The European Union is set on developing legislative standards to meet the demands of the cybersecurity landscape of 2023. In February 2023, the European Union Agency for Cybersecurity (ENISA) hosted its 7th annual conference, joining forces with the European Standards Organisations (ESOs) CEN, CENELEC and ETSI to do so. The hybrid conference focused on the theme “European Standardisation in support of the EU cybersecurity legislation”.
The European Union has always been proactive in its efforts to strengthen the cybersecurity landscape across the continent. Safeguarding data has been a key priority for the EU across the many sectors that have been through a period of digital transformation, including economics and politics, finance, healthcare, energy and education.
We recently explored the introduction of the DORA act within the EU, which reflected a key shift towards prioritising a firm’s ability to demonstrate financial resilience and maintain operational resilience in the event of a cyberattack. Another key example is one of the EU’s latest investment programmes: the Digital Europe Programme (DIGITAL). Between 2021 and 2027, the EU intends to ‘invest € 7.5 billion into cybersecurity capacity, the deployment of cybersecurity infrastructures and digital technologies’. These efforts will help safeguard businesses, people and public administrations.
However, a concern for the EU is that the complex legislative systems that support these industries could prove ineffective in the rapidly changing cyberspace of modern-day society. Both the Covid-19 crisis and the continuation of the Russian/Ukrainian war have had significant impacts on the economy, transforming the way that people live and work and considerably increasing the threat because of the greater reliance on digital technologies. According to the EU: ‘both the health crisis and the geopolitical tensions have led to a greater need for an even more comprehensive cybersecurity regulatory framework’.
The conference attracted over 1600 attendees from across both the European Union and the world. Separated into four panels, the event explored ongoing standardisation work and addressed solutions and outcomes for future requirements. The opening panel investigated the future of EU standardisation through the perspective of a ‘regional versus international’ approach. The second panel visited the Cyber Resilience Act (CRA) and how the standards listed within the legislation can support the EU’s future. The third panel explored the role of eIDAS V2 (electronic identification and trust services for electronic transactions in the internal market) and digital identities. The conference concluded by giving an overview of the current landscape of EU cybersecurity legislation and the steps that need to be taken to carry us into the future.
As we look towards the future of cybersecurity and business, it is crucial that legislation meets the demands and developments of technology. At RFA, our cybersecurity solutions are created by taking a holistic view of a client’s business needs and combining this with legislative and regulatory requirements. We help our clients to prepare for worst-case scenarios whilst also ensuring they operate to the highest standards of compliance. Legal and regulatory requirements will continue to become more complex, and firms will need a rigorous and well-thought-out cybersecurity strategy in order to operate in the EU’s constantly evolving legislative landscape.
The Cybersecurity Act gives the European Union Agency for Cybersecurity a mandate to monitor developments in the area of standardisation. The work of the Agency builds on the ongoing standardisation work of the European Standardisation Organisations (CEN, CENELEC and ETSI), as well as the Cybersecurity Coordination Group (CSCG).