approach to open-source software and critical product categories.
The Cyber Resilience Act is now subject to formal approval by the European Parliament and Council. Once adopted, the Act will enter into force 20 days after it is published in the Official Journal. The majority of the obligations set out in the Cyber Resilience Act become effective 36 months after it enters into force, with the exception of manufacturers’ reporting obligations, which will apply after 21 months.
NIS 2 Directive (EU)
The Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) entered into force on 16 January 2023.
The NIS 2 Directive aims to enhance the overall level of cybersecurity in the EU. It considerably broadens the scope of the NIS 1 Directive, bringing a large number of new industry sectors (and therefore new types of entities) within the obligations, including wastewater, waste management, space, postal and courier services, chemicals, food, manufacturing and public administration.
New measures under the NIS 2 Directive include:
- imposing direct obligations on management in respect of an organisation’s compliance, and onerous penalties where those are not complied with;
- requiring all covered organisations to put in place cyber risk management measures;
- acknowledging the importance of security at all levels in supply chains and supplier relationships;
- clarifying and strengthening incident reporting requirements;
- providing supervisory authorities with a greater ability to supervise companies; and
- increasing the sanctions for non-compliance.
NIS 2 – What’s coming?
Member States have until 17 October 2024 to transpose the Directive into national legislation. The majority of obligations imposed on organisations will come into force when the implementing legislation becomes effective in the relevant Member State. Some Member States (e.g. Germany) have already published draft implementing legislation; we expect a flurry more in Q1/Q2 2024.
Cybersecurity Act (EU)
Industry: ICT Products and Services
The Cybersecurity Act entered into force in June 2019, with its certification framework provisions applying from June 2021. It established an EU framework for the cybersecurity certification of ICT products, processes and services (ICT Services). Certification is intended to give assurance of the quality and reliability of products and services that companies and organisations rely on to prevent, detect, respond to or recover from incidents.
In April 2023, the European Commission released a proposed amendment to the EU Cybersecurity Act to add managed security services to the types of ICT Services that can receive certification. ‘Managed security services’ covers areas such as incident response, penetration testing, security audits and consultancy.
Separately, in October 2023, the European Commission undertook public consultation on a draft implementing regulation to establish the European Common Criteria-based cybersecurity certification scheme (EUCC). If implemented, the EUCC will operate under the Cybersecurity Act and replace all relevant national cybersecurity certification schemes in the EU.
Cybersecurity Act – What’s coming?
The amendment to add managed security services to the Cybersecurity Act is expected to enter trilogues between the European Parliament, Council and Commission shortly to agree the final text, and will likely be agreed and adopted in the coming months. The final version of the implementing regulation establishing the EUCC is due to be released by the end of 2023 and will apply 12 months after it comes into force.
UK NIS Regulations (UK)
Industry: Operators of essential services and relevant digital service providers
Following the most recent review of the UK NIS Regulations, the UK Government released a proposal for extensive reforms in January 2022 and its response to the public consultation on that proposal in November 2022.
The changes contemplated are wide-ranging. Managed service providers would be brought directly within the scope of the UK NIS Regulations for the first time. Critical relevant digital service providers (a designation for the most important of the digital service providers regulated by the legislation) would be subject to a new proactive supervisory regime, in addition to the existing reactive regime. The UK Government would be empowered to update aspects of the UK NIS Regulations without primary legislation, including the sectors regulated. Incident reporting obligations would also be expanded beyond incidents affecting continuity of service to include those which significantly impact the security of the network and information systems underpinning essential services.
In its response to the public consultation in November 2022, the UK Government indicated that it intended to release draft legislation once parliamentary time allowed. However, this has not yet occurred.
UK NIS – What’s coming?
The UK Government may release draft legislation for its proposed reforms to the UK NIS Regulations in early 2024, subject to the timing of the next UK general election, which must be held by January 2025. The outcome of that election may affect the legislation (it may be scrapped or substantially revised).
Need Compliance Help? Reach Out
If you need more detailed information about any privacy, data protection or cybersecurity legislation, contact the Privacy 108 team.